Yubikey Second Factor
Yubikey is a small hardware authentication device sold by Yubico. It emits a one-time password (OTP) that is validated by a Yubico server.
Prerequisites and dependencies
Configuration
In the manager (second factors), you just have to enable it:
Activation: set it to “on”
Self registration: set it to “on” if users are authorized to register their own keys
Authentication level: you can override here the authentication level for users registered with a Yubikey. Leaving it blank keeps the authentication level provided by the first authentication module (default: 2 for user/password based modules). It is recommended to set a higher value here if you want to give access to some applications only to enrolled users
Client ID: given by Yubico or another service
API secret key: given by Yubico or another service
Nonce (optional): if any
URL: URL of the validation service (leave blank to use Yubico cloud services)
OTP public ID part size: leave it at the default (12) unless you know what you are doing
If you want to use a custom rule for “activation” and want to keep self-registration, you must include this in your rule: $_yubikeys, else Yubikey will be required even if users are not registered. This is automatically done when “activation” is simply set to “on”.
Provisioning
If you don't want to use self-registration, set the public part of the user's Yubikey (the first 12 characters of an OTP) in an attribute mapped to _yubikeys. Multiple values are allowed (space or comma separated).
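The following is an added example, not LemonLDAP::NG code, showing the two facts the page relies on: the public ID is the first 12 characters of a Yubico OTP (the default "OTP public ID part size"), and the _yubikeys attribute may carry several IDs separated by spaces or commas. The OTP and attribute values are constructed for illustration; the function names are my own. Matching the public ID only tells you which provisioned key an OTP claims to come from; the OTP itself still has to be validated by the Yubico server as described above.

```python
"""Match a Yubico OTP against the public IDs provisioned in _yubikeys.

Added example (not part of LemonLDAP::NG). Sample values are constructed.
"""
import re
from typing import List, Optional

PUBLIC_ID_SIZE = 12                   # page default for "OTP public ID part size"
MODHEX_ALPHABET = "cbdefghijklnrtuv"  # Yubico OTPs are written in modhex
OTP_LENGTH = 44                       # 12-char public ID + 32-char encrypted part


def parse_yubikeys_attribute(value: str) -> List[str]:
    """Split the _yubikeys attribute on spaces and/or commas, dropping blanks."""
    return [v.lower() for v in re.split(r"[\s,]+", value.strip()) if v]


def is_modhex(text: str) -> bool:
    """True if every character belongs to the modhex alphabet."""
    return bool(text) and all(ch in MODHEX_ALPHABET for ch in text)


def public_id(otp: str, size: int = PUBLIC_ID_SIZE) -> Optional[str]:
    """Return the public ID prefix of a well-formed OTP, or None if malformed."""
    otp = otp.strip().lower()
    if len(otp) != OTP_LENGTH or not is_modhex(otp):
        return None
    return otp[:size]


def otp_belongs_to_user(otp: str, yubikeys_attr: str) -> bool:
    """Check that the OTP's public ID is one of the user's provisioned keys.

    This is only the local ownership check; the OTP must still be sent to the
    Yubico validation service to prove it is fresh and genuine.
    """
    pid = public_id(otp)
    if pid is None:
        return False
    return pid in parse_yubikeys_attribute(yubikeys_attr)


if __name__ == "__main__":
    # Constructed sample: a 12-char public ID followed by a 32-char body.
    sample_otp = "ccccccbcgujh" + "ingjrdejhgfnuetrgigvejhfcbflrinr"
    provisioned = "vvvvvvbcgujh, ccccccbcgujh"  # two keys, comma separated
    print(public_id(sample_otp))                       # ccccccbcgujh
    print(otp_belongs_to_user(sample_otp, provisioned))  # True
```

The parser lower-cases and trims each value so that an attribute edited by hand ("ID1, ID2") matches what a key actually emits; a malformed OTP (wrong length or non-modhex characters) is rejected before any comparison.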