Managing YubiKeys

A YubiKey is a hardware-based security key that can be issued following the same procedures as for physical smart cards. YubiKeys are connected through the USB port and do not require a separate reader. For details, see Issuing an Initial Device to a User in Your Directory.

Note: To enroll YubiKey devices in the User Portal, this setting must be enabled in the Operator Portal; for details, see Setting Parameters for Devices.

YubiKey devices are managed in the Help Desk and offer the same standard functions as physical smart cards.

About YubiKeys

YubiKey devices support one-time passwords, public-key encryption and authentication, as well as the Universal 2nd Factor (U2F) and FIDO2 protocols. YubiKeys provide standard smart card operations, such as logging on to Windows or sending encrypted emails.

A YubiKey can be used with a Windows Mini Driver, with ActivClient, and with other PIV-compliant middleware. It is protected by a PIN, offering a two-factor authentication model.

Note:
  • If using ActivClient, version 7.2.1 or higher is required to support YubiKey devices. However, ActivClient is not required if you are using the ActivID CMS Client with a Chrome or Edge browser.

  • The current version of ActivID CMS is only compatible with YubiKey 4 FIPS, YubiKey 5 or YubiKey 5 FIPS.

A YubiKey can also secure access to any service that supports OATH (Open Authentication) HOTP, the HMAC-based One-time Password algorithm, in its event-based (counter-driven) mode.

Prerequisites for Using YubiKeys

YubiKey Profile

ActivID CMS provides a dedicated profile for YubiKey devices.

Note: The YUBIKEY FIPS profile can also be used to issue YubiKey 5 devices after associating the pre-issuance ID with the appropriate ATR. However, personalization of the OATH (Open Authentication) application is not supported on YubiKey 5 devices.

ActivID CMS YubiKey Profile

Profile name: YUBIKEY FIPS

Profile description: Profile for YubiKey FIPS

Supported features: PIN Policy

  • Minimum PIN length – 6 characters

  • Maximum PIN length – 8 characters

  • Maximum number of PIN tries – 15

  • Allow Weak PIN – No

  • Force PIN to be Changed on First Card Usage – No

  • Force PIN to Contain Only Digits – Yes

Note: The PIN for YubiKey devices can only be numeric.

For more details about this device profile, refer to Device Profiles and Hardware Devices.

Authenticating with YubiKeys

Once issued, the YubiKey offers the same security and authentication functions as a physical smart card. Users only need to plug the device into a USB port and, where OTP authentication is in use, press its button to generate an OTP.

Note:
  • The use of OTPs for authentication must be configured beforehand using the ActivID Authentication Server.

  • When using a French keyboard, the Caps Lock key must be enabled for OTPs to be generated correctly.

The possible use cases include:

  • Microsoft Windows Logon

  • VPN authentication

  • Secure access to web sites

  • Secure email