Duo - Adding a Personally Purchased Yubikey

Overview

After purchasing a YubiKey from a source other than Technology Services, it must be securely programmed, registered with Yubico, and then reported to the Texas A&M Technology Services Identity Management Office to be associated with the university's Duo two-factor authentication system. Once the YubiKey is tied to Texas A&M, it can be added to your NetID to use One Time Password authentication. If your YubiKey token supports U2F authentication, and you want to enable it with your Duo account, instructions can be found at the bottom of this document.

Instructions for One Time Password authentication

Getting Started

  1. Download the latest YubiKey Personalization Tool from https://developers.yubico.com/yubikey-personalization-gui/Releases/.
  2. Launch the YubiKey Personalization Tool.
  3. Select Yubico OTP in the "Personalize your YubiKey in:" window.
  4. Select Quick.
  5. Select Configuration Slot 1.
  6. Uncheck Hide Values under Yubico OTP Parameters.

Programming your YubiKey

  1. Insert the YubiKey you need to program into an available USB port. If any other YubiKeys are connected to the computer, remove them at this time to prevent complications. Only one YubiKey at a time should be programmed. NOTE: If you are reprogramming a YubiKey, click Regenerate in the Personalization Tool interface to seed new values.
  2. Verify that the serial number reported by the Personalization Tool matches the serial number printed on the YubiKey you are programming. If no serial number is printed on the YubiKey, write the serial number reported by the Personalization Manager onto the YubiKey. NOTE: In the YubiKey Personalization Tool, the Serial Number will be displayed as a Decimal number, a Hexadecimal number, and as a Modhex number. Make sure to look for each of these on your YubiKey.
  3. Record the serial number, private identity and secret key in the YubiKey Information Template spreadsheet.
  4. Click Write Configuration in the Personalization Manager.
  5. Acknowledge and Confirm that you want to program Slot 1, if you are warned about Slot 1 being configured.
  6. Click Cancel, if you get a prompt to save to a log file. You should get a message in green toward the top of the screen stating that the YubiKey has been successfully programmed. If you do not, please restart this process from Step 1.
  7. Click the Upload to Yubico button. A new web browser window will open.
  8. Enter the following information:
    1. Email address: identity@tamu.edu (you may also use a departmental email address; do not use a personal email address).
    2. OTP from the YubiKey: With your cursor in the field's text box, press and hold the gold disk on the YubiKey being programmed for 1-2 seconds. This will generate a One Time Password which will be automatically added to the field your cursor is currently in.
  9. Complete the Captcha.
  10. Click the Upload AES Key button.
  11. Close the browser window.
  12. Remove the programmed YubiKey from the USB port.
  13. If you need to program additional YubiKeys:
    1. Click Regenerate in the Personalization Manager interface to seed new values.
    2. Repeat steps 1 through 12.
  14. Save the YubiKey Information Template spreadsheet. It should contain one entry for each YubiKey you have programmed.
  15. Send the YubiKey Information Template spreadsheet to the Texas A&M Division of IT Identity Management Office via FileX (instructions below).
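
The serial-number check in step 2 and the values recorded in step 3 can be cross-checked with a short script. This is an added example, not part of the original article or of any Yubico or Texas A&M tool; the function names are hypothetical, and it assumes the Modhex serial is the hexadecimal serial written in Yubico's modhex alphabet and that a Yubico OTP private identity is 6 bytes and the secret key 16 bytes of hex.

```python
import re

HEX = "0123456789abcdef"
MODHEX = "cbdefghijklnrtuv"  # Yubico modhex alphabet, indexed by hex digit
TO_MODHEX = str.maketrans(HEX, MODHEX)
FROM_MODHEX = str.maketrans(MODHEX, HEX)


def serial_forms(serial):
    """Decimal, hexadecimal and modhex spellings of one serial number."""
    hex_form = format(serial, "x")
    return {"dec": str(serial), "hex": hex_form,
            "modhex": hex_form.translate(TO_MODHEX)}


def printed_serial_matches(reported, printed):
    """True if the text printed on the key is any spelling of `reported`."""
    text = re.sub(r"[\s:-]", "", printed).lower()
    values = set()
    if text.isascii() and text.isdigit():
        values.add(int(text))
    if text and all(c in HEX for c in text):
        values.add(int(text, 16))
    if text and all(c in MODHEX for c in text):
        values.add(int(text.translate(FROM_MODHEX), 16))
    return reported in values


def record_problems(private_identity, secret_key):
    """Length/charset check for one row; never echoes the secret values."""
    problems = []
    for name, value, nbytes in (("private identity", private_identity, 6),
                                ("secret key", secret_key, 16)):
        digits = re.sub(r"\s", "", value).lower()
        if len(digits) != 2 * nbytes or any(c not in HEX for c in digits):
            problems.append(f"{name}: expected {nbytes} bytes of hex")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real YubiKey.
    print(serial_forms(1234567))
    print(printed_serial_matches(1234567, "ccbdthji"))
    print(record_problems("a1 b2 c3 d4 e5 f6", "00 11 22"))
```

Leading zeros (the letter c in modhex) are ignored when comparing, so a padded serial printed on the key still matches the value the tool reports.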

Reporting your YubiKey to the Identity Management Office

  1. Login to https://filex.tamu.edu with your NetID and NetID password.
  2. Click Start Sending with FileX.
  3. Click Create a folder.
  4. Enter your [department name] Yubikey Import File as the title of the folder.
  5. Click Next.
  6. Click Browse.
  7. Browse to the location of the Yubikey Import File you saved in step 14 of the previous section, and select it.
  8. Click Open.
  9. Select Encrypt this file. You do not need to change any other settings.
  10. Click Next.
  11. The File Access Code required to decrypt the file will be displayed. Email the File Access Code to identity@tamu.edu using your preferred email client. NOTE: A copy of this access code will be emailed to you as well.
  12. Click Continue.
  13. Enter tamiam@tamu.edu in the email field on the Add Recipients page. This provides access to the encrypted file for the Identity Management Office.
  14. Click Complete.

Once the Identity Management Office receives your YubiKey Import File, they will associate your new YubiKey token with your NetID. This will allow you to use your personal token for One Time Password authentication.

Adding your YubiKey to your NetID for U2F authentication

U2F authentication is an alternative to One Time Password authentication. At this time, only some web browsers support U2F authentication, the most prevalent being the Google Chrome browser.

  1. Go to https://gateway.tamu.edu/duo-enroll/.
  2. Click Enroll/Manage Devices.
  3. Login with your NetID and NetID password.
  4. Click Add a new device under the TAMU logo.
  5. Authenticate with a Push, Call, or Passcode.
  6. Select U2F.
  7. Click Continue and follow the remaining prompts.
  8. Your token can be set as the authentication device in the drop down menu on the main Duo page.

https://tamu.service-now.com/kburl.do?article=KB0016180

Details

Article ID: 612
Created: Thu 5/2/24 11:07 AM
Modified: Mon 6/24/24 4:35 PM

Related Services / Offerings

The "Duo Multi Factor Authentication" Service offering allows incidents for managing and troubleshooting Duo MFA as well as requests for help setting up Duo MFA.