Enable YubiKey OTP authentication

This topic describes how to configure a YubiKey one-time password (OTP) in your tenant so you can select it as an authentication mechanism when creating an authentication profile.

YubiKey OTP generates an OTP as a second authentication factor to provide a second layer of security without using a memorized secret. CyberArk Identity supports YubiKey OTP as an authentication mechanism that you can use for other applications.

Before you begin

Complete the following tasks before you begin:

Set up your YubiKey: use the YubiKey Manager for your operating system to configure the two slots on your YubiKey.

See YubiKey Manager for more information.

Obtain your YubiKey API credentials.

The following information is available from Yubico API key signup:

  • Client ID

  • Secret Key

Configure YubiKey in the Identity Administration portal

  1. Go to Settings > Authentication > YubiKey Configuration, then select Enable YubiKey OTP.

  2. Enter the client ID and secret key in the appropriate fields. This information is available in your YubiKey setup.

  3. Use the Timeout drop-down menu to select how long it takes for the challenge response to time out. You can choose from 10 to 60 seconds in increments of 10 seconds.

  4. You can select Allow unrecognized YubiKeys to register to allow users to register a key that has not been added in the Registered YubiKey users table in the User Portal. This is unselected by default.

    (Optional) If Allow unrecognized YubiKeys to register is unselected, you can populate the table to allow other devices to enroll.

  5. Click Save.

Set the policy to use with YubiKey OTP

The following procedure describes how to enable enrollment of YubiKey OTP and how to select it as an authentication mechanism.

  1. Go to Core Services > Policies to select the policy you want to use.

  2. In the policy, go to User Security Policies > User Account Settings and select Yes next to Enable users to configure a YubiKey OTP device.

    (Optional) You can select Yes next to Prompt users to configure a YubiKey OTP on login to enable a wizard.

  3. Select an authentication profile from the Authentication profile required to configure the YubiKey OTP drop-down menu. See create an authentication profile for more information.

  4. Click Save.

Add YubiKey devices

  1. Go to Settings > Authentication > YubiKey Configuration and click Add.

    (Optional) Select the username for the key.

  2. Enter the YubiKey ID.

    Ensure that the Active checkbox is selected.

  3. Click Add.

    The key is ready for the user.
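What the Client ID, Secret Key and YubiKey ID are used for, shown as an added example that is not CyberArk or Yubico code: under Yubico's validation protocol 2.0, a validation response carries an HMAC-SHA1 signature made with the secret key, and a relying party checks that signature, the echoed OTP and nonce, and the status before trusting the result. Assumptions: the YubiKey ID in the table is the OTP's public ID (everything before the last 32 modhex characters), the function names are hypothetical, and every key, nonce and OTP below is constructed.

```python
import base64, hashlib, hmac

MODHEX = set("cbdefghijklnrtuv")  # the 16 characters a YubiKey OTP may contain

def public_id(otp: str) -> str:
    """Public ID = everything before the last 32 modhex characters of the OTP."""
    otp = otp.strip().lower()
    if not 32 <= len(otp) <= 48 or set(otp) - MODHEX:
        raise ValueError("not a well-formed YubiKey OTP")
    return otp[:-32]

def sign(params: dict, secret_b64: str) -> str:
    """HMAC-SHA1 over the sorted key=value pairs (h excluded), base64-encoded."""
    line = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    mac = hmac.new(base64.b64decode(secret_b64), line.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def accept(resp: dict, otp: str, nonce: str, secret_b64: str, registered: set) -> str:
    """Return 'accepted', or the reason the validation response is rejected."""
    if not hmac.compare_digest(resp.get("h", ""), sign(resp, secret_b64)):
        return "bad signature"          # forged or altered in transit
    if resp.get("otp") != otp or resp.get("nonce") != nonce:
        return "otp/nonce mismatch"     # answer to a different request
    if resp.get("status") != "OK":
        return f"status {resp.get('status')}"
    if public_id(otp) not in registered:
        return "unregistered YubiKey"   # assumed: ID missing from the registered table
    return "accepted"

# Constructed sample values, not real credentials or OTPs.
SECRET = base64.b64encode(b"constructed-demo-key").decode()
OTP = "ccccccbdefgh" + "ijklnrtu" * 4   # 12-char public ID + 32-char one-time part
NONCE = "a1b2c3d4e5f6a7b8"

def demo_response(status: str = "OK") -> dict:
    """Build a signed response as the validation service would (constructed)."""
    resp = {"otp": OTP, "nonce": NONCE, "status": status, "t": "2024-01-01T00:00:00Z0000"}
    resp["h"] = sign(resp, SECRET)
    return resp

if __name__ == "__main__":
    ids = {"ccccccbdefgh"}
    print(accept(demo_response(), OTP, NONCE, SECRET, ids))
    # A replayed-OTP response whose status was rewritten to OK fails the signature check.
    print(accept(dict(demo_response("REPLAYED_OTP"), status="OK"), OTP, NONCE, SECRET, ids))
```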

Edit registered YubiKey users

You can modify, delete, or deactivate registered YubiKey users in the table.

  1. Select the checkbox for the registered user in the table.

  2. Click Actions to modify, delete, or deactivate the user.


Set up OTPs to authenticate to the User Portal

Import YubiKey OTP tokens in bulk

Create authentication profiles