Authenticating with Yubico

Introduction

Yubico provides hardware authentication devices that can be used in one- or two-factor authentication flows. The device generates a unique password that is validated by Yubico's free cloud service, which provides a great way to secure your Hypersocket server.

Before proceeding with these instructions, ensure that you have the latest Yubico extension installed on your server. If you do not see a Yubico option in the list of authentication modules on the Authentication page, navigate to Extensions->Extensions, locate the Yubico Authentication extension in the list of Available extensions and install it. Then restart your server.

 

Step 1 - Configure Yubico

The first step is to configure the Yubico Authenticator with a Client ID and Secret Key obtained from Yubico. Navigate to Authentication->Settings and select the Yubico tab.

Either enter your existing Client ID and Secret Key, or click the link in the Client ID information text to register for a new set of keys with Yubico. 

 

Step 2 - Allocate Yubikey

Before we activate the Yubico authentication method, we must first allocate at least one Yubikey to an Administrator.

Navigate to Access Control->Users and click the gear icon beside the user you want to allocate the key to. Select Allocate Yubikey.

In the dialog prompt, provide a name for the key, then click into the Yubikey field and hold your finger on the plugged-in Yubikey for a second, then release. A long password should populate the Yubikey field.

That's your authentication configured. There is only one thing left to do.

Step 3 - Activate Yubico Authentication

Navigate back to Authentication->Schemes and configure the flow that you want to include the Yubico method on. Depending on what product you are using, there will be a number of options.

For example, you can configure the Browser flow. This is the scheme used whenever a user comes directly to the server to log in using their browser.

Products such as Hypersocket SSO have the SSO flow, which is the flow presented to the user when they attempt to access a single sign-on resource and are redirected back to the server for authentication.

Once you have selected the correct flow tab, you can edit the methods available, deleting them from the flow or adding them to it with the corresponding icons.

In the example below Yubico is acting as a single-factor authentication. Because each password contains a unique identifier, Hypersocket is able to resolve the user just from the Yubikey password.

You could alternatively combine this with reCAPTCHA ...

Or require the user to enter their actual password after the Yubikey. For example, if you have a number of Single Sign-on resources that require the user's current password, you would want to configure it this way.

Other options, such as PIN, are also available.

 

Step 4 - Logging in

Now that you have configured the system and activated the Yubico authentication method, you will be able to log in using your Yubikey on the configured flow.

The user is asked for their Yubikey password. They simply ensure the Yubikey field has focus and then touch the Yubikey for one second and the Yubikey inserts the password into the field. 

Our form will automatically detect this and submit the form for authentication. The user is either then logged in or presented with further authentication if the flow requires it.
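The following added example (not Hypersocket's own code) shows how a server can resolve the user from the Yubikey password alone, as noted in Step 3: a Yubico OTP is a modhex string whose last 32 characters change on every touch, while the leading characters are the key's fixed public identifier. The allocation table, user name and sample password are constructed for illustration.

```python
# Added illustration, not Hypersocket code. Sample data below is constructed.
MODHEX = "cbdefghijklnrtuv"   # Yubico's keyboard-layout-safe hex alphabet
HEX = "0123456789abcdef"
TOKEN_LEN = 32                # trailing modhex chars: the encrypted one-time part

# Hypothetical allocation table built in Step 2: public ID -> user name.
ALLOCATIONS = {"cccccchvjdnk": "admin"}
SAMPLE_OTP = "cccccchvjdnk" + MODHEX * 2   # constructed, not a real OTP


def split_otp(otp):
    """Return (public_id, one_time_part); raise ValueError if malformed."""
    otp = otp.strip().lower()
    if not 32 <= len(otp) <= 48:
        raise ValueError("a Yubico OTP is 32 to 48 characters long")
    if any(ch not in MODHEX for ch in otp):
        raise ValueError("OTP contains non-modhex characters")
    return otp[:-TOKEN_LEN], otp[-TOKEN_LEN:]


def modhex_to_hex(value):
    """Decode modhex to ordinary hex, e.g. for logging the key identifier."""
    return value.translate(str.maketrans(MODHEX, HEX))


def resolve_user(otp, allocations):
    """Identify which user a Yubikey password belongs to, or None.

    This only identifies the user. The full OTP must still be validated
    by the Yubico service (Client ID and Secret Key from Step 1) before
    the login is accepted.
    """
    try:
        public_id, _ = split_otp(otp)
    except ValueError:
        return None               # e.g. an ordinary typed password
    if not public_id:
        return None               # key configured without a public ID
    return allocations.get(public_id)


if __name__ == "__main__":
    print(resolve_user(SAMPLE_OTP, ALLOCATIONS))
    print(modhex_to_hex("cccccchvjdnk"))
```

The public identifier is the same in every password a given key emits, so it identifies the key but proves nothing by itself; the one-time part is what the validation service checks.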

 

Summary

In this article we have demonstrated how to configure, activate and use Yubico's Yubikey hardware to authenticate and access your Hypersocket product. 
