Related Products
ADManager Plus

Active Directory Management & Reporting
Download | Demo
ADAudit Plus

Real-time Active Directory Auditing and UBA
Download | Demo
EventLog Analyzer

Real-time Log Analysis & Reporting
Download | Demo
Exchange Reporter Plus

Exchange Server Auditing & Reporting
Download | Demo
AD360

Integrated Identity & Access Management
Download | Demo
Log360

Comprehensive SIEM and UEBA
Download | Demo

Verifying user identities using Yubikey Authenticator

ADSelfService Plus secures user accounts during password self-service activities, ADSelfService Plus' logins, and system logins with any one of the available authenticators.

With Yubikey Authenticator enforced, users must successfully authenticate themselves twice before they are allowed to access their domain accounts or their workstations. They are authenticated first through their AD domain credentials, and next through the one-time passcode (OTP) generated by the Yubikey Authenticator.

Pre-requisites

The firewall should have the below outbound connections:

https://api.yubico.com/wsapi/2.0/verify
https://api2.yubico.com/wsapi/2.0/verify
https://api3.yubico.com/wsapi/2.0/verify
https://api4.yubico.com/wsapi/2.0/verify
https://api5.yubico.com/wsapi/2.0/verify

Get the Client ID and Secret Key from the Yubikey website with steps below:

Go to https://upgrade.yubico.com/getapikey.
Enter your email address. Connect the Yubikey to your workstation or server and enter the Yubikey OTP.
Select I've read and accepted the Terms and Conditions option. Click Get API Key.
Copy the displayed Secret Key.

Configuring Yubikey Authenticator

Go to Configuration → Self-Service → Multi-factor Authentication → Configuration tab → Yubikey Authenticator.
Select the policy for which Yubikey Authenticator is to be configured from the drop-down.
Enter the Client ID and the Secret Key from the step 2 of Prerequsite.

yubikey-authenticator

Click Save.

Note: You can choose to enforce multiple configurations for different users based on their domain, group, or OU membership, or simply apply one Yubikey Authenticator settings for all users.

yubikey-authenticator-confirm-message

Mapping Yubikey Authenticator to secure password self-service activities and system logins

Now you can enforce the configured Yubikey Authenticator for multiple user activities such as:

Self-service password resets and account unlocks

Go to Authenticator Settings > MFA for Reset/Unlock.
Select Yubikey Authenticator from Configure authenticator for reset/unlock drop-down.

ADSelfService Plus logins

Go to Authenticator Settings > TFA for ADSelfService Plus logins.
Select the Enable authenticators for ADSelfService Plus logins checkbox, and select Yubikey Authenticator from the drop-down.

System MFA

Go to Authenticator Settings > TFA for Windows logins.
Select the Enable authenticators for Windows logins checkbox, and select Yubikey Authenticator from the drop-down.

ManageEngine