Verifying user identities using Yubikey Authenticator

ADSelfService Plus secures user accounts during password self-service activities, ADSelfService Plus' logins, and system logins with any one of the available authenticators.

With Yubikey Authenticator enforced, users must successfully authenticate themselves twice before they are allowed to access their domain accounts or their workstations. They are authenticated first through their AD domain credentials, and next through the one-time passcode (OTP) generated by the Yubikey Authenticator.


  1. The firewall should have the below outbound connections:
  2. Get the Client ID and Secret Key from the Yubikey website with steps below:
    • Go to
    • Enter your email address. Connect the Yubikey to your workstation or server and enter the Yubikey OTP.
    • Select I've read and accepted the Terms and Conditions option. Click Get API Key.
    • Copy the displayed Secret Key.

Configuring Yubikey Authenticator

  1. Go to Configuration → Self-Service → Multi-factor Authentication → Configuration tab → Yubikey Authenticator.
  2. Select the policy for which Yubikey Authenticator is to be configured from the drop-down.
  3. Enter the Client ID and the Secret Key from the step 2 of Prerequsite.
  4. yubikey-authenticator

  5. Click Save.

Note: You can choose to enforce multiple configurations for different users based on their domain, group, or OU membership, or simply apply one Yubikey Authenticator settings for all users.


Mapping Yubikey Authenticator to secure password self-service activities and system logins

Now you can enforce the configured Yubikey Authenticator for multiple user activities such as:

  1. Self-service password resets/account unlocks
  2. ADSelfService Plus logins
  3. Windows and macOS logins

Self-service password resets and account unlocks 

ADSelfService Plus logins

System MFA

Copyright © 2020, ZOHO Corp. All Rights Reserved.