Verifying user identities using Yubikey Authenticator
ADSelfService Plus secures user accounts during password self-service activities, ADSelfService Plus' logins, and system logins with any one of the available authenticators.
With Yubikey Authenticator enforced, users must successfully authenticate themselves twice before they are allowed to access their domain accounts or their workstations. They are authenticated first through their AD domain credentials, and next through the one-time passcode (OTP) generated by the Yubikey Authenticator.
- The firewall should have the below outbound connections:
Get the Client ID and Secret Key from the Yubikey website with steps below:
- Go to https://upgrade.yubico.com/getapikey.
- Enter your email address. Connect the Yubikey to your workstation or server and enter the Yubikey OTP.
- Select I've read and accepted the Terms and Conditions option. Click Get API Key.
- Copy the displayed Secret Key.
Configuring Yubikey Authenticator
- Go to Configuration → Self-Service → Multi-factor Authentication → Configuration tab → Yubikey Authenticator.
- Select the policy for which Yubikey Authenticator is to be configured from the drop-down.
- Enter the Client ID and the Secret Key from the step 2 of Prerequsite.
- Click Save.
Note: You can choose to enforce multiple configurations for different users based on their domain, group, or OU membership, or simply apply one Yubikey Authenticator settings for all users.
Mapping Yubikey Authenticator to secure password self-service activities and system logins
Now you can enforce the configured Yubikey Authenticator for multiple user activities such as:
- Self-service password resets/account unlocks
- ADSelfService Plus logins
- Windows and macOS logins
Self-service password resets and account unlocks
- Go to Authenticator Settings > MFA for Reset/Unlock.
- Select Yubikey Authenticator from Configure authenticator for reset/unlock drop-down.
ADSelfService Plus logins
- Go to Authenticator Settings > TFA for ADSelfService Plus logins.
- Select the Enable authenticators for ADSelfService Plus logins checkbox, and select Yubikey Authenticator from the drop-down.
- Go to Authenticator Settings > TFA for Windows logins.
- Select the Enable authenticators for Windows logins checkbox, and select Yubikey Authenticator from the drop-down.
Copyright © 2020, ZOHO Corp
. All Rights Reserved.