YubiKeys
Mideye Server supports YubiKeys provided by Mideye (with pre-provisioned keys, validated in the Mideye central service) as well as YubiKeys obtained from third parties (validated in the YubiCloud service).
YubiKey 5 USB-A, with NFC support. Weight: 4 grams.
YubiKeys provided by Mideye
Mideye can ship batches of YubiKeys to corporate IT departments or send single YubiKeys directly to corporate end-users. These YubiKeys come preconfigured and authenticate directly against the Mideye central service.
To set up authentication with YubiKey for an end-user:
- Obtain the 8-digit serial number: The serial number is printed on the back of the YubiKey (prepend a 0 if only 7 digits are printed). If the serial number is not readable, insert the YubiKey in a computer and open a text editor. Touch the button on the YubiKey and copy the first 12 characters of the string, e.g. **ubbc06434510**04116861. All YubiKeys provided by Mideye emit a string that starts with the prefix ubbc, followed by the 8-digit serial number.
- Add the serial number to the user repository: The serial number is registered in the format ubbcXXXXXXXX in the user’s entry. For user accounts in Active Directory, the default attribute for token serial numbers is ipPhone, but this can be changed in the Mideye Server LDAP profile configuration, submenu ‘User Attributes’.
- Enable setting alternative authentication: If Token is not already the default authentication type, the authentication method for the user must be changed to Token. Mark ‘Read Optional Attributes’ in the Authentication submenu of the LDAP profile and specify an Authentication Type Attribute. The default attribute for authentication type in Active Directory is pager. Whatever attribute is selected must be empty for all users and must not be used for any other purpose, since a stray value would silently change that user's authentication method.
- Specify authentication type 3-Token for the user: Add the digit 3 in the Authentication Type Attribute (AD default: pager attribute) in the user’s account. See section Authentication types in the Reference guide to see what each number represents in the authentication list.
YubiKeys obtained from third parties
In addition to YubiKeys provided by Mideye, off-the-shelf YubiKeys obtained from third parties can also be used. Note that Mideye delegates the OTP verification to the YubiCloud service, and the availability of this service cannot be guaranteed.
By default, YubiKeys shipped directly from Yubico are pre-configured with keys that are registered in the YubiCloud service. Alternatively, YubiKeys can be configured with custom keys, which must then be manually uploaded to the YubiCloud service before they can be verified.
To determine whether a YubiKey has a custom key, insert the YubiKey in a computer and open a text editor. Touch the button on the YubiKey to obtain the OTP string, e.g. cccccckdnhjrjgtkhgrvljhfrjtecfhkgefnteictlcc. OTPs from pre-configured (Yubico-provisioned) YubiKeys start with the prefix cccc; OTPs from keys with custom keys start with the prefix vvcc.
YubiKeys with custom keys will only work if the Mideye Server is configured to allow this. See the RADIUS client configuration, submenu ‘Client Configuration’, checkbox ‘Allow YubiKeys with custom keys’.
Be advised that the authentication is performed directly against YubiCloud, and Mideye cannot control the availability of that service. To test a YubiKey against YubiCloud, see https://demo.yubico.com/otp/verify. To upload a custom key to YubiCloud, visit https://upload.yubico.com.
To set up authentication with YubiKey for an end-user:
- Obtain the serial number: For pre-configured YubiKeys, the serial number (7 or 8 digits) is usually printed on the back of the token. If it is not visible, or if the YubiKey has a custom key, obtain the serial number from https://demo.yubico.com/otp/verify. Alternatively, for a pre-configured YubiKey, insert it in a computer and open a text editor. Touch the button on the YubiKey, copy characters 5 – 12 of the string, e.g. cccc**cckdnhjr**jgtkhgrvljhfrjtecfhkgefnteictlcc, and convert them to a decimal value with the Yubico ModHex converter, https://developers.yubico.com/OTP/Modhex_Converter.html.
(In this sample case, cckdnhjr corresponds to serial number 9614988.)
Yubico authentication test page.
- Add the serial number to the user repository: For YubiKeys obtained from a third party, the serial number is registered in the format zmubXXXXXXXX in the user’s entry. For user accounts in Active Directory, the default attribute for token serial numbers is ipPhone, but this can be changed in the Mideye Server LDAP profile configuration, submenu ‘User Attributes’.
Add the serial number in the IP phone field (the ipPhone attribute).
- Enable setting alternative authentication: If Token is not already the default authentication type, the authentication method for the user must be changed to Token. Mark ‘Read Optional Attributes’ in the Authentication submenu of the LDAP profile and specify an Authentication Type Attribute. The default attribute for Active Directory is pager. Whatever attribute is selected must be empty for all users and must not be used for any other purpose.
- Specify authentication type 3-Token for the user: Add the digit 3 in the Authentication Type Attribute (AD default: pager attribute) in the user’s account. In ADUC, open the “Telephones” tab for the user and enter 3 in the Pager field. See section Authentication types in the Reference guide to see what each number represents in the authentication list.
Example of AD account configuration with a YubiKey obtained from a third party.
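Both procedures above (Mideye-provided keys and third-party keys) reduce to the same task: read the string the YubiKey emits, decide which provisioning scheme the prefix indicates, and derive the value to store in the token-serial attribute. The script below is an added example, not Mideye's or Yubico's code. It assumes the two OTP strings quoted on this page (constructed as sample input), that the registration value is zero-padded to 8 digits for third-party keys as the page does for Mideye keys, and that a standard Yubico OTP is 44 ModHex characters; the function names are the author's own.

```python
# Added example (not Mideye's or Yubico's code): derive the Mideye Server
# registration value for a YubiKey from the string it emits when touched.
#
# Assumptions (not stated on the page, labelled here):
#   - a Yubico OTP is 44 ModHex characters (12-char public ID + 32-char token);
#   - the 'zmub' value is zero-padded to 8 digits, like the 'ubbc' value.

MODHEX_ALPHABET = "cbdefghijklnrtuv"  # Yubico ModHex: 'c' = 0 ... 'v' = 15
ASSUMED_SERIAL_WIDTH = 8               # assumption: pad serials to 8 digits
YUBICO_OTP_LENGTH = 44                 # assumption: standard Yubico OTP length

# Constructed sample input: the two strings quoted on this page.
MIDEYE_OTP = "ubbc0643451004116861"
YUBICO_OTP = "cccccckdnhjrjgtkhgrvljhfrjtecfhkgefnteictlcc"


def modhex_to_int(text: str) -> int:
    """Decode a ModHex string to an integer (what the Yubico converter does)."""
    value = 0
    for ch in text:
        digit = MODHEX_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"not a ModHex character: {ch!r}")
        value = value * 16 + digit
    return value


def classify_otp(otp: str) -> str:
    """Map the public-ID prefix to the provisioning scheme described on the page."""
    if otp.startswith("ubbc"):
        return "mideye"   # pre-provisioned by Mideye, verified by Mideye central service
    if otp.startswith("cccc"):
        return "yubico"   # Yubico-provisioned, verified via YubiCloud
    if otp.startswith("vvcc"):
        return "custom"   # custom key uploaded to YubiCloud by the owner
    raise ValueError(f"unrecognised OTP prefix: {otp[:4]!r}")


def registration_value(otp: str) -> str:
    """Value for the token-serial attribute (AD default: ipPhone).

    Mideye keys: the first 12 characters ('ubbc' + 8-digit serial) are used as-is.
    Yubico keys: characters 5-12 are the ModHex-encoded serial; decode it and
                 prefix it with 'zmub'.
    Custom keys: the serial cannot be derived from the OTP, so refuse and let the
                 operator look it up at https://demo.yubico.com/otp/verify.
    """
    scheme = classify_otp(otp)
    if scheme == "mideye":
        serial = otp[4:12]
        if len(serial) != ASSUMED_SERIAL_WIDTH or not serial.isdigit():
            raise ValueError("'ubbc' prefix not followed by an 8-digit serial")
        return "ubbc" + serial
    if scheme == "yubico":
        if len(otp) != YUBICO_OTP_LENGTH:
            raise ValueError("Yubico OTP should be 44 ModHex characters")
        serial = modhex_to_int(otp[4:12])
        return "zmub" + str(serial).zfill(ASSUMED_SERIAL_WIDTH)
    raise ValueError("custom-key YubiKey: obtain the serial from the Yubico verify page")


if __name__ == "__main__":
    for sample in (MIDEYE_OTP, YUBICO_OTP):
        print(classify_otp(sample), registration_value(sample))
```

The value returned goes in the user's ipPhone attribute (or whichever attribute the LDAP profile names), and the digit 3 goes in the Authentication Type Attribute (AD default: pager) exactly as the steps above describe; the script only removes the manual ModHex conversion and catches the custom-key case, where no serial can be read from the OTP.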