=== Use !YubiKey for 2FA with UA Duo for SSO, VPN and potentially other services using 2FA ===

 1. Obtain a !YubiKey supporting OTP in a form factor that works for you: https://www.yubico.com/products/yubikey-hardware/
 2. Download and install the !YubiKey Manager application on your computer: https://www.yubico.com/products/services-software/download/yubikey-manager/
 3. Configure your !YubiKey for OTP in one of its two (virtual) slots* using the detailed illustrated instructions in the Duo guide: https://duo.com/docs/yubikey[[br]]
    NOTE WELL: You will use the !YubiKey Manager to generate cryptographic keys and store them on your !YubiKey;[[br]]
    BE PATIENT: each of the three items will take a minute or so to generate and store;[[br]]
    DO NOT REPEAT steps by clicking multiple times - each click will restart and overwrite the previous result!
 4. Send a comma-separated string with (1) the digital serial number, (2) the 6 byte private id, and (3) the 16 bit secret key, in that order, like this example:
    {{{
    4475749, e7fe845755d4, 8184650122dbe50057f968927f224b6a
    }}}
    to IAM or Security, noting your UA Username, which is the Duo account to which the token will be attached.[[br]]
    NOTE: send the '''text''' as a string, like the string above, not a picture of text!
 5. IAM or Security will upload the CSV string to import your token and assign it to your ID at Duo.

----
*Which of the !YubiKey's two (virtual) slots is used is determined by the duration of your touch. The first slot generates the output when the !YubiKey button is touched for 0.3 to 1.5 seconds and released; the second slot is used if the button is touched for 2 to 5 seconds.
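To show what the three values in the step 4 string are used for once Duo has imported them, here is an added example of a Yubico OTP verifier in Go. It is not code from this page, from Duo or from Yubico. It parses the page's own example line (the secret key is 32 hex characters, i.e. 16 bytes, an AES-128 key) and checks a 44-character OTP the way the Yubico OTP format works: the last 32 modhex characters are decrypted with the token's key, the CRC is checked, the 6-byte private id is compared with the record, and any OTP whose counter is not above the last accepted one is rejected as a replay. The public id `cccccccccccc`, the timestamps and the `makeOTP` helper that stands in for a key press are constructed for the example; the serial is carried only as an identifier.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"strings"
)

// Token is what Duo imports from the step-4 CSV line; LastCounter is replay-detection state.
type Token struct {
	Serial      string
	PrivateID   []byte // 6 bytes
	SecretKey   []byte // 16 bytes, i.e. an AES-128 key
	LastCounter uint32
}

// NewTokenFromCSV parses "serial, privateid, secretkey" and checks the field sizes.
func NewTokenFromCSV(line string) (*Token, error) {
	f := strings.Split(strings.ReplaceAll(line, " ", ""), ",")
	if len(f) != 3 {
		return nil, errors.New("expected serial, private id, secret key")
	}
	priv, err1 := hex.DecodeString(f[1])
	key, err2 := hex.DecodeString(f[2])
	if err1 != nil || err2 != nil || len(priv) != 6 || len(key) != 16 {
		return nil, errors.New("private id must be 12 and secret key 32 hex characters")
	}
	return &Token{Serial: f[0], PrivateID: priv, SecretKey: key}, nil
}

// modhex is the keyboard-layout-independent alphabet the key types (index = nibble value).
const modhex = "cbdefghijklnrtuv"

// modhexEncode maps each hex digit of the byte string onto the modhex alphabet.
func modhexEncode(b []byte) string {
	return strings.Map(func(r rune) rune { return rune(modhex[strings.IndexRune("0123456789abcdef", r)]) }, hex.EncodeToString(b))
}
func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i+1 < len(s); i += 2 {
		hi, lo := strings.IndexByte(modhex, s[i]), strings.IndexByte(modhex, s[i+1])
		if hi < 0 || lo < 0 {
			return nil, errors.New("otp contains a non-modhex character")
		}
		out[i/2] = byte(hi<<4 | lo)
	}
	return out, nil
}

// crc16 is the reflected CRC-16 (poly 0x8408, init 0xffff) used in Yubico OTPs; a block ending in the complemented CRC of its first 14 bytes checks to the residue 0xf0b8.
func crc16(buf []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range buf {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = (crc >> 1) ^ (0x8408 * (crc & 1))
		}
	}
	return crc
}

// Verify checks one 44-character OTP: the first 12 characters are the public id that locates
// the record; the last 32 are one AES block = private id | counter | time | use | random | crc.
func (t *Token) Verify(otp string) error {
	if len(otp) != 44 {
		return errors.New("otp must be 44 modhex characters")
	}
	plain, err := modhexDecode(otp[12:]) // still ciphertext until decrypted below
	if err != nil {
		return err
	}
	block, _ := aes.NewCipher(t.SecretKey) // key length was validated on import
	block.Decrypt(plain, plain)            // in place; a single block, so no mode of operation is involved
	switch counter := uint32(binary.LittleEndian.Uint16(plain[6:8]))<<8 | uint32(plain[11]); {
	case crc16(plain) != 0xf0b8:
		return errors.New("crc mismatch: wrong secret key or corrupted otp")
	case string(plain[:6]) != string(t.PrivateID):
		return errors.New("private id does not match this token")
	case counter <= t.LastCounter:
		return errors.New("replayed otp: counter not above the last accepted value")
	default:
		t.LastCounter = counter
		return nil
	}
}

// makeOTP stands in for the key press in this example (a real key does this in hardware).
func makeOTP(t *Token, publicID string, sessionCounter uint16, timestamp uint32, sessionUse byte, random uint16) string {
	plain := make([]byte, 16)
	copy(plain[:6], t.PrivateID)
	binary.LittleEndian.PutUint16(plain[6:8], sessionCounter)
	plain[8], plain[9], plain[10], plain[11] = byte(timestamp), byte(timestamp>>8), byte(timestamp>>16), sessionUse
	binary.LittleEndian.PutUint16(plain[12:14], random)
	binary.LittleEndian.PutUint16(plain[14:16], ^crc16(plain[:14]))
	block, _ := aes.NewCipher(t.SecretKey)
	block.Encrypt(plain, plain)
	return publicID + modhexEncode(plain)
}
```

The counter check is what makes a typed OTP single-use: the key increments the session counter on every power-up and the session-use byte on every press, so a verifier that remembers the highest value it accepted can refuse a repeated one. The secret key is the only secret in the record; the verifier needs it to decrypt, and so would anyone forging OTPs, which is why the step 4 string goes only to IAM or Security.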
=== Two factor authentication for privileged VPN access to UA network ===

As of March 2017 two VPNs require Duo two-factor authentication:[[br]]
swf-no-1.vpn.alaska.edu and[[br]]
swf-ts-1.vpn.alaska.edu

==== You must request access to use VPNs through the UA Service Desk / incident ticket http://www.alaska.edu/oit/servicecatalog/#id=162 ====

=== VPN authentication ===

VPNs use Duo's "Append Mode" to provide a second factor in addition to your UA Password in the Password field. You enter your password, followed by a comma, then an indicator of your second factor. You can provide the second factor using !DuoMobile Push, telephone call-back, one-time passcodes (OTPs), or a !YubiKey token.

==== !DuoMobile for second factor ====
{{{
password,push
e.g., enTrenching?4flogged,push
}}}
pushes a login request to your smart phone with the !DuoMobile app enrolled for UA; review the request and tap "Approve" on the phone to complete login.

==== One-time Passcodes for second factor ====
{{{
password,OTPasscode
e.g., Licenser&6wiretapper,012345
}}}
where OTPasscode is a one-time passcode generated with !DuoMobile, or generated by your hardware token (see the !YubiKey section below for automated entry of the OTPasscode).

You can also request that passcodes be sent to you via SMS to your enrolled mobile phone by appending "sms" to your password; ''please note that SMS is considered less secure than other methods using OTPasswords, and may be disallowed in the future.''
{{{
password,sms
e.g., Licenser&6wiretapper,sms
}}}

==== Telephone call-back for second factor ====
{{{
password,phone#
e.g., BestialiZed^7picovolts,phone
}}}
will trigger a telephone call to the number that has been enrolled and attached to your Duo account; you will be asked to touch a key on the telephone key pad to complete authentication. If you have multiple phone numbers enrolled and attached to your Duo account, you can specify which to use by typing "phone1" or "phone2".
You can enroll telephone numbers in your Duo account if you are enrolled for use of Duo for SSO (see https://iam.alaska.edu/trac/wiki/mfa for Duo enrollment instructions).

=== !YubiKey for VPN 2nd factor ===

If registered with Duo as described above, you can use the !YubiKey to send the second factor passcode: in the password field type your password followed by a comma, then touch your key*; that is,
{{{
password,
}}}
then touch your key, which enters a one-time passcode.
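The Append Mode forms above (push, passcode, sms, phone and phoneN, and the comma-then-touch-the-key form) all arrive in the one Password field, so a server-side component has to split the field and classify what follows the comma. The Go parser below is an added example of that classification, written for this page; it is not Duo's code, and how Duo's own proxy splits the field is not described on this page. It assumes the split happens on the last comma (so a password that contains commas still works, since no factor indicator contains one), that passcodes are 6 to 8 digits, and that a !YubiKey OTP is recognised by its 44 modhex characters; the kind names in the `Factor` struct are the example's own.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Factor is the second-factor indicator found after the last comma of the Password field.
type Factor struct {
	Kind   string // "push", "sms", "phone", "passcode" or "yubikey" (names chosen for this example)
	Device int    // phone number index for "phone1", "phone2", ...; 0 when unspecified
	Value  string // the passcode or YubiKey OTP; empty for the other kinds
}

var (
	phoneRe    = regexp.MustCompile(`^phone([1-9])?$`)
	passcodeRe = regexp.MustCompile(`^[0-9]{6,8}$`)            // DuoMobile/SMS/token passcodes (6-8 digits assumed)
	yubikeyRe  = regexp.MustCompile(`^[cbdefghijklnrtuv]{44}$`) // Yubico OTP: 44 modhex characters
)

// ParseAppendMode splits a Password field of the form "password,factor".
// Assumption (not stated on the page): the split is on the LAST comma, so a password that
// itself contains commas still works, because no factor indicator contains one.
func ParseAppendMode(field string) (password string, f Factor, err error) {
	i := strings.LastIndexByte(field, ',')
	if i < 0 {
		return "", Factor{}, errors.New("no second factor: expected password,factor")
	}
	// a YubiKey types Enter after its OTP; TrimSpace drops that and any stray whitespace
	password, suffix := field[:i], strings.TrimSpace(field[i+1:])
	switch {
	case suffix == "":
		return "", Factor{}, errors.New("nothing after the comma: type a factor or touch the key")
	case suffix == "push", suffix == "sms":
		f = Factor{Kind: suffix}
	case phoneRe.MatchString(suffix):
		f = Factor{Kind: "phone"}
		if m := phoneRe.FindStringSubmatch(suffix); m[1] != "" {
			f.Device = int(m[1][0] - '0')
		}
	case passcodeRe.MatchString(suffix):
		f = Factor{Kind: "passcode", Value: suffix}
	case yubikeyRe.MatchString(suffix):
		f = Factor{Kind: "yubikey", Value: suffix}
	default:
		return "", Factor{}, fmt.Errorf("unrecognised second factor %q", suffix)
	}
	if password == "" {
		return "", Factor{}, errors.New("empty password before the comma")
	}
	return password, f, nil
}
```

Splitting on the last comma is the choice that keeps passwords with commas usable; splitting on the first would silently hand part of the password to Duo as a "factor" and fail the login. Matching the OTP by its modhex alphabet, rather than by length alone, also keeps a mistyped digit passcode from being confused with a key press.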