I recently bought the Yubikey 5C and Yubikey NFC from yubico.com.
Yubico is, in short, the company behind the YubiKey hardware authentication device, which supports (OTP
Since I’m I
Quick FAQ: YubiKeys with Azure MFA
- OATH hardware tokens are only in public preview for AAD.
- Works with Azure cloud-based MFA even though the option sits in the Azure MFA settings of the AAD portal.
- AAD supports OATH-TOTP SHA-1 tokens (30 or 60 second interval).
- AAD only supports 3 YubiKeys, one MS Authenticator app and a phone per user account.
Configure Azure MFA for OATH hardware tokens (public preview)
- Azure tenant with AAD Premium
- MFA already enabled
- At least one YubiKey. For the purpose of this guide, I'm using a YubiKey 5C.
- Yubico Manager Command (ykman, used to read the YubiKey serial number)
- Yubico Authenticator
Step 1) Configure YubiKey
Download and install the Yubico Manager Command (Windows 10, macOS or Linux).
Start the Yubico Manager Command from a terminal or PowerShell.
Create the OATH-TOTP credential for the user on the YubiKey with the command below (the key's serial number, which the CSV in step 2 needs, is printed by the "ykman info" command):
.\ykman.exe oath add UPN@<tenant name>.onmicrosoft.com
The command then prompts you for a Base32 secret key.
Use OpenSSL to generate random key material and encode it as Base32.
Paste your Base32 key at the prompt after you have run the ".\ykman.exe oath add" command.
Step 2) Configure Azure MFA
In the AAD portal, go to MFA Server. Under settings, open OATH tokens and choose Upload CSV to Azure.
The CSV has to follow a specific format, like the example below:
upn,serial number,secret key,timeinterval,manufacturer,model
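The Base32 key from step 1 and the CSV row above can be produced (and the secret checked against what Yubico Authenticator displays) with the following script. This is an added example, not part of the original post or of Yubico's tooling; the UPN and serial number in it are constructed placeholders, and the TOTP routine is a plain RFC 6238 HMAC-SHA-1 implementation, the variant AAD accepts.

```python
import base64
import csv
import hashlib
import hmac
import io
import secrets
import struct
import time

# Constructed sample values, not real tenant data: replace with the user's UPN
# and the serial number that `ykman info` prints for the key.
SAMPLE_UPN = "user@contoso.onmicrosoft.com"
SAMPLE_SERIAL = "1234567"

def new_base32_secret(nbytes=20):
    """Random 160-bit secret, Base32-encoded (the form both ykman and AAD take)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")

def totp(base32_secret, unix_time=None, period=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA-1, the only variant the AAD preview accepts."""
    key = base64.b32decode(base32_secret.upper())
    now = time.time() if unix_time is None else unix_time
    counter = struct.pack(">Q", int(now) // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def azure_oath_csv(rows, manufacturer="Yubico", model="YubiKey 5C"):
    """Build the upload CSV; rows are (upn, serial, base32_secret, period)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["upn", "serial number", "secret key", "timeinterval",
                     "manufacturer", "model"])
    for upn, serial, secret, period in rows:
        if period not in (30, 60):
            raise ValueError(f"AAD accepts a 30 or 60 second interval, got {period}")
        base64.b32decode(secret.upper())  # rejects a secret that is not valid Base32
        writer.writerow([upn, serial, secret, period, manufacturer, model])
    return buf.getvalue()

if __name__ == "__main__":
    secret = new_base32_secret()
    print(azure_oath_csv([(SAMPLE_UPN, SAMPLE_SERIAL, secret, 30)]))
    # Compare this with the code Yubico Authenticator shows before uploading.
    print("current TOTP:", totp(secret))
```

Keep the generated CSV off shared storage and delete it after the upload, since the secret column is the token's long-term key.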
After the upload has completed successfully, click the refresh button.
Verify that the YubiKey is shown as activated in the dashboard.
Step 3) Configure MFA settings on the User account
Go to https://aka.ms/mfasetup as the user who has been assigned the YubiKey. In the settings, change the preferred authentication option to "Use verification code from
Log out of the MFA portal and start a new login to portal.office.com.
You will now be prompted with
As stated, this is only a public preview, and it currently only works with
OATH-TOTP SHA-1, and you need the Yubico Authenticator app. So it would have been nice to see these go a step further with HOTP and passwordless. In comparison with other hardware tokens, Yubico has some competition from token2.com and deepnetsecurity.com, and I will look into these later :)
As part of the deployment process, I could have used the self-service hardware token setup, but this limits the administrator's ability to track all the hardware keys.
There is still a lot of potential in this space, so it will be exciting to see how this develops 🙂