
User steps

  1. Open the YubiKey Personalization Tool and insert the YubiKey into a USB port on your computer
  2. Select 'Yubico OTP Mode' under the 'Personalize your YubiKey' menu
  3. Select the 'Quick' option
  4. Select 'Configuration Slot 1'
  5. Click 'Regenerate' to generate a new secret
  6. Click 'Write Configuration'. If a 'Confirm: Overwrite configuration slot 1' box comes up, click Yes

    This will overwrite your existing configuration. See the notes in this document for details and workarounds.

  7. A box will prompt for where to save the log file. Save this file to a temporary location and note the name of the .csv file for later reference.

    This file contains the secret key that will need to be provisioned into Duo. Once provisioned, this file must be either saved in a safe place if this secret is to be used elsewhere or, if not, deleted immediately.

  8. Confirm that the YubiKey Personalization Tool states 'YubiKey has been successfully configured'
  9. If you plan to use this secret with other services unrelated to Duo, you will also need to click 'Upload to Yubico'. This opens a browser window to upload your newly generated secret to Yubico's validation servers, which allows other applications that integrate directly with Yubico's servers to be used with this YubiKey's configuration.
  10. You may now quit the personalization tool and remove the YubiKey from the USB port. Note the serial number in the tool for future reference.
  11. Head to the Identity.UW Add Token page: https://identity.uw.edu/2fa/addtoken and select the 'Yubico AES OTP' option.

  12. Enter the information from the YubiKey Configuration Tool into the corresponding fields on the Add Token page (note that the serial number is prefixed by "EX_" which is intended):
    The 'Serial number' field should correspond with the serial number of the YubiKey, found either on the device or in the YubiKey configuration tool.
    The 'Yubico Private Identity' field comes from the CSV log file, highlighted below:

    The 'Yubico Secret Key' field comes from the CSV log file, highlighted below:



  13. To generate the passcode for the Passcode field, click into the text box and press the button on your YubiKey. The YubiKey will generate a code and type it into the text field.
  14. If you'd like to link this token to your UW NetID, select the 'Link this token to my UW NetID' option. If you are adding this token but someone else will use it, select the 'Do not link' option and then send them to the Identity.UW Link page: https://identity.uw.edu/2fa/link?type=yk. This will let the other person link the token to their UW NetID.
  15. Click 'Add token' to complete the process.
  16. Once you have imported the hardware token into Duo and have confirmed the YubiKey is working, delete the log file with the secret key if no longer needed. Otherwise, save in a safe place.

1 Comment

  1. Great instructions!