Yubico Yubikey and Authpoint Import as Third Party Token
I need some help with importing PSKC seed files from Yubikeys to Authpoint.
I tried to import seed files from Yubikey Hardware Tokens into Authpoint as Third Party Hardware Tokens, but I had no luck. I could not find any information on how to create the right format (or formatting) for the key and seed file (PSKC) so that they import without errors.
The only information i found for PSKC format (RFC 6030) and Yubikeys is from another vendor, i searched for "yubikey pskc seed file".
The best information i could find was: https://thalesdocs.com/sta/Content/STA/Tokens/YubiKey.htm
But something seems to be wrong with the file.
Especially the part how to export the files from a Yubikey (at the moment with the Personalisation Tool, later through "YubiEnterprise Delivery") and formatting the seed file for importing to Authpoint.
Thank you all!
Yubikey isn't supported in AuthPoint, so this won't work.
If you'd like to use a hardware key in AuthPoint, you have a few options.
- 3rd Party tokens (requirements are listed in the "Supported Hardware Tokens" section).
WatchGuard Customer Support
I will just quote both vendors product information:
Yubico: Yubikey 5 primary functions:
"any" compatible means yes for me.
From the linked document:
Hardware tokens must meet these requirements:
Response Format — Six-digit time-based OTP (one time password) that includes only numbers with a 30 or 60-second time interval.
As far as I'm aware, YubiKey does not have a display, nor does it have a way to output a 6-digit OTP.
WatchGuard Customer Support
You can use a configuration tool to do that. See screenshot.
(YubiKey Personalization Tool)
Yes, it does not have a display but it has buttons for that: Open the HOTP input field (Login-App), press the button and your 6-digit is magically written where it should be. No need for typing! (see details below the image).
[The YubiKey has an integrated touch-contact that triggers the OTP generation. Generated OTPs are sent as keystrokes by the emulated keyboard, thereby allowing the OTPs to be received by any text input field or command prompt. This can be done across any channel which accepts keyboard input, such as virtual desktops, remote desktops, SSH or web interfaces.]
If Yubi can provide the proper OTP, that should be sufficient. So long as they can provide the seed file and key in the proper format.
RFC6030 lays out how the seed must be formatted:
WatchGuard Customer Support
YES, exactly: the "proper format" is my issue.
There are rarely any sources at either vendor (or even other vendors) on how to generate the RFC6030 seed file in order to import it into Authpoint as a 3rd party token. I just receive "parsing errors" after uploading. I am looking for a Python script to generate a seed file with a test token.
I am currently here:
Any help is appreciated.
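An added example of the kind of script asked for above (not from this thread or from either vendor): it writes a minimal unencrypted RFC 6030 PSKC file for one six-digit, 30-second TOTP test token and parses it back. The namespace and element layout follow RFC 6030; the TOTP profile URN, the "Yubico" manufacturer string and the serial are assumptions, and which variant Authpoint's importer accepts is not documented on this page.

```python
import base64
import secrets
import xml.etree.ElementTree as ET

PSKC_NS = "urn:ietf:params:xml:ns:keyprov:pskc"
# Algorithm profile URN commonly used for TOTP in PSKC files (assumption: the importer expects this one).
TOTP_PROFILE = "urn:ietf:params:xml:ns:keyprov:pskc:totp"


def q(tag: str) -> str:
    """Namespace-qualify a PSKC element name for ElementTree."""
    return f"{{{PSKC_NS}}}{tag}"


def build_pskc(serial: str, secret: bytes, digits: int = 6, interval: int = 30) -> bytes:
    """Build an unencrypted RFC 6030 KeyContainer holding one TOTP credential.

    PlainValue means the seed is cleartext in the file; RFC 6030 also allows
    EncryptedValue under a pre-shared wrapping key, which this example omits.
    """
    ET.register_namespace("pskc", PSKC_NS)
    root = ET.Element(q("KeyContainer"), Version="1.0")
    pkg = ET.SubElement(root, q("KeyPackage"))
    dev = ET.SubElement(pkg, q("DeviceInfo"))
    ET.SubElement(dev, q("Manufacturer")).text = "Yubico"   # assumed manufacturer string
    ET.SubElement(dev, q("SerialNo")).text = serial
    key = ET.SubElement(pkg, q("Key"), Id=serial, Algorithm=TOTP_PROFILE)
    params = ET.SubElement(key, q("AlgorithmParameters"))
    # Six decimal digits matches the "Response Format" requirement quoted in the thread.
    ET.SubElement(params, q("ResponseFormat"), Length=str(digits), Encoding="DECIMAL")
    data = ET.SubElement(key, q("Data"))
    ET.SubElement(ET.SubElement(data, q("Secret")), q("PlainValue")).text = base64.b64encode(secret).decode()
    ET.SubElement(ET.SubElement(data, q("Time")), q("PlainValue")).text = "0"  # T0 = Unix epoch
    ET.SubElement(ET.SubElement(data, q("TimeInterval")), q("PlainValue")).text = str(interval)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def parse_pskc(doc: bytes) -> dict:
    """Read the credential back out, as an importer's parser has to."""
    ns = {"pskc": PSKC_NS}
    key = ET.fromstring(doc).find("pskc:KeyPackage/pskc:Key", ns)
    fmt = key.find("pskc:AlgorithmParameters/pskc:ResponseFormat", ns)
    return {
        "serial": key.get("Id"),
        "algorithm": key.get("Algorithm"),
        "digits": int(fmt.get("Length")),
        "secret": base64.b64decode(key.findtext("pskc:Data/pskc:Secret/pskc:PlainValue", namespaces=ns)),
        "interval": int(key.findtext("pskc:Data/pskc:TimeInterval/pskc:PlainValue", namespaces=ns)),
    }


if __name__ == "__main__":
    # Constructed test token: random 20-byte (SHA-1 sized) seed and a placeholder serial.
    with open("test-token.pskc", "wb") as fh:
        fh.write(build_pskc("YK-TEST-00000001", secrets.token_bytes(20)))
    print(parse_pskc(open("test-token.pskc", "rb").read()))
```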
Unfortunately, I can't help convert Yubi's key into the proper format. I'd suggest asking Yubi to provide it in that RFC6030 format, or use one of the supported keys.
There is an open feature request for AuthPoint to support Yubikey. It's AAAS-12937. However, since there are both WatchGuard branded and 3rd party keys that are already supported, this isn't a high priority.
If you'd like to follow that enhancement request, please open a case and mention AAAS-12937 somewhere in the case.
WatchGuard Customer Support
If I have a solution for the implementation, I will update this thread with instructions.
While we use the excellent AuthPoint token, we also use Yubikeys in our business where the AuthPoint token will not work. It would be nice to see better interchangeability between token providers.
Adrian from Australia
Finally there is the missing part of the puzzle:
Yubikey natively runs 100% HOTP, but OATH-TOTP only with an extra app!
Authpoint supports 100% OATH-TOTP in Hardware.
Both will not work together. (in March 2021, Authpoint is moving fast).
Besides all the sales stuff available on the net, the dev docs tell us the truth:
Yubikey’s „TOTP implementation needs an (extra*) application that can read OATH codes from YubiKeys, since YubiKeys does not have an internal clock.“ ‼️
Source #1: https://developers.yubico.com/OATH/OATH_Walk-Through.html
So currently the answer is “NO”.
It is simply not possible.
[* An extra authenticator application on the Windows desktop or smartphone to enable TOTP with Yubikeys makes no sense to me. Authpoint already has a mobile app.]
I personally hope that Watchguard will enable HOTP (-Token) in Authpoint for future versions of their solution. I am sure they will reach more customers already using Yubikey or others.
The OATH application can store up to 32 OATH credentials, either OATH-TOTP (time based) or OATH-HOTP (counter based).
These credentials are separate from those stored in the OTP application, and can only be accessed via the CCID channel. In order to manage these credentials and read the OTPs generated by the YubiKey, the Yubico Authenticator software is needed. ‼️
Currently, the Yubico Authenticator is supported on Windows, Linux, macOS, Android and iOS. In order to restrict access to the OTPs, a password can be set for this application. Using the OATH application functions on iOS requires the Yubico iOS SDK.
from https://support.yubico.com/hc/en-us/articles/360016614900-YubiKey-5-Series-Technical-Manual - scroll down to “OATH”
I found the missing part of the puzzle now. In the dev documentation the most important sentence regarding OATH-TOTP with Yubico is:
„For TOTP you need an application that can read OATH codes from YubiKeys, since YubiKeys does not have an internal clock.“ The Yubico Authenticator for Windows (iOS, Android).
So it would not make sense to use a Windows or smartphone app + Yubikey. Authpoint has an app with push, and we need that before Windows logon.
I will open a feature request case to support HOTP with Yubikey and mention AAAS-12937 in my additional case.
Can you tell me how (you made it work with Authpoint)?
Yesterday there was a push authentication failure for several hours - "only for some clients" as confirmed by Watchguard DACH. For us, the Watchguard site was simply unreachable, no push notification was sent to any employee. So VPN auth was impossible! And just at the beginning of the European working day!
If push is not available: will HOTP/TOTP still work? And is the QR-code token the only fallback authentication factor available? [Calling the admin by phone for an auth code is not a good idea if you have 100 users trying to access VPN.]
Some clarification on why we don't support HOTP, or event-based tokens. HOTP is much less secure, since it doesn't have the time component. Let's say you keep pressing the Yubikey token button, so it keeps spitting out OTPs (basically, a counter + seed goes into an HMAC-SHA function). Write down 10 of those OTPs on a piece of paper. Now you have a paper token, in the form of a scratch list. Just use it in order, and you can use them at any time.
An attacker that redirects you to a phishing website could convince you to type in a series of event-based OTPs, and use it any time later, multiple times. Could be done by phone, could be done by phishing.
You could do this with 1 TOTP, but you would need to use it within a small time window, almost concurrently.
Most HOTP or event-based tokens are not considered anymore, because of those security issues.
Yubikey Hardware Token Integration with AuthPoint:
Good point noticing, Kimmo! There is a way you can enable TOTP with Yubikeys, it requires some external configs, but we have at least one customer with that working!
I would like to see even easier support for Yubikey, both how to enroll the Yubikey and how to use it...
If you check the following SecurEnvoy & Yubikey youtube video,
https://www.youtube.com/watch?v=5oNg9OBOAXY (from: 2:50 - 4:00 min)
Is this something maybe also AuthPoint could support?
I'm not too familiar with Yubikey's enrollment process, but it seems they provide it in 2 ways:
That could be an option, but we would need to align SLA and support, if something happens with their cloud application. In any case, I always prefer to authenticate ourselves, even for just OTP, because we know well how to handle time shifts, something that Duo for example doesn't know. We also prefer to import the seeds using PSKC format, not the seed completely in cleartext, like Duo and Microsoft, since anyone with access to that file could easily create software clones of it.
In any case, it is in our roadmap FIDO2 integration.
Could you share how you created the Yubikey seed file, yk-pskc.py, that you refer to in your “Yubikey Hardware Token Integration with AuthPoint” guide.