Yubico Yubikey and Authpoint Import as Third Party Token

Hi,

i need some help with importing PSKC seed files from Yubikeys to Authpoint,

I tried to import seed files from Yubikey Hardware Tokens for Authpoint as Third Party Hardware Tokens. But i had no luck. I could not find any information to create the right format (or formatting) for the key and seed file (PSKC) for importing them without errors.

The only information i found for PSKC format (RFC 6030) and Yubikeys is from another vendor, i searched for "yubikey pskc seed file".

The best information i could find was: https://thalesdocs.com/sta/Content/STA/Tokens/YubiKey.htm
But something seems to be wrong with the file.

Especially the part how to export the files from a Yubikey (at the moment with the Personalisation Tool, later through "YubiEnterprise Delivery") and formatting the seed file for importing to Authpoint.

Thank you all!

Marc

Comments

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @MA7C
    Yubikey isn't supported in AuthPoint, so this won't work.

    If you'd like to use a hardware key in AuthPoint, you have a few options.

    -AuthPoint token.
    https://www.watchguard.com/wgrd-products/authpoint/hardware-tokens

    -3rd Party tokens: (Requirements are listed in the "Supported Hardware Tokens" section.
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/tokens_hardware.html

    -James Carson
    WatchGuard Customer Support

  • Hi James,

    I will just quote both vendors product information:

    Yubico: Yubikey 5 primary functions:

    ... OATH – HOTP (Event), OATH – TOTP (Time), ... https://www.yubico.com/products/identifying-your-yubikey/

    Watchguard Authpoint:

    "AuthPoint also supports any OATH TOTP compliant third-party hardware tokens." (your link above).

    "any" compatible means yes for me. :)

    Marc

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @MA7C

    From the linked document:
    Hardware tokens must meet these requirements:
    Response Format — Six-digit time-based OTP (one time password) that includes only numbers with a 30 or 60-second time interval.

    As far as I'm aware, YubiKey does not have a display nor does not have a way to output a 6 digit OTP.

    -James Carson
    WatchGuard Customer Support

  • You can use a configuration tool to do that. See screenshot.
    (YubiKey Personalization Tool)

    Yes, it does not have a display but it has buttons for that: Open the HOTP input field (Login-App), press the button and your 6-digit is magically written where it should be. No need for typing! (see details below the image).

    [The YubiKey has an integrated touch-contact that triggers the OTP generation. Generated OTPs are sent as keystrokes by the emulated keyboard, thereby allowing the OTPs to be received by any text input field or command prompt. This can be done across any channel which accepts keyboard input, such as virtual desktops, remote desktops, SSH or web interfaces.]

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @MA7C

    If Yubi can provide the proper OTP, that should be sufficient. So long as they can provide the seed file and key in the proper format.

    RFC6030 lays out how the seed must be formatted:
    https://tools.ietf.org/html/rfc6030

    -James Carson
    WatchGuard Customer Support

  • edited March 2021

    YES, exactly: the "proper format" is my issue. B)

    There are rarely any sources at both vendors (or even other verndors) how to generate the RFC6030 seed file in order to import it to Authpoint as 3rd party token. I just receive "parsing errors" after uploading. I am looking for a python script to generate a seed file with a test token.

    I am currently here:
    https://arthurdejong.org/python-pskc/

    Any help is appreciated.

    Marc

  • james.carsonjames.carson Moderator, WatchGuard Representative

    @MA7C
    Unfortunately, I can't help convert Yubi's key into the proper format. I'd suggest asking Yubi to provide it in that RFC6030 format, or use one of the supported keys.

    There is an open feature request for AuthPoint to support Yubikey. It's AAAS-12937. However, since there are both WatchGuard branded and 3rd party keys that are already supported, this isn't a high priority.

    If you'd like to follow that enhancement request, please open a case and mention AAAS-12937 somewhere in the case.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • Thanks James,

    If i have a solution for the implementation, i will update this thread with instructions.

    Thank you,
    Marc

  • While we use the excellent AuthPoint token, we also use Yubikeys in our business where the AuthPoint token will not work. It would be nice to see better interchangeability between token providers.

    Adrian from Australia

  • edited March 2021

    Hi

    Finally there is the missing part of the puzzle:

    • Yubikey natively runs 100% HOTP. but OATH-TOTP only with extra-App!

    • Authpoint supports 100% OATH-TOTP in Hardware.

    Both will not work together. (in March 2021, Authpoint is moving fast).

    Besides all the sales stuff available the net, the dev-docs tell us the truth:

    Yubikey’s „TOTP implementation needs an (extra*) application that can read OATH codes from YubiKeys, since YubiKeys does not have an internal clock.“ ‼️

    Source #1: https://developers.yubico.com/OATH/OATH_Walk-Through.html

    So currently the answer is “NO”.
    It is simply not possible.

    [* An extra authenticator application on the Windows desktop or smartphone to enable TOTP with Yubikeys makes no sense to me. Authpoint already has a mobile app.]

    I personally hope that Watchguard will enable HOTP (-Token) in Authpoint for future versions of their solution. I am sure they will reach more customers already using Yubikey or others.

    best regards,
    Marc

    Source #2:
    YUBICOs OATH-TOTP:

    The OATH application can store up to 32 OATH credentials, either OATH-TOTP (time based) or OATH-HOTP (counter based).

    These credentials are separate from those stored in the OTP application, and can only be accessed via the CCID channel. In order to manage these credentials and read the OTPs generated by the YubiKey, the Yubico Authenticator software is needed. ‼️

    Currently, the Yubico Authenticator is supported on Windows, Linux, macOS, Android and iOS. In order to restrict access to the OTPs, a password can be set for this application. Using the OATH application functions on iOS requires the Yubico iOS SDK.

    from https://support.yubico.com/hc/en-us/articles/360016614900-YubiKey-5-Series-Technical-Manual - scroll down to “OATH”

  • Hi,

    i found the missing part of the puzzle now. In the dev-documentation the most important sentence regarding OATH-TOTP with Yubico is:

    „For TOTP you need an application that can read OATH codes from YubiKeys, since YubiKeys does not have an internal clock.“ The Yubico Authenticator for Windows (iOS, Android).

    Source: https://developers.yubico.com/OATH/

    So this would not make sense to use a Windows or a Smartphone app + Yubikey. Authpoint has an app with push, we need that before Windows Logon.

    Thank you,
    Marc

    I will open a feature request case to support HOTP with Yubikey and mention AAAS-12937 in my additional case.
  • The YubiKey does need the authenticator app for TOTP but the advantage is that you then get mobility as the otp follows the key. So I use a key on a nfc pad at my desk and the Mac app, then tap to the phone app when away from desk
  • edited March 2021

    Hi Nic,

    can you tell me how (you made it work with Authpoint)?

    Yesterday there was a push authentication failure for several hours - "only for some clients" as confirmed by Watchguard DACH. For us, the Watchguard site was simply unreachable, no push notification was sent to any employee. So VPN-Auth was impossible! And just at begininning of the european working day!

    If push is not available: will HOTP/TOTP still work? And is the QR-Code token the only fallback authentication factor available? [Call the admin by phone for an auth-code is not a good idea if you have 100 users trying to access VPN).

  • edited January 5

    Some clarification on why we don't support HOTP, or event-based tokens. HOTP is much less secure, since it doesn't have the time component. Let's say you keep pressing the Yubikey token button, so it keeps spitting out OTPs (basically, a counter + seed goes into a HMACSH function). Write down 10 of those OTPs into a piece of paper. Now you have a paper token, in the form of a scratch list. Just use it in order, and you can use them at any time.

    An attacker that redirects you to a phishing website could convince you to type in a series of event-based OTPs, and use it any time later, multiple times. Could be done by phone, could be done by phishing.

    You could do this with 1 TOTP, but you would need to use it within a small time window, almost concurrently.

    Most HOTP or event-based tokens are not considered anymore, because of those security issues.

  • Good point noticing, Kimmo! There is a way you can enable TOTP with Yubikeys, it requires some external configs, but we have at least one customer with that working!

  • Hi Alexandre

    I would like to see even easier support for Yubikey, both how to enroll the Yubikey and how to use it….

    If you check the following SecurEnvoy & Yubikey youtube video,
    (from: 2:50 - 4:00 min)
    Is this something maybe also AuthPoint could support?

  • I'm not too familiar with Yubikey's enrollment process, but it seems they provide it in 2 ways:

    1. You use the personalization tool, in order to create the token key, and share it with the authentication backend.
    2. You use the YubiCloud OTP Service, which seems to be the case from this SecurEnvoy video. The OTP authentication is done outside their service, it relies on a 3rd party authentication provided by Yubico

    That could be an option, but we would need to align SLA and support, if something happens with their cloud application. In any case, I always prefer to authenticate ourselves, even for just OTP, because we know well how to handle time shifts, something that Duo for example doesn't know. We also prefer to import the seeds using PSKC format, not the seed completely in cleartext, like Duo and Microsoft, since anyone with access to that file could easily create software clones of it.

    In any case, it is in our roadmap FIDO2 integration.

  • Hi Alexandre

    Could you share how you created the Yubikey seed file, yk-pskc.py, that you refer to in your “Yubikey Hardware Token Integration with AuthPoint” guide.

Sign In to comment.