Multi-factor authentication (MFA) - YubiKey
Using a YubiKey (or other physical MFA keys that support FIDO2) is not formally supported at present by the University, but they do work, and can be useful in some circumstances (e.g. if you work in an area where you can't get a reliable phone signal).
You can buy YubiKeys directly from the manufacturers, from online retailers, and also from Insight (YubiKey 5 series only at time of writing).
What should I get? §
- You want keys that support FIDO2. This includes the whole YubiKey range; every YubiKey supports both:
  - U2F
  - FIDO2
- As such, the Security key series are fine for O365, and pretty much any online service. These only come in USB-A or C form factors (both with NFC).
- The 5 series have the useful nano form factors, and more esoteric functionality.
- You don't need the FIPS or CSPN certified versions (or if you do, you'll know).
- We recommend you get at least two keys - one that you'll carry around, and one that stays safe (plugged into a system at home, in a safe, whatever).
Setup §
You have your new Yubikey(s), now what?
It is recommended you set a PIN on the keys before doing anything else. This can be done through Windows directly, but to minimise ambiguity it is recommended you use the YubiKey Manager. Download and install this on a trusted system (your laptop, desktop etc.).
- Plug one key at a time into the system.
- Note that Yubikeys can be a bit funny about USB hubs, docking stations etc. If you plug it into a docking station, hub etc. and it isn't recognised, try plugging it in to a port in the computer itself.
- Set the PIN for FIDO2. It is recommended that the PIN is fairly simple, say a 4-6 digit number that you will not forget (see the FAQ for justification).
- Plug in the next key and repeat. You could use the same PIN for all keys or different ones, depending how secure you feel and how good your memory is.
Once this is done, go to the Helpdesk and request that your account be enabled for FIDO2 keys (this assumes you already have MFA enabled on your account). Use the service catalog category IT -> MFA -> Multi-factor authentication help.
Once this request has been fulfilled, go to your Microsoft account settings at https://myaccount.microsoft.com/. Choose the Security info option, which takes you to https://mysignins.microsoft.com/security-info. If you choose Add method you should now have the option to add a security key.
The following is taken from https://support.microsoft.com/en-us/account-billing/set-up-a-security-key-as-your-verification-method-2911cacd-efa5-4593-ae22-e09ae14c6698
Also note that this requires a web browser that supports WebAuthn. Most mainstream browsers have had this for some time.
- Choose Security key and click Add.
- Choose the type of key you have. For a laptop/desktop we'll want USB device.
- In the Setting up your new sign-in method page, select Next.
- Insert the key into a USB port.
- You should then be asked for the PIN for that key.
- You should then be asked for a name for the key. This can be anything you want (it is not stored on the key itself). Choose a useful name, e.g. "Yubikey USB-A", "On keychain", or "Key 2".
- For other online services the setup will be very similar. The descriptive names you give to your keys can be different for each, but using the same (or similar) name for the same key is recommended.
Once you have finished you should see the key appear on the list of sign-in methods on the Security info page. You can now repeat the process to add further keys.
Once your keys are set up you should test them. The easiest way to do this is to sign out of any Microsoft accounts you have open in your web browser (or open a different browser) and try to sign in to Office 365. Unless you changed your default sign-in method in the Security info page this will ping your authenticator app/send you a text as usual, but you should be able to choose a different method, and use your key. It will ask you for the PIN of the key, and then ask you to touch the button on the key. This should then log you in - without a password!
Other online accounts §
If you have YubiKeys you might as well use them to secure your other email, social media accounts etc. Google, Facebook, Twitter etc. all support FIDO2 authentication. The workflow to register your key(s) is generally very similar to the Microsoft example. Once set up, most of them use a password + touch-key authentication sequence.
Note that you can't get a list of what services you have registered a FIDO2 key with from the key itself. It is a good idea to make a list of which websites you have registered with your keys. This means that when adding a new key you remember to add it to all the sites, and also if a key is lost or stolen you have the list of sites to remove that key from (this is also why you want to name your keys appropriately on each site).
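Keeping that list in a structured form makes the two chores above mechanical: working out which sites a newly added key still needs registering with, and producing the "go and remove this key" checklist when one is lost. The script below is an added example for this page, not part of the University's documentation or of any YubiKey tooling; the key labels, site names and per-site key names it contains are constructed sample data.

```python
"""Inventory of FIDO2 security keys and the sites each one is registered with.

Added example (not the University's or Yubico's code). All keys, sites and
per-site names below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Registration:
    site: str           # the online service, e.g. "Office 365"
    name_on_site: str   # the label you gave this key when registering it there


@dataclass
class SecurityKey:
    label: str                                   # your own label, e.g. "On keychain"
    registrations: list[Registration] = field(default_factory=list)

    def sites(self) -> set[str]:
        return {r.site for r in self.registrations}


def all_sites(keys: list[SecurityKey]) -> set[str]:
    """Every site that at least one key is registered with."""
    sites: set[str] = set()
    for key in keys:
        sites |= key.sites()
    return sites


def missing_registrations(keys: list[SecurityKey]) -> dict[str, list[str]]:
    """For each key, the sites (known from the other keys) it is not yet registered with.

    Run this after enrolling a new key so it gets added everywhere the others are.
    """
    everything = all_sites(keys)
    return {key.label: sorted(everything - key.sites()) for key in keys}


def revocation_list(keys: list[SecurityKey], lost_label: str) -> list[tuple[str, str]]:
    """(site, name_on_site) pairs to visit and remove if the key `lost_label` is lost or stolen.

    The per-site name matters because that is what the site's security page shows you.
    """
    for key in keys:
        if key.label == lost_label:
            return sorted((r.site, r.name_on_site) for r in key.registrations)
    raise KeyError(f"no key labelled {lost_label!r} in inventory")


def single_key_sites(keys: list[SecurityKey]) -> list[str]:
    """Sites where only one key is registered: losing that key loses the FIDO2 method there."""
    counts: dict[str, int] = {}
    for key in keys:
        for site in key.sites():
            counts[site] = counts.get(site, 0) + 1
    return sorted(site for site, n in counts.items() if n == 1)


# Constructed sample inventory: two keys, one not yet added to every site.
KEYS = [
    SecurityKey("On keychain", [
        Registration("Office 365", "Yubikey USB-A"),
        Registration("Google", "Yubikey USB-A"),
        Registration("GitHub", "keychain"),
    ]),
    SecurityKey("Key 2 (home)", [
        Registration("Office 365", "Key 2"),
        Registration("Google", "Key 2"),
    ]),
]

if __name__ == "__main__":
    for label, sites in missing_registrations(KEYS).items():
        print(f"{label}: still to register with {sites or 'nothing'}")
    print("Only one key registered at:", single_key_sites(KEYS))
    print("If 'On keychain' is lost, remove:", revocation_list(KEYS, "On keychain"))
```

Keep the real inventory somewhere you can reach without the keys themselves (it contains no secrets, only labels), and re-run `single_key_sites` whenever you add a service: any site it lists is one where the second key has not yet been enrolled.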