OATH Walk-Through

The YubiKey supports Open Authentication (OATH) standards for generating one-time password (OTP) codes. Configure the YubiKey to generate the OTP for users to enter as their passcode.

The YubiKey-generated passcode can be used as one of the authentication options in two-factor or multi-factor authentication. The user’s login credentials are typically the other half of the two-factor authentication. Go to Two Factor Auth (2FA) for a list of software and web sites that support two-factor authentication.

Requirements

Implementation Methods

The configuration steps below apply to both of the authentication methods:

  • Time-based One-Time Password algorithm (TOTP) — Requires an application that can read OATH codes from YubiKeys. Uses a timestamp to calculate the OTP code.

  • HMAC-based One-time Password algorithm (HOTP) — Can be configured using the YubiKey Manager as a GUI, or as a CLI. Uses an authentication counter to calculate the OTP code.

Configure YubiKey for Android

Use the Yubico Authenticator app to read OATH codes from your YubiKey over NFC or over USB (Android app for OATH).

Step 1: If using USB, verify USB connection requirements:

Step 2: From Google Play, download the Yubico Authenticator app to your device.

Step 3: Add app for Android device to read OATH codes from YubiKey.

a) Build the APK to install on the Android device. From the device command line, run the gradle command to build the Android Studio app.

./gradlew assemble

The compiled file is stored in the directory, ``app/build/outputs/apk``.

b) Manage OATH credentials by command. See YKOATH protocol specification. The YKOATH protocol includes commands for: Select, Put, Delete, Set Code, Reset, List, Calculate, Validate, Calculate All, Send Remaining.

Step 4: Add credentials to the YubiKey:

a) Select the credential method: scan a QR code or enter Base32-encoded secret. On the YubiKey, tap the + to select the option.

b) Tap the YubiKey or connect it to display the codes.

Configure YubiKey for Windows, OS X, or Linux with YubiKey Manager (GUI)

The Yubico Authenticator for Desktop enables you to read OATH codes from your YubiKey over USB. Support the newer OATH implementation as well as the older slot-based implementation.

Step 1: Verify supported version:

  • Windows 7 or later

  • macOS High Sierra 10.13 or later

  • Ubuntu 16.04 LTS or later

Step 2: For Linux, ensure the ``pcscd`` service is installed and running.

Step 3: If using USB, verify USB connection requirements:

Step 4: Download the YubiOATH Desktop.

Step 5: Add credentials to the YubiKey:

a) Select the credential method: Scan a QR code or enter Base32-encoded secret. On the YubiKey, tap the + to select the option.

b) Tap the YubiKey or connect it to display the codes.