YubiKey Based Two-Factor Authentication

Purpose

Two-Factor Authentication is a secure authentication service which supports CSCF staff in gaining privileged access to the services which they maintain. Privileged access includes becoming root user on key UNIX type systems or logging into key management servers from off campus. Other examples include privileged access to a web-based application or read/write access to a network device such as a switch/router or firewall.

NOTE: A user account still requires authorization for privileged access even with two-factor authentication.

The Two Factors

As the title implies, two-factor authentication is dependent upon two requisite components both of which must be validated before authentication is successful. These are commonly referred to as "What I Know" and "What I Have".

• User Login Password - "What I Know"

  This is a classic user password. In our case this password is the user's login password: the password used by the user to login to a system under their username. Normally its validity is authenticated by our Directory Service which is currently a Microsoft Windows Server 2012 Active Directory environment.

• YubiKey Generated One Time Password (OTP) - "What I Have"

  A Yubico YubiKey is a personal USB device assigned to and carried by the user and connected to the terminal through which the user is running their session. Most computers interpret the key as a secondary keyboard device.

  YubiKey OTP validation is event driven. By tapping the key's button, the YubiKey generates a twelve (12) character device identifier code followed by a thirty-two (32) character one time password (OTP). The device code associates the YubiKey to a specific user object (account) in our Directory Service and ensures that a specific key can only be used by the user to which it is assigned. The OTP is validated through a web based YubiKey validation service separate from our Directory Service.

  A standard CSCF YubiKey can be obtained from CSCF's Two-Factor service manager (Clayton Tucker, ctucker@cs.uwaterloo.ca) who will personalize the key, enter its identifiers into the CSCF OTP Validation service and associate the key with the requesting user's Directory Services account.

YubiKey Usage

The example below is the most common use of CSCF Two-Factor, becoming root on a CSCF managed system via the sudo command. But all implementations of YubiKey two-factor employ the same user interaction.

• Insert your personal YubiKey into a USB port on your terminal - the LED in the centre of the YubiKey button should illuminate..
• Enter the sudo command at the command prompt - most often the sudo -s command.
• You will receive a special password prompt requesting your YubiKey: YubiKey for 'username':
  1. Type in the same password you used for login - DO NOT press RETURN afterwards.
  2. Tap the button on your person YubiKey in your terminal's USB port.
     As with a password, the OTP will not appear on screen.

Your password will be sent to a relevant domain controller for authenitcation. Your YubiKey's OTP will be sent to CSCF's YubiKey validation service for separate validation. If both services respond positively then your two-factor login will succeed. In the case of a sudo operation the on screen output will appear as follows.

username@host-202:~$ 
username@uhost-202:~$ sudo -s
YubiKey for 'username': <user's login password><press yubikey button> 
root@host-202:~#

-- ClaytonTucker - 2015-07-23