Yubico Forum

Hi all.

Just got my first YubiKey and plan to use them along with YubiRADIUS and Cisco ASA.

Is there some way to protect my exposed webmail application from the Internet with YubiKey's OTP? I mean, is it possible to set up some kind of a front-end to it, that only allows valid YubiKey users through to the login window?

Hello,

At a high-level the Yubico technology and ecosystem comprises of following main parts:

a. YubiKey hardware token that generates one time passwords (OTPs)
b. Yubico Validation server that validates the OTPs generated by YubiKeys and
c. Validation Protocol that defines the client-server communication protocol between the clients and Yubico Validation server

The link http://www.yubico.com/technical-description gives an overview and details of various components mentioned above. This page has several links on the left side for further reading on each component.

We further recommend the following links:

1. For more information on Yubico Validation Server please visit http://www.yubico.com/validation-server and look for Yubico PHP server which is free open-source project you can download and deploy in your environment to meet your requirements. The Validation server has a dependency on key storage module for secure storage of Secret AES keys. Yubico YK-KSM is an open-source implementation of secure key storage module and YubiHSM is hardware based solution that offers much stronger security of the key storage module. Please visit http://www.yubico.com/yubihsm for more information on YubiHSM.

2. Yubico also offers open-source client implementation in a number of programming languages (including for .NET) to make it easy for customers to implement YubiKey based strong 2 factor authentication. Please visit http://www.yubico.com/web-api-clients for more details on the validation clients and links to Validation Protocol.

3. Most relevant to your needs could be YubiRADIUS solution from Yubico which is enterprise class software for secure remote access with YubiKey two-factor authentication. It provides 3 potential ways of integrating YubiKey based authentication into your environments:
a) RADIUS
b) Web API for YubiKey based two-factor authentication. (In both a) and b) one of the factors for authentication is standard username + password based on AD binding and the second factor is YubiKey OTP)
c) Web API for validating the YubiKey OTPs

The solution is based on FreeRADIUS and open source components and is offered as a free virtual appliance for easy download and quick installation. YubiRADIUS virtual appliance has a pre-configured instance of the Yubico PHP validation server that can be used for OTP validation and an option to use YK-KSM and YubiHSM for secure key storage.

4. Finally, Yubico offers guidelines and best practices on how YubiKey based two-factor authentication can be implemented. Please visit http://www.yubico.com/development-guidelines for more details.

Hope this helps.

Thanks and best regards,
Samir.

Hello Sir,

Can you provide us with some more information about your webmail application?

Are you using OWA, Gmail or another application. Due to the different methods used by various webmail apps to connect to the web, you will need to approach this solution differently. Any additional information you may provide will help!

Thanks!

_________________
-David Maples
Yubico Senior Solutions Engineer
http://www.Yubico.com

Its OWA on Exchange 2010.

Would it be possible to set up a PHP app that would authenticate the keys and then forward requests to OWA?

Use TMG 2010. You won't have access to ActiveSync unless you have two external IPs for two different listeners tho.