Yubico Forum

Apologies for the newbie questions, but I figured that it was easier to ask people that know what they're talking about than to keep banging my head against the wall!

First up, I've read the guide for configuring a YubiKey to work with YubiCloud (https://www.yubico.com/wp-content/uploa ... ration.pdf). Simple question - can you only configure slot 1 to work with YubiCloud, or could you use both slot 1 and slot 2? Specifically, if I configure slot 2 and upload it, does it overwrite the existing (slot 1) configuration or can I use both slots for YubiCloud authentication?

Secondly, I'm currently developing a MFA product and we want to add YubiKey integration. We already have a (PostgreSQL) database and a Java backend that's working with other MFA authentication methods. I've been looking into adding YubiKey support into the mix and I notice that there are a couple of different ways that I can authenticate with the YubiKey. One way is to use YubiCloud. Another option is to deploy my own YubiKey authentication server.

The problem with the server approach is that I can only find a tutorial that runs me through installing the server and the identity manager on Linux, which also includes a MySQL database. I don't need the identity manager or database (we already manage users in a PostgreSQL database in the existing product). I literally just need to validate the YubiKey OTP myself without having to go out to YubiCloud. I can't find an easy way to do that without having to install a lot of stuff that I don't need.

If I use the Java client (https://developers.yubico.com/yubico-java-client/), am I right in thinking that that authenticates against YubiCloud? Also, is JAAS integration necessary? Can't I just grab the key and fire it off to YubiCloud for authentication without having to hook into JAAS first?

I've also looked into the U2F server (https://github.com/Yubico/java-u2flib-server) but I'm not clear on whether I'll be able to actually use that. We'll be using a desktop client to prompt the user to authenticate but the U2F server seems to be geared towards using with a browser. Is U2F only available for browsers? I've been trying to read up on U2F but that part isn't particularly clear. Can U2F be used with a desktop client?

Apologies again for the stupid questions. There's a lot of information out there and I'm having trouble wrapping my head around it. All I'm after is the easiest way for me to get a user to authenticate using their YubiKey via a desktop client that I'll be writing. If the easiest way is to get them to get a YubiCloud API key and then use the Java client to authenticate, then I'll do that. I'd much prefer to handle the authentication myself without having to go out to YubiCloud but there doesn't seem to be an easy way to do that without having to install a bunch of stuff that I don't need in order to use the server.

Thanks for your help.

The two slots are completely separate, you can store two different Yubico OTP credentials each validating against the YubiCloud (or your own self-hosted validation server).


I'm not sure which guide you're referring to, but this is a good starting point: https://developers.yubico.com/OTP/Guides/Self-hosted_OTP_validation.html. You will need a database for the validation layer for counter data, but you can re-use your existing PostgreSQL DB if you wish, as yubikey-val supports it. The KSM (python-pyhsm) can be used with or without an SQL database.


That library can be used against the YubiCloud, or your own self-hosted instance. The JAAS plugin is a separate module which you would only use if you need JAAS. To just to OTP validation all you need is the v2 client module. The README contains information on using it.

While U2F was designed primarily for browser-based usage, it can be used from a desktop client as well. In addition to handling the server aspects of U2F, you will also need to handle the client aspects. We provide some libraries for this: https://developers.yubico.com/Software_Projects/FIDO_U2F/U2F_Host_Libraries/

There is some complexity of running a self-hosted validation server (credentials will need to be programmed into YubiKeys, those credentials need to be safely transported to the KSM, multiple instances may be needed for redundancy, which introduces sync, etc.), but you do not need to install anything that isn't required. The two parts which are required are the KSM and Validation servers, which the guide I pointed to explains in more detail. If you go with the YubiCloud route, you wouldn't use an API key per user. Rather your users would send the OTP to your backend to validate (presumably together with a username and password), and that backend would then use a single API key to validate the OTP against the YubiCloud.

Hope I've cleared things up!

Thanks for your help! It sounds as though the easiest way for me to proceed would be to use the Java client to validate using the YubiCloud. The thing that confused me about the YubiCloud was that I assumed that each user would have to have their own API key (I wasn't clear on how the OTP was being validated otherwise - I assumed that there was a link between the user/API and the YubiKey/OTP). If I can just use a single API key to validate a number of OTPs, then that would probably suffice. Much easier than rolling out our own validation server (although that's something that we might look into further down the line).

A couple of follow-up questions on that...

• The software that I'm working on is commercial software, so could potentially be used by thousands of end users from multiple different organizations. I'm guessing that using a single API key to validate thousands of OTPs wouldn't be a problem?
• Related to that - if I'm able to validate against YubiCloud, is there a compelling reason for having my own validation server? Would having my own validation server be more secure? I can't see why there are so many options for validation if you can just use the YubiCloud for everything.
• Finally, does the API key ever expire, or get withdrawn for any reason? If I'm using a single API key in a commercial application and it suddenly stops working, it means that (potentially) thousands of people won't be able to use their YubiKey as their second factor until we've shipped an update with a new API key. What's the risk involved in using a single key?

I haven't had much time to dig around with my YubiKey for the past week or so, so this is the first opportunity that I've had to follow up. I'll give it a try and see how things turn out. If I run into any problems, I'll come back and ask for further information. You've helped to clear things up a little for the moment, though.

Thanks again for your help.

It sounds like you've got a correct understanding of how it works. To answer your questions:

• Thousands of validations using the same API key isn't an issue. That is the recommended approach; One API key per distinct service.
  
• The reasons for running your own server are different in different cases. In some situations, using a cloud based validation server isn't possible due to policy or network restrictions. As long as you have no reason NOT to use the YubiCloud I don't see any real benefit to hosting your own.
  
• API keys do not expire and are not revoked in any automated way. We reserve the right to manually revoke API keys which are being abused in extreme cases, although I am not aware of any instance where this has happened. The terms and conditions of the service are available here: https://www.yubico.com/terms-conditions/

That's great - thanks for your help! I'll mark the question as solved and if I run into any issues, I'll ask more questions later. I think I have enough to go on for the time being though.

Quick follow-up... Would I be breaking any copyright rules if I stripped the code out of the Java client and rewrote it, or do I need to use it as-is? I'm pretty sure that I'm safe to rip it apart given that there are guides on writing clients (https://developers.yubico.com/yubikey-v ... ients.html) and how the validation protocol works (https://developers.yubico.com/yubikey-v ... _V2.0.html) and the Java client relates to both of those. Just wanted to double check!

The Java code is released under the BSD 2 clause license (https://github.com/Yubico/yubico-java-c ... er/COPYING), which is quite liberal in what you're allowed to do with it.