How to mass program YubiKeys for Duo


#1

We were looking to deploy YubiKeys for our clients en masse, and it was quite tedious to follow the official documentation and manually generate each secret and program each key.

I’ve developed this easy guide to automatically generate keys and save them to a Duo-compatible file as soon as they’re plugged in.

  1. Download and install the YubiKey Personalisation Tool from the Yubico website.
    https://developers.yubico.com/yubikey-personalization-gui/Releases/yubikey-personalization-gui-3.1.25.exe

  2. Open the Personalisation Tool and select “Update Settings.” Under Logging Settings change the format to Flexible and, in the box to the right, enter the following format string (one log line per programmed key: serial, private ID, AES secret):
    {serial}, {pvtIdTxt}, {secretKeyTxt}

  3. Insert the first YubiKey into a free USB port and wait until the software detects it and shows “YubiKey is inserted” at the top right of the window.

  4. Select “Yubico OTP” at the top right – then select Advanced.

  5. Select “Configuration slot 1”, then tick the boxes for “Program multiple YubiKeys” and “Automatically program YubiKeys when inserted”. Change the Parameter Generation Scheme to “Randomize all parameters” so that every key gets its own private ID and AES secret rather than sharing values between tokens.

  6. Under Yubico OTP Parameters click the three Generate buttons one after the other, then select “Write configuration”.

  7. Save the configuration log to the server in a safe place; we’ll need it later. Every line of this log contains a token’s AES secret and private ID, which is all that is needed to forge valid OTPs for that key, so treat the file like a password store, restrict who can read it, and delete it securely once the tokens have been imported into Duo.

  8. At the bottom of the window you’ll see that the YubiKey has been configured successfully. If you’re configuring more than one, unplug the current key and plug in the next one, then remove it once it has been programmed. Repeat until all keys are programmed.

  9. Click “Stop” when you’ve programmed all the YubiKeys.

  10. Close the Personalisation Tool, then navigate to the directory where you saved the configuration log and open it in Notepad++ or a similar text editor (not Notepad). Select the whole file and copy it to your clipboard.

  11. Log into the Duo Admin Panel with an account that has User Manager permissions or higher.

  12. Select “2FA Devices”, then “Hardware Tokens”. Click “Import hardware tokens” at the top right.

  13. Change the token type to “YubiKey AES”, then paste all of the configuration log data into the box underneath.

  14. Click “Import hardware tokens”. You’ll then see “hardware token imported” at the top.

  15. Go to “Users” and select the user.

  16. Scroll down to “Hardware tokens” and attach one.

NOTE: If Duo rejects the import with a red banner telling you to contact Support, prefix every serial number in the pasted data with a 0 and try the import again.
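Before pasting a log produced by the procedure above into Duo, it is worth checking it: a line with the wrong field count, a non-hex private ID, or two tokens that ended up with the same AES secret (which would happen if the generation scheme was not set to randomize everything) should never reach the import box. The script below is an added example, not part of the original post or of Yubico’s or Duo’s tooling. It assumes the log was written with the Flexible format string from step 2 (“{serial}, {pvtIdTxt}, {secretKeyTxt}”), that Duo’s YubiKey AES import accepts bare “serial,private_id,aes_key” lines, and that the leading-zero workaround from the note is applied by prefixing the serial. The sample log is constructed; the keys in it are not real.

```python
"""Validate and normalise a YubiKey Personalisation Tool log for Duo's YubiKey AES import.

Added example (not from the original post). Assumes the log format
"{serial}, {pvtIdTxt}, {secretKeyTxt}" and a Duo import format of
"serial,private_id,aes_key", one token per line (assumption, see lead-in).
"""
import re
import sys
from collections import Counter

_HEX = re.compile(r"^[0-9a-f]+$")

# Constructed sample log. Line 4 shares its AES key with line 2 (a shared secret
# between two tokens); line 5 has a private ID that is not hex. Not real keys.
SAMPLE_LOG = """\
1234567, 8ab2f0c41d9e, 6f3a1c9e2b4d7f8a0c1e2d3b4a5f6e7d
1234568, 4e1c7a9b2d3f, 0123456789abcdef0123456789abcdef

1234570, a1b2c3d4e5f6, 0123456789abcdef0123456789abcdef
1234571, zz1c7a9b2d3f, FEDCBA9876543210FEDCBA9876543210
"""


def parse_log(text):
    """Return (line_no, serial, private_id, aes_key) tuples, hex lower-cased, blank lines skipped.

    A line with the wrong number of fields is kept with None fields so validate() can report it.
    """
    rows = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip().lower() for f in line.split(",")]
        if len(fields) != 3:
            fields = [None, None, None]
        rows.append((line_no, fields[0], fields[1], fields[2]))
    return rows


def validate(rows):
    """Return a list of (line_no, message) for rows Duo would reject or that must not be imported."""
    problems = []
    serial_counts = Counter(r[1] for r in rows)
    key_counts = Counter(r[3] for r in rows)
    for line_no, serial, pvt_id, key in rows:
        if serial is None:
            problems.append((line_no, "expected 3 comma-separated fields"))
            continue
        if not serial.isdigit():
            problems.append((line_no, "serial is not numeric"))
        if len(pvt_id) != 12 or not _HEX.match(pvt_id):
            problems.append((line_no, "private ID must be 12 hex chars (6 bytes)"))
        if len(key) != 32 or not _HEX.match(key):
            problems.append((line_no, "AES key must be 32 hex chars (16 bytes)"))
        if serial_counts[serial] > 1:
            problems.append((line_no, f"serial {serial} appears {serial_counts[serial]} times"))
        if key_counts[key] > 1:
            problems.append((line_no, "AES key is shared with another token"))
    return problems


def to_duo_import(rows, pad_serial=False):
    """Render rows as the text to paste into Duo's "Import hardware tokens" box (type YubiKey AES).

    Raises ValueError if validate() finds anything, so a bad log never reaches the admin panel.
    pad_serial=True prefixes every serial with "0", the workaround described in the note above.
    """
    problems = validate(rows)
    if problems:
        raise ValueError("; ".join(f"line {n}: {m}" for n, m in problems))
    out = []
    for _, serial, pvt_id, key in rows:
        if pad_serial:
            serial = "0" + serial
        out.append(f"{serial},{pvt_id},{key}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python check_log.py configuration.log [--pad]   (falls back to the sample log)
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    text = open(args[0], encoding="utf-8").read() if args else SAMPLE_LOG
    parsed = parse_log(text)
    try:
        sys.stdout.write(to_duo_import(parsed, pad_serial="--pad" in sys.argv))
    except ValueError as err:
        print(f"refusing to emit import data: {err}", file=sys.stderr)
        sys.exit(1)
```

Run it against the real log before step 13 and paste its output instead of the raw log; rerun with --pad if Duo shows the “contact Support” banner. Because the script reads the AES secrets, run it on the same host where the log is stored rather than copying the log elsewhere.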