Yubico OTP is a type of One-Time-Password authentication based on a keyboard-emulating hardware device (Yubikey). OTPs are validated against an external server, either in the cloud or on premises.
Almost all Yubikeys sold by Yubico now support FIDO2. You are encouraged to use that type of second factor instead, since it is compatible with a much broader range of devices and is also more secure.
You must install the Auth::Yubikey_WebClient package.
You have to retrieve a client ID and a secret key from Yubico (see the Yubico API page).
In the manager (second factors), you just have to enable it:
Attention: if you want to use a custom rule for "activation" and keep self-registration, you must include has2f('UBK') in your rule, otherwise Yubico OTP will be required even for users who have not registered a key. This is done automatically when "activation" is simply set to "on".
If you don't want to use self-registration, set the public part of the user's Yubikey in the Second Factor Devices array (JSON) in your user database, then map it to the _2fDevices attribute (see exported variables):
[{"name" : "MyYubikey" , "type" : "UBK" , "_secret" : "########" , "epoch":"1524078936"}, ...]
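As an added example (not LemonLDAP::NG code), the Python helper below builds one such _2fDevices entry of type UBK from a sample OTP typed with the key, and mirrors the has2f('UBK') test used in the activation rule above. It assumes the _secret field holds the key's modhex public ID (the page shows that value masked); the sample OTP is constructed, not a real key's output.

```python
import json
import time
from typing import List, Optional

# Modhex alphabet used by Yubico OTP (chosen to survive keyboard layouts).
MODHEX = "cbdefghijklnrtuv"
OTP_BODY_LEN = 32  # the encrypted, per-press part is always 32 modhex chars

# Constructed sample: 12-char public ID followed by a 32-char body.
SAMPLE_OTP = "ccccccbkfhlj" + "dkjtrcnibrtchvcfnhvgrdgcegintjeh"


def public_id(otp: str) -> str:
    """Return the public ID prefix of an OTP as emitted by the key.

    Only this prefix identifies the key; the trailing 32 chars change on
    every press and must never be stored as the "public part".
    """
    otp = otp.strip().lower()
    if len(otp) <= OTP_BODY_LEN or len(otp) > OTP_BODY_LEN + 16:
        raise ValueError("unexpected OTP length %d" % len(otp))
    if any(c not in MODHEX for c in otp):
        raise ValueError("OTP contains non-modhex characters")
    return otp[:-OTP_BODY_LEN]


def ubk_device(name: str, otp: str, epoch: Optional[int] = None) -> dict:
    """Build one _2fDevices entry; epoch defaults to now, stored as a string."""
    return {
        "name": name,
        "type": "UBK",
        "_secret": public_id(otp),  # assumption: public ID lives here
        "epoch": str(epoch if epoch is not None else int(time.time())),
    }


def to_2fdevices_json(devices: List[dict]) -> str:
    """Serialise the device list as stored in the user database."""
    return json.dumps(devices)


def has2f(devices_json: str, dev_type: str) -> bool:
    """Equivalent of the has2f('UBK') rule: does any device have this type?"""
    devices = json.loads(devices_json) if devices_json else []
    return any(d.get("type") == dev_type for d in devices)
```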
If you have enabled self-registration, users can register their Yubikeys using https://portal/2fregisters