Using YubiKeys with Azure MFA OATH-TOTP

Introduction

These instructions show how to use YubiKeys with Azure Multi-Factor Authentication (Azure MFA).

Objectives

  1. Register a YubiKey to a user account in Azure AD as an OATH-TOTP token.

  2. Authenticate using a YubiKey as an OATH-TOTP token.

Before you begin

  1. Have a compatible YubiKey.

  2. Install the Yubico Authenticator on your mobile device and/or workstation.

Since the YubiKey does not contain a battery it cannot track time and will require software to generate OATH-TOTP codes. Yubico provides Yubico Authenticator for all major platforms (Windows, MacOS, Android, and iOS) to display the one time passcodes generated on the YubiKey.

Register a YubiKey

  1. Open a browser window and navigate to your Microsoft Profile.

  2. Sign in to your account. 

  3. Select Security Info in the left navigation or Update Info in the Security Info tile.

    Security Info tab highlighted in the left navigation
  1. Select Add Method.

    Add method button shown highlighted in the security info section
  1. Select Authenticator app.

  1. Make sure to select “I want to use a different authenticator app”.

  1. Select Next.

  2. You will now see a QR code displayed on the screen.

  3. Insert your YubiKey and open Yubico Authenticator. Select Add or click on the three vertical dots in the top right corner. If the QR Code is visible, it will automatically fill in the fields required.

  1. Select Add.

  1. Double-click the Microsoft entry to copy the code to your clipboard. If successful, the message displays Code copied to clipboard. Note: if you selected Require Touch in the previous step you must touch your YubiKey to copy the code.

  1. Back in your internet browser window paste the code in the box and click Next.

  1. Select Done. You have now successfully registered your YubiKey to your account!

Use a YubiKey to sign in

It is simple to use your YubiKey as an OATH token to sign in to a Microsoft site, or site that has been federated to Azure AD. Generating the YubiKey OTP code to sign in can be done on any device where the Yubico Authenticator is installed (Linux, MacOS, Microsoft Windows, Android, and iOS).

Before you begin

Website sign in

  1. Open the Yubico Authenticator application.

  2. Insert the YubiKey into the device.

  3. Sign into a Microsoft site with a username and password.

  4. Double click the code in Yubico Authenticator application to copy the OTP code.

  5. Paste the code into the prompt.

  1. Select Verify to complete the sign in.

Troubleshooting

Listed below are some common troubleshooting tips.  In addition, you can visit Microsoft’s “Troubleshooting Azure Multi-factor Authentication issues” site.

QR code not recognized by Yubico Authenticator

  • If one does not click I want to use a different authenticator app when setting up TOTP MFA via self-service, the QR code produced will only be readable by Microsoft Authenticator. When trying to scan such a QR code, Yubico Authenticator for desktop will indicate that no QR code is visible on screen (No QR code found on screen), Yubico Authenticator for iOS version will produce the error Error occurred - Invalid URI format, and Yubico Authenticator for Android, The scanned barcode is invalid.

Another OATH token cannot be added.

  •  Microsoft specifies that up to five MFA tokens can be associated with one account.  The limit applies to hardware and software OATH-TOTP implementation including Microsoft Authenticator apps. For example, you can associate three YubiKeys, one Microsoft Authenticator app, and a phone number to an individual account if no other OATH token is being used.

If you have questions about using your Yubikey for Microsoft MFA, please contact the ITS Service Center by email or by calling (716) 673-3407.