Using YubiKey for Secure Login Authentication to LuxSci
LuxSci supports a range of options for securing your access to the web interface. These include two-factor authentication (via email, SMS, or via integration with DuoSecurity), Social Logins (e.g. using your Facebook, LinkedIn, Google+, Yahoo, Twitter, MSN, etc. account as your login), OpenID, and IP access restrictions (so you can limit access to your computer, region, or country).
What many don’t know is that you can also use a YubiKey (by Yubico), a very popular secure hardware token that plugs into your computer’s USB port (or uses NFC in some cases, so you don’t have to plug it in) and lets you verify your identity through its presence.
At LuxSci, you can use your YubiKey as your login to WebMail or for two-factor authentication. This capability is not new; it has been possible for years, but it is not as well known as it should be.
How to enable YubiKey Logins for LuxSci
- Login to LuxSci normally using your username and password
- Go to your Account > Security > Social Login/OpenID configuration page
- Click on “Add a Social Login or OpenID”.
- Choose “OpenID” from the dialog box
- You will get a pop-up window asking you for your “OpenID” address
- Enter the OpenID address for your YubiKey
- This will be: http://openid.yubico.com/server.php/idpage?user=YUBIKEYID
- Authenticate yourself with your YubiKey
- Done — you can now login to LuxSci using just your YubiKey.
How to Login with your YubiKey?
- Go to https://webmail.luxsci.com
- Click on “Social Login/OpenID”
- Choose “OpenID”
- Enter your YubiKey OpenID if it is not already pre-filled
- Authenticate with your YubiKey
- You are in!
How to Turn Off Username/Password Logins?
For added security, you can disable use of your username/password as a means of logging in to your LuxSci WebMail account — so the only valid login scheme is use of your YubiKey. To do this,
- Return to your Account > Security > Social Login/OpenID configuration page in LuxSci.
- Check the box “Restrict Web Interface logins to the use of Social/OpenID logins only.”
- Press “Update”
Once you do this, you will only be able to login to WebMail using one of the Verified OpenIDs / Social Logins that you have enabled here. This setting does not affect access via POP, IMAP, SMTP, FTP, or ActiveSync… only WebMail.
What about YubiKey for Two Factor Authentication?
YubiKey is especially popular as a second factor for logging in to accounts. E.g. you enter your username and password, and then you validate yourself via your YubiKey and you are in. This is better because it doesn’t grant someone access just because they grabbed your YubiKey!
LuxSci supports two factor authentication with YubiKey via integration with DuoSecurity. If you have not yet done so:
- Get your account with DuoSecurity (it’s free for up to 10 people, and inexpensive for more).
- Login to your DuoSecurity account
- Choose “Integrations”
- Create a “+ New Integration”
- Select integration type of “Web SDK”
- Call the Integration Name “LuxSci” (or whatever you like) and press “Create Integration”
- Copy the Integration key, Secret key, and API hostname
- Login to LuxSci as an account administrator
- Go to “Account > Advanced Administration > Security > Duo Security Two Factor”
- Enter the keys and hostname
- Set the Status to “Required” or “Optional” (depending on whether all users in your account must use it, or whether they can self-select use of Duo).
- If you chose “Optional”, then go to your “Account > Security > Two-Factor Authentication” page and select “DuoSecurity” as your Two Factor authentication method of choice.
This enables Duo Security for Two Factor Authentication at LuxSci. Once you have your YubiKey, you can login to your Duo Security account and add this as a valid authenticator:
- Login to DuoSecurity
- Click on “Devices”, then “Hardware tokens”
- Click “+ Import Hardware tokens”
- Choose “YubiKey AES” as the device type
- Enter the “CSV token data” as per the instructions on the page (you will need your YubiKey serial number, private identity, and secret key).
- Press “Import Hardware Tokens”
- Click on Users
- Click on the user login in question
- Click on “+ Add Hardware Token”
- Associate the newly added YubiKey with this user as a valid authentication device.
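To show why the import above asks for the private identity and the secret (AES) key, here is an added example, not LuxSci’s or Duo’s code, of the check a validator performs on each YubiKey OTP using exactly those two values. It follows Yubico’s published OTP layout (a 12-character modhex public ID followed by one AES-128-encrypted block holding the private ID, counters and a CRC); the function names, error strings and any sample values are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"errors"
	"strings"
)

const modhex = "cbdefghijklnrtuv" // the 16 letters a YubiKey types for hex digits 0-f

// crc16 is the ISO 13239 CRC stored (inverted) in the last two token bytes;
// over an intact 16-byte token it always leaves the residue 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, x := range b {
		crc ^= uint16(x)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ (0x8408 & -(crc & 1)) // shift; xor polynomial if low bit was set
		}
	}
	return crc
}

// VerifyOTP checks a 44-character OTP as a validator holding the imported token data does:
// decrypt with the AES secret, check the CRC, compare the private identity. It returns the
// public ID and use counter; callers must reject a counter not above the last accepted (replay).
func VerifyOTP(otp string, aesKey [16]byte, privateID [6]byte) (string, uint16, error) {
	if len(otp) != 44 {
		return "", 0, errors.New("otp: expected 44 modhex characters")
	}
	raw := make([]byte, 16) // chars 0-11 are the cleartext public ID; 12-43 the AES block
	for i := 12; i < 44; i++ {
		v := strings.IndexByte(modhex, otp[i])
		if v < 0 {
			return "", 0, errors.New("otp: invalid modhex character")
		}
		raw[(i-12)/2] = raw[(i-12)/2]<<4 | byte(v)
	}
	block, _ := aes.NewCipher(aesKey[:]) // cannot fail for a 16-byte key
	block.Decrypt(raw, raw)              // one AES-128 block, decrypted in place; no mode or IV
	if crc16(raw) != 0xf0b8 {
		return "", 0, errors.New("otp: CRC mismatch (wrong AES key or corrupted OTP)")
	}
	if !bytes.Equal(raw[:6], privateID[:]) {
		return "", 0, errors.New("otp: private identity mismatch")
	}
	return otp[:12], binary.LittleEndian.Uint16(raw[6:8]) & 0x7fff, nil // use counter; top bit is a flag
}
```

A real validator also records the highest use counter seen per public ID and refuses anything at or below it, which is what makes a captured OTP worthless a second time.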
We really do recommend using DuoSecurity for business-class two-factor authentication for many reasons, including:
- Centralized user management
- Support for Apps on many phones
- Multiple types of authentication: e.g. SMS, phone call, push to app, and hardware tokens. You can have multiple enabled so that you have backup options (e.g. if your phone is destroyed).
- Administrators can define override codes to let someone in “just in case”.
- Great logging and reporting of use (which is very good for compliance).