How to setup YubiKey with passbolt

Authored by: Support.com Tech Pro Team

1. Introduction


2. Set Up

Multi-Factor Authentication is part of Passbolt Pro only and is not available in the Community Edition.

Security considerations

It is important to enable and set up at least one additional multi-factor authentication provider in case the user loses their Yubikey or the YubiCloud service is temporarily unavailable.

During a login attempt, passbolt checks that the key ID of the Yubikey used by the user is the same one that was used during setup. To change the key (for example if the key was lost), a user will first need to disable the Yubikey provider in their settings.

Get a Yubikey cloud api key

In order to use Yubikey OTP, you need an API key for YubiCloud, Yubico’s web service for verifying OTPs. Please note that it is no longer possible to self-host the OTP validation server.

fig. Yubicloud registration

Before using YubiCloud, you need to get an API key from upgrade.yubico.com in order to prevent misuse of the service. You will need to authenticate yourself using a Yubikey One-Time Password and provide your e-mail address as a reference, as well as read and accept the terms of service.

Make sure YubiCloud URLs are whitelisted

In order to verify a Yubikey OTP, passbolt needs to connect to YubiCloud. Make sure you do not block outgoing connections from the passbolt server to the following domains:

  • api.yubico.com
  • api2.yubico.com
  • api3.yubico.com
  • api4.yubico.com
  • api5.yubico.com

Any one or more of these domains may be used when validating an OTP.

Set the configuration in passbolt

You can configure Yubikey OTP using either the admin interface, config files, or environment variables. If multiple settings providers are used, the settings in the admin interface override those in files. Similarly, the settings in files override environment variables.

Using the admin user interface

Since v2.6 a user interface is provided for administrators to set up MFA providers. Click on “administration” in the top menu, then “multi-factor authentication” on the left menu. You can then enable or disable the Yubikey provider by providing the user id and secret key that you gathered in the previous steps. Click “Save settings” when you are done.

fig. MFA organization settings for Yubikey

Using environment variables

If you are using docker, you can set these environment variables to configure your Yubikey:

Variable name                            Description            Type
PASSBOLT_PLUGINS_MFA_YUBIKEY_SECRETKEY   Yubicloud secret key   string
PASSBOLT_PLUGINS_MFA_YUBIKEY_CLIENTID    Yubicloud client id    integer

Using config file

In your install directory, you can add the following section to /etc/passbolt/passbolt.php:

    'plugins' => [
        'multiFactorAuthentication' => [
            'providers' => [
                'totp' => true,
                'duo' => false,
                'yubikey' => true
            ],
            'yubikey' => [
                'clientId' => '01234',
                'secretKey' => 'xx/xxxxxx/xxxxxxxxxxxx='
            ]
        ]
    ]
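As an added illustration (this is not passbolt's own code), the following Python shows the two things the sections above rely on: the login-time comparison of the Yubikey's key ID against the one recorded at setup, and how the clientId/secretKey pair is used to sign a YubiCloud verify request. A Yubikey OTP is 44 modhex characters, of which the first 12 are the key's public ID; the OTP, client id and secret key below are constructed sample values, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import secrets

# YubiKey OTPs are 44 modhex characters: a 12-char public ID that identifies
# the key, followed by a 32-char encrypted token that changes on every press.
MODHEX = set("cbdefghijklnrtuv")
PUBLIC_ID_LEN = 12
OTP_LEN = 44

# Constructed sample values (not real credentials or a real key).
SAMPLE_OTP = "cccccclvdfkb" + "ekdvhuhndbnlgifhvnfcuelkfuhirvjb"
SAMPLE_SECRET_KEY = base64.b64encode(b"constructed-test-key").decode()
SAMPLE_CLIENT_ID = 1234


def public_id(otp: str) -> str:
    """Return the public ID (key ID) of a well-formed OTP; raise otherwise."""
    otp = otp.strip()
    if len(otp) != OTP_LEN or any(c not in MODHEX for c in otp):
        raise ValueError("not a well-formed YubiKey OTP")
    return otp[:PUBLIC_ID_LEN]


def same_key_as_enrolled(otp: str, enrolled_id: str) -> bool:
    """The login-time check: the OTP must come from the key whose ID was
    recorded at setup. A malformed OTP simply fails the check."""
    try:
        return hmac.compare_digest(public_id(otp), enrolled_id)
    except ValueError:
        return False


def build_verify_params(client_id: int, secret_key_b64: str, otp: str,
                        nonce: str = "") -> dict:
    """Build the query parameters a YubiCloud client sends to /wsapi/2.0/verify.
    The secret key signs the request: h is the base64 HMAC-SHA1 over the
    "k=v" pairs sorted by key and joined with '&'."""
    nonce = nonce or secrets.token_hex(8)  # YubiCloud requires 16-40 chars
    params = {"id": str(client_id), "otp": otp, "nonce": nonce}
    message = "&".join(f"{k}={params[k]}" for k in sorted(params))
    key = base64.b64decode(secret_key_b64)
    digest = hmac.new(key, message.encode(), hashlib.sha1).digest()
    params["h"] = base64.b64encode(digest).decode()
    return params
```

The signature is what lets YubiCloud attribute the request to your client id, which is why the secret key must stay out of world-readable config and logs.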

Setting Yubikey for a given passbolt user account

Once you have the Yubikey integration configured and a Yubikey plugged into your computer, you can proceed with enabling Yubikey as the provider for your user account. It is important that you test this to make sure the integration works.

fig. MFA provider selection for passbolt user

When logged in to passbolt, go to your profile section and click on “Multi-factor authentication” in the left sidebar. You should see the list of providers that are enabled for this instance. Click on the Yubikey provider. Passbolt will then prompt you to touch your Yubikey to enter a one-time password.

The next time you try logging in from a new device, you will be presented with a Yubikey authentication prompt.