YubiKeys can be used for Multi-factor authentication (MFA) to the JumpCloud® User Portal. Yubico Authenticator for Desktop can be used with Windows® and Mac® machines.
Considerations:
- You can use the YubiKeys listed here with the Yubico Authenticator for Desktop. Identify your YubiKey.
- You can’t use YubiKeys in the Security Key series for JumpCloud TOTP MFA. YubiKeys in the Security Key series don’t support time-based one-time password (TOTP).
- YubiKeys used with JumpCloud TOTP MFA can’t be used with JumpCloud WebAuthn MFA. For WebAuthn MFA, use the YubiKeys in the Security Key series. Learn more: Set Up WebAuthn.
Prerequisites:
- The procedure outlined in this article uses a YubiKey that can be inserted into a USB or USB-C port. The following YubiKeys can be inserted into USB or USB-C ports:
- YubiKey 4C
- YubiKey 4C Nano
- YubiKey 5C
Setting Up Yubico Authenticator
The following procedure includes steps to be completed by both JumpCloud administrators and JumpCloud users. We recommend that administrators observe users as they complete the user-specific steps in this procedure.
- Requiring MFA for users – JumpCloud admin
- Downloading and installing the Yubico Authenticator for Desktop application on your Windows and macOS machines – JumpCloud user or admin
- Determining the state of the YubiKey – JumpCloud user
- Setting up YubiKey MFA in JumpCloud – JumpCloud user
- Setting up YubiKey MFA in Yubico Authenticator – JumpCloud user
After you complete the procedure, you can use YubiKey as a second factor for MFA.
To set up Yubico Authenticator MFA on a Mac or Windows device:
(JumpCloud Admin) Require MFA for users
- In the JumpCloud Admin Portal, go to the User Security Settings and Permissions sections of a user’s Details tab.
- Select Require Multi-factor Authentication on User Portal.
After you select this option, you can apply an enrollment period for the user as needed. Learn more about enrollment periods: Configure MFA for Your Org.
- Click save user. Users with MFA enabled for their account have an orange unlocked padlock icon in the TOTP MFA Status column of the JumpCloud Admin Portal Users list.
- After you save, the user receives an email message from JumpCloud-Notifications with the subject “TOTP MFA Now Enabled on your JumpCloud Account.” Users can click a link in this email or log in to the JumpCloud User Portal to set up TOTP MFA for their account.
(JumpCloud User or Admin) Download and install the Yubico Authenticator for Desktop
If a user doesn't have administrator privileges to install applications on their machines, the JumpCloud admin will have to install the Yubico Authenticator for Desktop application for the user.
- Download the Yubico Authenticator application from https://www.yubico.com/products/services-software/download/yubico-authenticator/.
- After downloading completes, install the application on the machine.
(JumpCloud User) Determine the state of the YubiKey
- Open the Yubico Authenticator for Desktop application on the Windows machine. The authenticator application shows a message that reads, “No YubiKey detected.”
- Insert the YubiKey into a USB port.
Mac - If Apple’s Keyboard Setup Assistant launches on your macOS machine, close the window.
- If the YubiKey is new, the Yubico Authenticator application shows a message that reads “No credentials found.” Users create a new set of credentials in Set Up YubiKey MFA in Yubico Authenticator below.
- If the YubiKey has been used previously, credentials for an existing user appear. If the key shown is currently in use by the user for other credentials, you can proceed with setting up YubiKey MFA for the user.
- Otherwise, reset the key by selecting Reset from the Yubico Authenticator File menu. You are warned that this action can’t be undone.
(JumpCloud User) Set Up YubiKey MFA in JumpCloud
- Log in to the JumpCloud User Portal: https://console.jumpcloud.com.
- Click Set Up Authenticator App.
- On the Set Up TOTP MFA Authentication dialog, click Continue.
- You are provided with a QR code and a long, alphanumeric TOTP key. You can either select and copy the key or use the Yubico Authenticator File > Scan QR Code option.
(JumpCloud User) Set Up YubiKey MFA in Yubico Authenticator
- Open the Yubico Authenticator application.
- From the File menu, select New Credential.
- In the New Credential dialog:
- For Issuer, enter JumpCloud User.
- For Account name, enter the user’s email address.
- For Secret Key, paste the TOTP key that was previously copied from the JumpCloud User Portal.
- Click Save Credential.
- In your browser, return to the JumpCloud User Portal Setup Multifactor Authentication dialog.
- Enter a subsequent pair of six-digit codes shown in the Yubico Authenticator application dialog. After you enter the six-digit codes, you are logged into JumpCloud and the Multifactor Setup Complete dialog appears.
- In the JumpCloud Admin Portal, the user now has a green locked padlock icon in the TOTP MFA Status column.
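What the Issuer, Account name and Secret Key fields and the pair of consecutive six-digit codes correspond to, as an added example (not JumpCloud or Yubico code): it parses a provisioning URI of the kind a TOTP QR code typically encodes and derives two successive RFC 6238 codes from the secret. The otpauth:// layout, HMAC-SHA-1 and the 30-second period are assumptions about the portal's output, and the sample URI is constructed from the RFC 6238 test secret.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: RFC 6238 test secret, not a real JumpCloud key.
SAMPLE_URI = ("otpauth://totp/JumpCloud%20User:user%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=JumpCloud%20User")


def parse_otpauth(uri):
    """Split an otpauth://totp URI into the New Credential dialog fields."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = parse_qs(u.query)
    issuer, _, account = unquote(u.path.lstrip("/")).rpartition(":")
    return {
        "issuer": q.get("issuer", [issuer])[0],
        "account": account,
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),   # assumed default
        "period": int(q.get("period", ["30"])[0]),  # assumed default
    }


def decode_secret(text):
    """Decode a pasted Base32 key, tolerating spaces, lower case, missing '='."""
    s = text.replace(" ", "").replace("-", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)  # raises binascii.Error on a mistyped key


def totp(key, unix_time, digits=6, period=30):
    """RFC 6238 TOTP with HMAC-SHA-1 (the algorithm assumed here)."""
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def consecutive_codes(uri, unix_time):
    """Return the code for the current time step and the one after it."""
    c = parse_otpauth(uri)
    key = decode_secret(c["secret"])
    return tuple(totp(key, unix_time + i * c["period"], c["digits"], c["period"])
                 for i in (0, 1))
```

Because the codes are a pure function of the secret and the clock, the TOTP key shown in the portal is the credential itself; saving it to the YubiKey rather than to a file keeps it off the workstation's disk.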
Using YubiKey as a Second-Factor for MFA
After Yubico Authenticator MFA is set up for a JumpCloud user, they can use their YubiKey to get a TOTP to log in to applications that require MFA.