YubiKey OATH Token Enrollment



About OATH Tokens


The lab uses OATH tokens on YubiKeys as another means of multi-factor authentication (MFA). This MFA method can be used to connect to the Virtual Private Network (VPN) and to the login nodes (such as login.jlab.org, acclogin.jlab.org, scilogin.jlab.org, hallgw.jlab.org) used to get to Farm and QCD interactive nodes, and when logging into jlab.org on the web. Unlike MobilePASS, MobilePASS+, or Google Authenticator, which are apps that can be installed on your phone, OATH tokens require a YubiKey, a hardware device issued by the CST Helpdesk (the same device we put Smart Cards on, if you have one).

To obtain an OATH token:

  1. If you already have a YubiKey, please email helpdesk@jlab.org requesting an OATH token be assigned to it, noting the Serial Number written in small numbers on one side of the YubiKey.
  2. If you do not have a YubiKey, please visit the helpdesk in person at the F-Wing of the CEBAF Center.

When in doubt, please consider visiting the helpdesk in person for help enrolling this hardware token. Some small form-factor YubiKeys are known to have issues and need reconfiguring, which we must do with the YubiKey plugged into a computer at the helpdesk.

 

Setting Up Your OATH Token


1. Acquire a YubiKey

YubiKeys are provisioned in-person at the CST Helpdesk in most cases. Some remote users have theirs mailed to them. 

2. Provide the Serial Number of the YubiKey

On the side or back of the YubiKey, there should be an 8-digit serial number. Please share this with the helpdesk, and we will use this number to assign the token to you.

 

3. Initialize the Token

Once the token is assigned, an initial 6-digit PIN will be associated with it. Visit vpn.jlab.org, leave the dropdown as 'JLAB-CryptoCard-Token', and log in:

Username: Your JLab CUE Username

Password:

  1. Plug the YubiKey into your machine
  2. Type your initial 6-digit PIN into the password box
  3. Tap the golden sensor on the YubiKey to append your OATH token's 6-digit One-Time Passcode (OTP) to your PIN
    1. The OTP should end with a carriage return, which often presses 'Enter' or submits your login for you

4. Set Your Own PIN

After the initial login, you should be prompted to set your own PIN. Enter a 6-8 digit number; this is the PIN you will type before tapping the YubiKey whenever you authenticate with this OATH token.

 

How do I sign in using an OATH Token?


Username: JLab CUE Username

Password: OATH Token PIN, followed by the OTP entered by tapping the gold YubiKey sensor

Your username will be the same one you use for the 'jlab' wifi and jlab.org, but your "password" will be the PIN that you set, followed by the auto-generated OTP from tapping your YubiKey's golden sensor, with no spaces in between.
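The following Python is an added example, not part of the original page and not the lab's own verifier. It shows how a verifier can take the single password field described above apart (6-8 digit PIN, then a 6-digit OTP, then the key's carriage return) and check the OTP. Assumptions: the token is event-based OATH-HOTP (RFC 4226); the function names, the look-ahead window of 5, and the RFC 4226 test secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

OTP_DIGITS = 6           # the page describes a 6-digit OTP
PIN_MIN, PIN_MAX = 6, 8  # the page describes a 6-8 digit PIN


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_credential(field: str):
    """Split the password field into (pin, otp), or return None if malformed."""
    field = field.rstrip("\r\n")  # the key ends its output with a carriage return
    if not (field.isascii() and field.isdigit()):
        return None
    if not PIN_MIN + OTP_DIGITS <= len(field) <= PIN_MAX + OTP_DIGITS:
        return None
    return field[:-OTP_DIGITS], field[-OTP_DIGITS:]  # OTP is always the tail


def verify(field: str, pin: str, secret: bytes, counter: int, window: int = 5):
    """Return the counter to store after a successful login, else None.

    The look-ahead window tolerates taps made outside a login; advancing the
    stored counter past the matched value is what rejects a replayed OTP.
    A production verifier would hold a salted hash of the PIN, not the PIN.
    """
    parts = split_credential(field)
    if parts is None:
        return None
    got_pin, got_otp = parts
    pin_ok = hmac.compare_digest(got_pin, pin)
    for c in range(counter, counter + window + 1):
        if hmac.compare_digest(got_otp, hotp(secret, c)) and pin_ok:
            return c + 1
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real key
    print(verify("123456755224\r", "123456", secret, 0))  # first tap accepted
    print(verify("123456755224\r", "123456", secret, 1))  # replay rejected
```

Because the OTP has a fixed length, the PIN can vary between 6 and 8 digits without a separator, which is why the page asks for no spaces between the two.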

 

Acronyms