Medium-Scale implementation

In this procedure, the administrator configures only the YubiOn Portal settings, while users set up their individual PCs themselves. Medium-scale implementation is recommended for around one to a hundred PCs. Please read the notes before proceeding with the implementation.

1. Notes

  • Be sure to check the system requirements before proceeding with the implementation.
  • Check here for available YubiKeys.
  • Windows administrative privileges are required for setting up the PC.
  • Do not change the configuration of Slot1 on the YubiKey.
    YubiKey has two configurable Slots with features such as One Time Password (OTP) and Challenge Response (used in offline authentication).
    • Slot1: The initial state is configured to Yubico OTP.
      If you change your Slot1 information, you will not be able to use it on YubiOn Portal.
    • Slot2: The initial state is unconfigured.
      If the offline authentication is used, a challenge response setting is required in Slot2.
  • Prior preparation is required to enable offline authentication of the PC.
    Before distributing YubiKey to users, please refer to YubiKey offline settings to configure YubiKey.
  • About the PC identification ID
    YubiOn Portal uses SID or UUID as a terminal identification ID.
    The default identification ID in each OS is as follows:
    • Windows: SID
    • macOS: UUID
    *If you have a duplicate Windows SID due to PC kitting or other reasons, you will not be able to use YubiOn Portal. If your SID is duplicated and unavailable, please contact us.

2. Implementation flow

  1. Portal registration
    [Administrator Action] Register for the YubiOn Portal. After registration, purchase a paid plan (Standard or higher).
  2. Member registration / Email notifications
    [Administrator Action] Register users (members) in YubiOn Portal and send email notifications for setup.
  3. Setup
    [User Action] Change the password, register the YubiKeys, and install the software on the PC.
  4. Service settings
    [Administrator Action] Configure the service settings for two-factor authentication.
  5. Start Using

3. YubiOn Portal registration

Skip this step if you have already registered.

3-1. New registration

Register your customer information through the YubiOn Portal registration page.

After registering, you will receive a confirmation email.
Click the link in the email to confirm your registration.

3-2. First login

From the login screen, log in with your registered email address and password.
Enter the correct email address and password to log in to YubiOn Portal.

The first time you log in, the simple settings screen appears.

4. Simple settings

Skip this step if you've already done the simple settings.

4-1. YubiKey registration

Set your YubiKey up for login. Next time you log into the YubiOn Portal, you will require the YubiKey which you set up here.

4-2. Selection of settings

Click on "You do not configure your PC..." as this procedure does not configure the operator's own PC.

5. Switching to a paid plan

If you are already a paid plan customer, please skip this step.

The following explanation assumes the use of a paid plan.

6. Member registration

Register members (users) in YubiOn Portal in a batch using a CSV file.

  1. Click on "Member management" from the menu on the left side of the screen.
  2. Click on the "CSV registration" icon.
  3. Download CSV file for batch registration.
    Click the "Download" icon and download the CSV file for batch registration. Save the "member_registration_sample.csv" file to the desired location.
  4. Enter member information in the CSV file.
    Open "member_registration_sample.csv" and enter member information according to the format below.
  5. Select a CSV file.
    Click on the "Choose File" button.
  6. Click on the CSV file and click the "Open" button.
  7. When you select a file, it will display the CSV file name and the member information to be registered.
  8. Click the "Register" button.

7. Setup

In this procedure, each user (member) is responsible for their own setup. The administrator sends a registration email to each member asking them to register and set up their system. This registration email contains a link to the “Easy Setup” screen, from which each member can follow the on-screen instructions for self-setup.

7-1. Distribute YubiKey to users

Distribute a YubiKey to each member before sending the registration email for setup.

Check before YubiKey distribution
Prior preparation is required to enable offline authentication of the PC.
Before distributing the YubiKeys to users, please refer to the YubiKey offline settings to configure the YubiKeys.
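
A pre-distribution slot check, added here as an example (not part of YubiOn's tooling). It assumes Yubico's ykman CLI is installed, whose `ykman otp info` command prints each slot as "programmed" or "empty"; the function names and sample outputs are constructed for illustration. ykman reports only whether a slot is programmed, not what it holds, so this catches a wiped Slot1 or an unprepared Slot2 but not a Slot1 that was reprogrammed.

```shell
#!/bin/sh
# Added example: verify YubiKey OTP slot state before handing a key to a user.

# slot_state TEXT N : print "programmed", "empty" or "unknown" for slot N
slot_state() {
    state=$(printf '%s\n' "$1" | sed -n "s/^Slot $2: *\([a-z]*\).*/\1/p" | head -n 1)
    printf '%s\n' "${state:-unknown}"
}

# check_slots TEXT OFFLINE(yes|no) : return 0 when the key is ready to distribute
check_slots() {
    info=$1; offline=$2; rc=0
    s1=$(slot_state "$info" 1)
    s2=$(slot_state "$info" 2)
    if [ "$s1" != programmed ]; then
        echo "FAIL: Slot1 is $s1; YubiOn Portal needs the Yubico OTP configuration in Slot1"
        rc=1
    fi
    if [ "$offline" = yes ] && [ "$s2" != programmed ]; then
        echo "FAIL: Slot2 is $s2; offline authentication needs challenge response in Slot2"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: Slot1 $s1, Slot2 $s2"
    fi
    return "$rc"
}

# Constructed sample outputs in the format printed by `ykman otp info`
SAMPLE_FACTORY='Slot 1: programmed
Slot 2: empty'
SAMPLE_READY='Slot 1: programmed
Slot 2: programmed'
SAMPLE_WIPED='Slot 1: empty
Slot 2: programmed'

# Demonstration on the constructed samples (offline authentication in use)
check_slots "$SAMPLE_FACTORY" yes || true
check_slots "$SAMPLE_READY" yes || true
check_slots "$SAMPLE_WIPED" yes || true

# Live use with one key inserted:
#   check_slots "$(ykman otp info)" yes
```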


7-2. Leave the setup to each member

The following instructions describe how to send the registration email for setup to each member.

About the setup procedure
See also “How to use Windows logon” for the setup procedure for each member.

  1. Select "Member management" from the menu on the left side of the screen.
  2. Click "Registration Email Notification".
  3. A list of IDs, member names, and email addresses is displayed in the member list.
  4. Select the members to be notified by email by clicking on the checkboxes.
  5. Click the "Send" button.

If you don’t want users to uninstall the software
The optional function “Uninstall Control” can be used to hide the software from the list of installed applications and prevent uninstallation.

Please contact us for more information on using the “Uninstall Control” option.


8. Service settings

In the service configuration screen, configure the settings for the two-factor authentication service.

8-1. General service settings

Click the "PC" icon from the menu on the left side of the screen.
Click on "Service setting".
Configure the following settings to match your security policy:

Configuration items | Configuration Contents | Default
--- | --- | ---
1. Cache logon expiration date | The number of days available for offline authentication. | Disabled
2. Screen lock | Lock the screen when the YubiKey is unplugged. | Disabled
3. Forced YubiKey logon | Make logging onto the PC with YubiKey mandatory. | Disabled
4. Authentication failure lock | Locks the PC after a certain number of failed logon attempts. It can also be used to unlock the PC only after a certain amount of time has elapsed. | Disabled
5. Automatic email notification | Email notifications when there is a change in PC status or service settings. | Enabled (Representative)

In the initial view of the service settings, "Default Policy" is selected.
This step is based on the "Default Policy".



8-2. Cache logon settings

Setting an expiration date for offline authentication allows you to log on offline for a specified number of days from the date of the last successful PC logon. If disabled, you will not be able to log on in environments without a network connection.

  1. Click the "Enable" radio button.
  2. Enter the expiration date.
    For free use, only one day can be set.
  3. Click the "Update" button.

8-3. Screen lock settings

With screen lock enabled, you can lock the screen automatically when you unplug the YubiKey from the PC's USB port.

  1. Check the "Lock screen when unplugging YubiKey" checkbox.
  2. Click the "Update" button.

8-4. Forced YubiKey logon settings

Set the PC to enforce logon using YubiKey when logging on.

  1. Check the "Force a logon using YubiKey" checkbox.
  2. Click the "Update" button.

8-5. Authentication failure lock settings

Set up your PC to lock after a certain number of failed logon attempts.

  1. If the Authentication failure lock setting is enabled, it is possible to prohibit a terminal from logging on after a certain number of failed logon attempts.
  2. Click the "Update" button.

8-6. Unlock settings after an authentication failure lock

  1. Check the "After authentication failure lock, unlock at a certain time" checkbox.
  2. Enter the time (in minutes) after which the PC can be unlocked.
  3. Click the "Update" button.

8-7. Automatic email notification settings

When there is a change in the status of the PC or service settings, the members registered in the notification settings are notified automatically. By default, the representative is set as the recipient of the notification.

  1. Click the settings icon in the top right corner of the service settings screen, and then click "Email notification settings".
  2. Toggle the notification settings to enable/disable.
  3. Check the items to receive notifications for.
  4. Click the "Update" button.

9. Operational confirmation

Check whether the user's PC successfully reflects the settings of the group policy.

From the menu on the left side of the screen, click the "PC" icon and then click "Service setting".

9-1. Group policy reflection confirmation

There are three types of group policies: "Reflected", "Unreflected", and "Old policy is reflected".

The following is the procedure to confirm the group policy.

  1. Click on the group policy you wish to review.
  2. Click on the "PC list" tab.
  3. Click on the pull-down under "Status."
    Next, click on "Unreflected".
  4. A list of PCs to which the group policy has not yet been applied is displayed. The "Unreflected" status is indicated by an "X" mark.

This completes the installation procedure.

10. Additional Information


10-1. Two-factor authentication method for YubiOn Portal site

Logging in to the YubiOn Portal with two-factor authentication requires the member's email address, password, and YubiKey.

  1. Access the login page.
    Enter your email address in the email address field and click the Confirm button.
  2. Enter the password in the password field.
  3. Plug the YubiKey into the USB port.
  4. Click the YubiKey input field and tap the YubiKey. *The YubiKey's one-time password will be entered automatically and the user will be logged in.
  5. After logging in, the "Dashboard" will be displayed.