Purpose of Knowledge Article
- A Yubikey is an alternative token to Google Authenticator. While Google Authenticator runs on your phone, Yubikey is a USB form factor device you plug into your computer.
- You must open an IT support ticket to be issued a Yubikey so we can schedule an appointment with you. Setup takes 15-30 minutes.
- Two forms of government-issued identification must be provided for IT to assign a Yubikey. These include driver's licenses, passports, and Berkeley Lab ID cards.
- There is a labor charge of $100/hr if you would like a Yubikey delivered and configured. Email [email protected] or open a Help Desk ticket if you require on-site assistance.
- The cost per Yubikey is approximately $50 which must be paid using a valid project ID and activity code. You may purchase more than one Yubikey to use at different locations.
Resolution
| 1 | You may resync your Yubikey by clicking on the "Resync" link at https://identity.lbl.gov/mfa/resync. |
|
| 2 | Enter your Berkeley Lab Identity Username in the Username field. Insert the Yubikey into your computer, and while the cursor is on the "One-Time Password 1" field, tap the gold, circular "Y" symbol on the top of the Yubikey 4. Tap on the metal will generate an OTP key and auto-populate the field. Then, move the cursor to the second field, "One-Time Password 2" and press the gold, circular "Y" symbol on the top of the Yubikey 4. You will see an OTP key auto-populate the field. Note, if you are using the Yubikey 4 Nano, then press the rounded front of the key protruding from the USB port instead of pressing the gold, circular "Y". Then, click "Resync". |
|
| Instructions | View | |
|---|---|---|
| 1 | On the MFA homepage, you may verify if the Yubikey is working by clicking on the "Test" link below your device's nickname. |
|
| 2 | With the Yubikey in the USB port, press on the Yubikey's gold, circular "Y" symbol or the rounded front-end to generate the OTP. Click "Test Now". If it is successful, you will see the message, SUCCESS! You can test again or click "Done". |
|
- To remove Yubikey from your account, please contact [email protected] and include the serial number of the Yubikey that you want to remove.
- Include your LBNL username and/or employee ID number.
- Be sure to add another MFA before submitting the request to ensure you have continuous access to your LBNL account.
Yubikeys can be reassigned to new employees at the lab.
- It is recommended that you email [email protected] to request an appointment to have it done.
- If you are onsite, you may drop by Building 46, Room 125 (ring the doorbell if your card does not grant you access). Technician availability is subject to change.
If you have misplaced your Yubikey and any account password associated with it may have been stolen or shared by mistake (Example: Berkeley Lab Identity (LDAP) or Windows Active Directory (AD) account):
- Go to https://password.lbl.gov/ to reset your Berkeley Lab Identity (LDAP) password
- Go to Self-service AD Account Management to reset your Windows AD password
- If you want to obtain a new Yubikey, email [email protected] with a Project-Activity ID code. The replacement cost is $50 and must be paid with a project ID and activity code
If you have misplaced/damaged your Yubikey, but any account password associated with it is still secure:
- Wait 24 hours to make sure the Yubikey is lost. If needed, you can continue to use Google Authenticator on your smartphone to obtain a token.
- If the Yubikey hasn’t been found in 24 hours, please go to https://identity.lbl.gov/mfa/ and disable the Yubikey. Email [email protected] with a Project-Activity ID if you want to obtain a new Yubikey.
Note that there is a $50 fee to replace the Yubikey. At the time of reporting the damage/loss, please provide a project-activity ID to expedite this process. If you eventually find the misplaced Yubikey, please contact [email protected] and the IT staff will coordinate with you to collect it.
