Yubico OTP with automated registration/getapikey?


We would like to use Yubico/YubiKeys to enable users to use a second factor in our applications. For this, an administrator has to provision YubiKeys to users.

We want to do this in .net and found this library: https://developers.yubico.com/yubico-dotnet-client/

Now according to this site, we need to register first to get a clientid and an apikey (https://upgrade.yubico.com/getapikey/)

My question is: Do I have to automate this website call for every YubiKey I want to provision? Isn't there a supported way to do this via code? How do I un-register a key (if it gets lost or breaks)?

thx Michi

1 answer

Fleming Fartland

Do I have to automate this website call for every Yubikey I want to provision?

No, you don't need to create a new clientId/apiKey for each YubiKey. You only need that for using Yubico's API (YubiCloud) in your application.

How do I un-register a key (if it gets lost or breaks)?

To identify a Yubikey, you will use the publicId.

A Yubico OTP is a 44-character, one use, secure, 128-bit encrypted Public ID and Password, near impossible to spoof. The OTP is comprised of two major parts: the first 12 characters remain constant and represent the Public ID of the YubiKey device itself. The remaining 32 characters make up a unique passcode for each OTP generated.

OTPs Explained

So to register a new or remove an old (or lost) YubiKey, you add or remove that YubiKey from your application.

You can use Yubico's PublicId after you validate the OTP.

https://github.com/Yubico/yubico-dotnet-client
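How the public ID is pulled out of an OTP and tied to a user account once YubiCloud has said the OTP is valid, as an added example that is not part of the answer above or of the yubico-dotnet-client project. The `YubiKeyRegistry` class, the `verify_second_factor` function and the `fake_yubicloud_verify` stub are assumptions standing in for your application's user store and the library's validation call; the sample OTP is constructed. The same logic ports directly to the .NET application.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

# Modhex: the 16-symbol alphabet Yubico uses so an OTP types the same on most keyboard layouts.
MODHEX_ALPHABET = "cbdefghijklnrtuv"
OTP_LENGTH = 44        # 12-character public ID + 32-character passcode
PUBLIC_ID_LENGTH = 12


def modhex_decode(text: str) -> bytes:
    """Decode modhex into raw bytes (two symbols per byte)."""
    if len(text) % 2 != 0:
        raise ValueError("modhex string must have even length")
    out = bytearray()
    for hi, lo in zip(text[0::2], text[1::2]):
        out.append((MODHEX_ALPHABET.index(hi) << 4) | MODHEX_ALPHABET.index(lo))
    return bytes(out)


def split_otp(otp: str) -> tuple[str, str]:
    """Return (public_id, passcode); raise ValueError if the string is not shaped like a Yubico OTP."""
    otp = otp.strip().lower()          # YubiKeys type lowercase, but tolerate pasted input
    if len(otp) != OTP_LENGTH:
        raise ValueError(f"expected {OTP_LENGTH} characters, got {len(otp)}")
    if any(ch not in MODHEX_ALPHABET for ch in otp):
        raise ValueError("OTP contains characters outside the modhex alphabet")
    return otp[:PUBLIC_ID_LENGTH], otp[PUBLIC_ID_LENGTH:]


def is_well_formed(otp: str) -> bool:
    try:
        split_otp(otp)
        return True
    except ValueError:
        return False


@dataclass
class YubiKeyRegistry:
    """Hypothetical stand-in for the application's own user store: user -> registered public IDs."""
    _keys_by_user: dict[str, set[str]] = field(default_factory=dict)

    def register(self, user: str, otp: str) -> str:
        """Admin provisioning: bind the key that produced this OTP to the user. Returns the public ID."""
        public_id, _ = split_otp(otp)
        self._keys_by_user.setdefault(user, set()).add(public_id)
        return public_id

    def unregister(self, user: str, public_id: str) -> bool:
        """Lost or broken key: drop the public ID locally; nothing has to be told to Yubico."""
        keys = self._keys_by_user.get(user, set())
        if public_id not in keys:
            return False
        keys.discard(public_id)
        return True

    def owns(self, user: str, public_id: str) -> bool:
        return public_id in self._keys_by_user.get(user, set())


def verify_second_factor(registry: YubiKeyRegistry, user: str, otp: str,
                         validate_with_yubicloud: Callable[[str], bool]) -> bool:
    """Second-factor check at login time."""
    try:
        public_id, _ = split_otp(otp)
    except ValueError:
        return False
    # 1. YubiCloud (the YubicoClient call in the .NET library) confirms the OTP is genuine
    #    and not replayed; that check lives on Yubico's side, not here.
    if not validate_with_yubicloud(otp):
        return False
    # 2. Bind the key to the account. Without this step any valid YubiKey OTP would pass for any user.
    return registry.owns(user, public_id)


def fake_yubicloud_verify(otp: str) -> bool:
    """Constructed stand-in for the YubiCloud call so the example runs offline: accepts any well-formed OTP."""
    return is_well_formed(otp)


# Constructed sample: public ID "ccccccbcdefg" followed by a 32-character passcode.
SAMPLE_OTP = "ccccccbcdefg" + "cbdefghijklnrtuv" * 2

if __name__ == "__main__":
    public_id, passcode = split_otp(SAMPLE_OTP)
    print("public id:", public_id, "passcode bits:", len(modhex_decode(passcode)) * 8)
    reg = YubiKeyRegistry()
    reg.register("michi", SAMPLE_OTP)
    print("michi:", verify_second_factor(reg, "michi", SAMPLE_OTP, fake_yubicloud_verify))
    print("other user:", verify_second_factor(reg, "someone", SAMPLE_OTP, fake_yubicloud_verify))
    reg.unregister("michi", public_id)
    print("after unregister:", verify_second_factor(reg, "michi", SAMPLE_OTP, fake_yubicloud_verify))
```

The ownership check in step 2 is the part that is easy to forget: YubiCloud only tells you that some YubiKey produced a fresh OTP, so your application must compare the public ID against the one stored for that user, and un-registering a lost key is simply removing its public ID from that store.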