Important

THESE ARE PRELIMINARY INSTRUCTIONS THAT CANNOT BE FOLLOWED COMPLETELY YET

YubiKey

Configuring Yubikey for the NOAA RDHPCS

A Yubikey is an “electronic physical keyring” that is plugged into an available USB slot on your computer. Like a keyring, a Yubikey holds (stores) several sets of keys (authentication tokens and certificates), and helps prevent the compromise of accounts used to access computers, networks and web applications by requiring the physical possession of a key for successful login.

../_images/yubi-usbac.png

Important

As of October 1, 2025, a YubiKey or CAC will be required to access the NOAA RDHPCS. Contact your security office to request a YubiKey.

Yubikey Registration

The NOAA Yubikey is issued by your security office.

If you do not have a NOAA issued YubiKey, contact your local I/T staff, your primary email admin, or your security office.

If you do not know any of those details, start by contacting your mail admin. Log into the NOAA Staff Directory. Click your name on the right hand side, then click View my Info. Click the link Primary Mail Admin to send an email to your mail admin to start your Yubikey request.

You must register your NOAA issued YubiKey for use with your NOAA accounts at https://accounts.noaa.gov, and follow the additional steps below to configure and register your Yubikey for RDHPCS use.

Note

If you have lost your NOAA issued YubiKey and have a replacement YubiKey, you will need to delete the lost YubiKey at the AIM MFA page before registering the replacement.

These steps program a new Yubico OTP credential into Slot 2 of your YubiKey, the Long Press slot. It is separate from the Slot 1 (Short Press) credential you have been using for your NOAA accounts, which is left unchanged.

Note

A Long Press means touch and hold for three (3) seconds

Follow these steps to configure Long Press Slot 2 with a Yubico OTP credential. You can safely restart these instructions and re-register the Yubico OTP credential in Long Press Slot 2:

  1. You must have registered your NOAA issued YubiKey at https://accounts.noaa.gov. Navigate to your NOAA Accounts profile page and look under MFA Enrollment for a green checkmark and "Yubikey registered".

../_images/noaa-accounts-profile.png

Important

DO NOT PROCEED until you have registered your NOAA issued YubiKey at https://accounts.noaa.gov

  2. Download and install the YubiKey Manager.

Note

If you are working on Government Furnished Equipment (GFE), you will need to request a software installation from your local I/T office. You may find it simpler to use a personal computer for the following steps.

Note

If you are a GFDL Linux user, the YubiKey Manager package is already installed on the GFDL workstations and does not need to be installed. Proceed with Step 3, below.

  3. Insert your NOAA issued YubiKey into an available USB slot.

  4. Open the YubiKey Manager from the Start Menu (Windows) or Applications folder (Mac). Linux users, skip ahead to step 4-Linux.

../_images/yk-mgr-main.png

  5. From the Applications menu, select OTP.

../_images/yk-mgr-app-otp.png

  6. Under Long Touch (Slot 2), select Configure.

../_images/yk-mgr-otp.png

  7. Under Select Credential Type, select Yubico OTP.

../_images/yk-mgr-otp-cred.png

  8. Select Next to continue to the Yubico OTP configuration.

  9. Configure the Yubico OTP credential:

  • Under Yubico OTP, check and set the following:

  • Under Public ID, select Use serial.

  • Under Private ID, select Generate.

  • Under Secret Key, select Generate.

  • Ensure Upload is not checked, so the credential is not sent to YubiCloud.

../_images/yk-mgr-otp-register.png
  • Record the Public ID and Secret Key in your favorite plain text editor. You will not be able to retrieve this information again after completion. We will use this information to complete the YubiKey enrollment process. Treat the Secret Key like a password: it is the AES key from which the OTPs are generated, so delete the recorded copy once registration in step 10 is complete.

  • Select Finish to confirm the changes on the YubiKey. The changes will be written to the YubiKey.

    Note

    Slot 2 may show as being configured. It is safe to overwrite.

Skip ahead to step 10.

Note

This set of instructions is for Linux users only.

4-Linux: Open a terminal window.

5-Linux: Type (or copy and paste) the following ykman command. The slot argument must be 2; slot 1 holds the Short Press credential you already use.

ykman otp yubiotp 2 --serial-public-id --generate-private-id --generate-key

Example (the IDs and key are redacted; yours will differ):

ykman otp yubiotp 2 --serial-public-id --generate-private-id --generate-key
Using YubiKey serial as public ID: vvcccbn*****
Using a randomly generated private ID: a36ad3d*****
Using a randomly generated secret key: 4de7b4a69faa75e779a8b0869b0*****
Program a YubiOTP credential in slot 2? [y/N]: y
  • Record the Public ID and Secret Key in your favorite plain text editor. You will not be able to retrieve this information again after completion. We will use this information to complete the YubiKey enrollment process. Treat the Secret Key like a password: it is the AES key from which the OTPs are generated, so delete the recorded copy once registration in step 10 is complete.

  • Type y and press <ENTER> to confirm the changes on the YubiKey. The changes will be written to the YubiKey.

    Note

    Slot 2 may show as being configured. It is safe to overwrite.

Continue to step 10.

  10. In a web browser, navigate to the AIM MFA page.

../_images/yk-aim.png
  • Enter the Secret Key from Step 9 or 5-Linux.

  • Enter a 6 to 8 digit PIN. You may choose to re-use the PIN you use for your RSA token to make it easier to remember.

  • Confirm the PIN.

  11. Click on Submit Changes to complete the registration.
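Before deleting the recorded Public ID and Secret Key, it is worth confirming that the Long Press slot actually emits what you registered. The script below is an added example and is not part of the NOAA RDHPCS instructions or of ykman: with a text field focused, touch and hold the key for three seconds, paste the string it typed as the first argument and your recorded Public ID as the second. It relies on two facts about Yubico OTP (an OTP is 44 ModHex characters from the alphabet cbdefghijklnrtuv, and the first 12 are the Public ID) and on one assumption: that `ykman otp info` prints a line of the form `Slot 2: programmed`, which is the ykman 5.x format. The sample OTP and Public ID in the script are constructed values, not from a real key.

```shell
#!/bin/sh
# Added example, not part of the NOAA RDHPCS instructions or of ykman.
# After programming Long Press Slot 2, confirm (a) ykman reports the slot as
# programmed and (b) a long press emits a Yubico OTP whose 12-character public ID
# is the one you recorded, before you delete the recorded values.
# Relied-on facts: a Yubico OTP is 44 ModHex characters (alphabet cbdefghijklnrtuv),
# the first 12 of which are the public ID. Assumption: "ykman otp info" prints
# "Slot 2: programmed" (ykman 5.x format); adjust the grep if yours differs.

# Constructed sample values for demonstration only; not from a real key.
SAMPLE_PUBLIC_ID='vvcccbncdefg'
SAMPLE_OTP='vvcccbncdefghijklnrtuvcbdefghijklnrtuvcbdefg'

# is_modhex STRING: succeed if STRING is non-empty and made only of ModHex characters
is_modhex() {
    [ -n "$1" ] || return 1
    case "$1" in
        *[!cbdefghijklnrtuv]*) return 1 ;;
    esac
    return 0
}

# otp_public_id OTP: print the public ID, i.e. the first 12 characters
otp_public_id() {
    printf '%s' "$1" | cut -c1-12
}

# check_otp OTP EXPECTED_PUBLIC_ID: succeed only if OTP is a well-formed Yubico OTP
# emitted by the key whose public ID is EXPECTED_PUBLIC_ID
check_otp() {
    # The key "types" the OTP followed by Enter; drop a trailing CR/LF if it was pasted along
    otp=$(printf '%s' "$1" | tr -d '\r\n')
    expected=$2
    if [ "${#otp}" -ne 44 ]; then
        echo "check_otp: expected 44 characters, got ${#otp}" >&2
        return 1
    fi
    if ! is_modhex "$otp"; then
        echo "check_otp: OTP contains non-ModHex characters" >&2
        return 1
    fi
    if [ "$(otp_public_id "$otp")" != "$expected" ]; then
        echo "check_otp: public ID $(otp_public_id "$otp") does not match recorded $expected" >&2
        return 1
    fi
    return 0
}

# slot2_programmed: succeed if ykman reports Slot 2 as programmed (needs ykman in PATH;
# the exact output line is an assumption, see above)
slot2_programmed() {
    command -v ykman >/dev/null 2>&1 || { echo "ykman not found in PATH" >&2; return 2; }
    ykman otp info | grep -q '^Slot 2: programmed'
}

# Usage: sh check-slot2.sh <otp-typed-by-long-press> <recorded-public-id>
if [ "$#" -eq 2 ]; then
    slot2_programmed && echo "ykman: Slot 2 is programmed"
    if check_otp "$1" "$2"; then
        echo "OK: the long press OTP came from public ID $2; the recorded Secret Key can now be deleted"
    fi
fi
```

If the public ID check fails, the most likely cause is that the short press (Slot 1) was triggered instead of the long press, since both slots emit ModHex strings of the same length; repeat the touch, holding for the full three seconds.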