YubiKey U2F Secondary

Secondary authentication with U2F devices

To use U2F devices the user domain must be configured in the node settings. This domain is used as the U2F AppID, so changing the domain later will invalidate any configured U2F devices. The AppID binds each token to an origin to prevent phishing. All other domains used in the Pritunl Zero configuration are stored in the app.json handler served from the user domain, allowing services to be added and removed without invalidating U2F devices. A valid Let's Encrypt certificate should also be configured in the Certificates tab.

Pritunl Zero allows U2F devices to authenticate in addition to the primary authentication (local, Google, OneLogin, Okta) and the secondary authentication (Duo, OneLogin Push, Okta Push). The order of authentication is primary, then U2F device, then secondary.
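The following is an added example, not Pritunl Zero's own code, showing the origin check that the AppID and the app.json facet list make possible. The AppID, the domains and the facet list are constructed placeholders; the list shape and the checks follow the FIDO U2F AppID and Facet Specification, and it is assumed that the app.json handler serves a list of this shape.

```python
import hashlib
import json
from urllib.parse import urlsplit

# Constructed sample: the AppID is the user domain and app.json lists every
# other service domain as a trusted facet. Domains are placeholders.
APP_ID = "https://users.example.com"
TRUSTED_FACETS_JSON = json.dumps({
    "trustedFacets": [{
        "version": {"major": 1, "minor": 0},
        "ids": ["https://users.example.com",
                "https://vault.example.com",
                "https://git.example.com"],
    }]
})

def origin_of(url: str) -> str:
    """Reduce a URL to its https origin; anything non-https is rejected."""
    p = urlsplit(url)
    if p.scheme != "https" or not p.hostname:
        raise ValueError(f"not an https origin: {url!r}")
    port = f":{p.port}" if p.port and p.port != 443 else ""
    return f"https://{p.hostname}{port}"

def load_trusted_facets(app_json: str) -> set:
    """Collect the version 1.0 web-origin facets from an app.json document."""
    facets = set()
    for entry in json.loads(app_json).get("trustedFacets", []):
        if entry.get("version") != {"major": 1, "minor": 0}:
            continue  # unknown facet-list versions are ignored
        for facet_id in entry.get("ids", []):
            try:
                facets.add(origin_of(facet_id))
            except ValueError:
                pass  # non-web facet ids (e.g. native app hashes) are not origins
    return facets

def origin_allowed(app_id: str, origin: str, app_json: str) -> bool:
    """True if `origin` may register/sign with `app_id`: either it is the
    AppID's own origin, or it appears in the AppID's trusted facet list."""
    try:
        app_origin, caller = origin_of(app_id), origin_of(origin)
    except ValueError:
        return False
    return caller == app_origin or caller in load_trusted_facets(app_json)

def app_param(app_id: str) -> str:
    """SHA-256 of the AppID; key handles are bound to it, so a domain change invalidates them."""
    return hashlib.sha256(app_id.encode()).hexdigest()
```

Adding a new service domain only extends the facet list, so existing registrations keep working, whereas changing the user domain changes the application parameter every registered key handle was bound to.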


Next in the Users tab create a test user and assign the role user.


In the Policies tab create a policy with the user role and enable all the device authentication options in the bottom left. This will require the user to authenticate with a U2F device for all activities.


Open the user domain that was configured in the first step and log in with the test user credentials.


On the first login a prompt will be shown to register the first U2F device. Enter a name for the device then click Register Device.


When prompted insert the U2F device and activate it.


Once authenticated click U2F Devices to open the list of configured devices. This allows the user to add or remove U2F devices.


To add a second device click Add Device. The user will need to authenticate with an existing U2F device before adding additional devices.


Once an existing U2F device has been authenticated enter a name for the new device. Then insert and activate the device when prompted.


Both devices will then be shown in the device list. There is no limit to the number of U2F devices a user can configure. If a user removes all U2F devices the account will be disabled and an administrator will need to re-activate the account.


Administrators will be able to manage user U2F devices from the user page. Administrators can register new devices without authenticating an existing device.