YubiKey U2F Secondary

Secondary authentication with U2F devices

To use U2F devices the user domain must be configured in the node settings. This domain will be used for the U2F AppID, changing the domain later will invalidate any configured U2F devices. The AppID is used to bind the token to an origin to prevent phishing. All other domains used in the Pritunl Zero configuration will be stored in the app.json handler in the user domain allowing services to be added and removed without invalidating U2F devices. A valid LetsEncrypt certificate should also be configured in the Certificates tab.

Pritunl Zero allows U2F devices to authenticate in addition to the primary authentication (local, Google, OneLogin, Okta) and the secondary authentication (Duo, OneLogin Push, Okta Push). The order of authentication is primary, u2f device then secondary.

2132

Next in the Users tab create a test user and assign the role user.

2142

In the Policies tab create a policy with the user role and enable all the device authentication options in the bottom left. This will require the user to authenticate with a U2F device for all activities.

2136

Open the user domain that was configured in the first step and login with the test user credentials.

614

On the first login a prompt will be shown to register the first U2F device. Enter a name for the device then click Register Device.

614

When prompted insert the U2F device and activate it.

614

Once authenticated click U2F Devices to open the list fo configured devices. This allows the user to add or remove U2F devices.

652

To add a second device click Add Device. The user will need to authenticate with an existing U2F device before adding additional devices.

654

Once an existing U2F device has been authenticated enter a name for the new device. Then insert and activate the device when prompted.

652

Both devices will then be shown in the device list. There is no limit to the number of U2F devices a user can configure. If a user removes all U2F devices the account will be disabled and an administrator will need to re-activate the account.

654

Administrators will be able to manage user U2F devices from the user page. Administrators can register new devices without authenticating an existing device.

2140