# YubiKey

This tutorial explains how to configure Yubico YubiKeys for single sign-on to Pritunl. Users will authenticate with a YubiKey when downloading VPN profiles and before each VPN connection. A YubiKey must be used in combination with another single sign-on provider. VPN re-connections will not require YubiKey authentication; this can be changed with the [**Two-Step Authentication Cache**](/kb/vpn/users/two-step-authentication.md) settings. The Yubico authentication uses [**Yubico OTP**](https://developers.yubico.com/OTP/). Any YubiKey supporting this can be used, including the [**YubiKey 4**](https://www.yubico.com/product/y4/), [**YubiKey 4 Nano**](https://www.yubico.com/product/yk4nano/), [**YubiKey 4C**](https://www.yubico.com/product/yubikey-4c/) and [**YubiKey Neo**](https://www.yubico.com/products/yubikey-hardware/yubikey-neo/).

### Purchase YubiKeys

YubiKeys can be purchased with **Amazon Prime**. All the YubiKeys below are supported.

* [**YubiKey 4 ($40)**](https://www.amazon.com/gp/product/B018Y1Q71M/ref=as_li_tl?ie=UTF8\&tag=pritunl0e-20\&camp=1789\&creative=9325\&linkCode=as2\&creativeASIN=B018Y1Q71M\&linkId=f89a9c0c4705c1514f79260b190c3d36)
* [**YubiKey 4 Nano ($50)**](https://www.amazon.com/gp/product/B018Y1XXT6/ref=as_li_tl?ie=UTF8\&tag=pritunl0e-20\&camp=1789\&creative=9325\&linkCode=as2\&creativeASIN=B018Y1XXT6\&linkId=75768303dd702eec02a94882efa53eac)
* [**YubiKey Neo ($50)**](https://www.amazon.com/gp/product/B00LX8KZZ8/ref=as_li_tl?ie=UTF8\&tag=pritunl0e-20\&camp=1789\&creative=9325\&linkCode=as2\&creativeASIN=B00LX8KZZ8\&linkId=2851cf95c315c44a4ce4d9f49df8e5a3)

### Get Yubico API Key

The Yubico OTP servers require an API key. This can be generated at [**upgrade.yubico.com/getapikey**](https://upgrade.yubico.com/getapikey).

![](/files/BJJ8GbiC8eZZq6GHnuil)

### Configure Pritunl

After generating a Yubico API key, open the *Pritunl* settings and set *Single Sign-On* to one of the *Yubico* modes. Then copy the *Integration key* to *Duo Integration Key*, *Secret key* to *Duo Secret Key* and *API hostname* to *Duo API Hostname*.

![](/files/QvmwYPmmFzJqFobXdT1g)

### Custom Yubico API Servers

By default, the official YubiCloud API servers are used to validate YubiKeys. The servers can be changed by running the command `pritunl set app.sso_yubico_servers '["https://server0", "https://server1"]'`.
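
Whichever validation servers are configured, a client relies on the API secret to authenticate the server's answer. The following added example (not Pritunl's code and not part of the original page) shows the response check defined by the Yubico OTP validation protocol 2.0: recompute the HMAC-SHA1 signature, then confirm the response echoes this request's OTP and nonce. The function names, API secret, OTP and nonce are constructed for illustration.

```python
import base64
import hashlib
import hmac

def sign(fields, api_key_b64):
    """HMAC-SHA1 over 'k=v' pairs sorted by key and joined with '&', base64-encoded."""
    line = "&".join(f"{k}={fields[k]}" for k in sorted(fields))
    key = base64.b64decode(api_key_b64)  # the API secret is distributed base64-encoded
    return base64.b64encode(hmac.new(key, line.encode(), hashlib.sha1).digest()).decode()

def parse_response(body):
    """Parse the 'key=value' lines of a validation response."""
    fields = {}
    for raw in body.splitlines():
        if "=" in raw:
            k, v = raw.strip().split("=", 1)  # base64 values end in '=', so split once
            fields[k] = v
    return fields

def verify_response(body, otp, nonce, api_key_b64):
    """Accept only a correctly signed status=OK that echoes this request's OTP and nonce."""
    fields = parse_response(body)
    received = fields.pop("h", "")
    expected = sign(fields, api_key_b64)
    if not hmac.compare_digest(received.encode(), expected.encode()):
        return False  # altered in transit, or sent by a server without the secret
    if fields.get("otp") != otp or fields.get("nonce") != nonce:
        return False  # validly signed, but it answers a different request
    return fields.get("status") == "OK"

# Constructed sample values, not real credentials or a real OTP.
API_KEY = base64.b64encode(b"constructed-demo-secret").decode()
OTP = "cccccccbcdef" + "bdefghijklnrtuvc" * 2  # 12-char public ID + 32 modhex chars
NONCE = "a1b2c3d4e5f6a7b8c9d0"

def build_response(status, otp=OTP, nonce=NONCE, key=API_KEY):
    """Constructed stand-in for a validation server's reply, used to exercise the check."""
    fields = {"t": "2024-01-01T00:00:00Z0123", "otp": otp, "nonce": nonce,
              "sl": "100", "status": status}
    fields["h"] = sign(fields, key)
    return "\r\n".join(f"{k}={v}" for k, v in fields.items())

if __name__ == "__main__":
    print(verify_response(build_response("OK"), OTP, NONCE, API_KEY))
```
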


