# YubiKey

This tutorial explains how to configure Yubico YubiKeys for single sign-on to Pritunl. Users will authenticate with a YubiKey when downloading VPN profiles and before each VPN connection. YubiKey must be used in combination with another single sign-on provider. VPN re-connections will not require a YubiKey authentication; this can be changed with the [**Two-Step Authentication Cache**](https://docs.pritunl.com/kb/vpn/users/two-step-authentication) settings.

The Yubico authentication uses [**Yubico OTP**](https://developers.yubico.com/OTP/). Any YubiKey supporting this can be used, including the [**YubiKey 4**](https://www.yubico.com/product/y4/), [**YubiKey 4 Nano**](https://www.yubico.com/product/yk4nano/), [**YubiKey 4C**](https://www.yubico.com/product/yubikey-4c/) and [**YubiKey Neo**](https://www.yubico.com/products/yubikey-hardware/yubikey-neo/).

### Purchase YubiKeys

YubiKeys can be purchased with **Amazon Prime**. All the YubiKeys below are supported.

* [**YubiKey 4 ($40)**](https://www.amazon.com/gp/product/B018Y1Q71M/ref=as_li_tl?ie=UTF8\&tag=pritunl0e-20\&camp=1789\&creative=9325\&linkCode=as2\&creativeASIN=B018Y1Q71M\&linkId=f89a9c0c4705c1514f79260b190c3d36)
* [**YubiKey 4 Nano ($50)**](https://www.amazon.com/gp/product/B018Y1XXT6/ref=as_li_tl?ie=UTF8\&tag=pritunl0e-20\&camp=1789\&creative=9325\&linkCode=as2\&creativeASIN=B018Y1XXT6\&linkId=75768303dd702eec02a94882efa53eac)
* [**YubiKey Neo ($50)**](https://www.amazon.com/gp/product/B00LX8KZZ8/ref=as_li_tl?ie=UTF8\&tag=pritunl0e-20\&camp=1789\&creative=9325\&linkCode=as2\&creativeASIN=B00LX8KZZ8\&linkId=2851cf95c315c44a4ce4d9f49df8e5a3)

### Get Yubico API Key

The Yubico OTP servers require an API key. This can be generated at [**upgrade.yubico.com/getapikey**](https://upgrade.yubico.com/getapikey).

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FXCmuQbKCIPFWDMHp3vaJ%2Fyubikey0.png?alt=media\&token=05ff7c3c-eac6-4169-809f-6ae938d1adb3)

### Configure Pritunl

After generating a Yubico API key, open the *Pritunl* settings and set *Single Sign-On* to one of the *Yubico* modes. Then copy the *Integration key* to *Duo Integration Key*, *Secret key* to *Duo Secret Key* and *API hostname* to *Duo API Hostname*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FlXkgyrOQFaGrbr9xvGz1%2Fyubikey1.png?alt=media\&token=bb6ff2c9-da9a-402f-8dd5-7d5584a53394)

### Custom Yubico API Servers

By default, the official YubiCloud API servers are used to validate YubiKeys. The servers can be changed by running the command `pritunl set app.sso_yubico_servers '["https://server0", "https://server1"]'`.
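
What the API key is for, whichever validation servers are configured, shown as an added example (not Pritunl's or Yubico's code): under the Yubico validation protocol 2.0 the secret key signs each server reply with HMAC-SHA1, so a client can reject a reply that was altered in transit or that does not match its own request. The key, OTP, nonce and responses below are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed sample values, not real credentials or a real OTP.
KEY = base64.b64encode(b"constructed-demo-key").decode()
OTP = "cccccccccccb" + "defghijklnrtuvbc" * 2   # 44 modhex characters
NONCE = "a1b2c3d4e5f6a7b8c9d0"

def sign_params(params, api_key_b64):
    """Base64 HMAC-SHA1 over the sorted key=value pairs, excluding 'h'."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    mac = hmac.new(key, msg.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def parse_response(body):
    """Split the key=value lines of a verify response into a dict."""
    fields = {}
    for line in body.splitlines():
        if line.strip():
            k, _, v = line.strip().partition("=")  # values may contain '='
            fields[k] = v
    return fields

def check_response(body, otp, nonce, api_key_b64):
    """Accept only a correctly signed reply for this exact request."""
    fields = parse_response(body)
    expected = sign_params(fields, api_key_b64)
    if not hmac.compare_digest(fields.get("h", "").encode(), expected.encode()):
        return False, "bad signature"
    if fields.get("otp") != otp or fields.get("nonce") != nonce:
        return False, "otp/nonce mismatch"
    if fields.get("status") != "OK":
        return False, "status " + fields.get("status", "missing")
    return True, "ok"

def build_sample(status, nonce=NONCE):
    """Constructed server reply, signed with KEY, for the demo below."""
    fields = {"otp": OTP, "nonce": nonce, "status": status,
              "t": "2024-01-01T00:00:00Z0123"}
    fields["h"] = sign_params(fields, KEY)
    return "\r\n".join(f"{k}={v}" for k, v in fields.items())

if __name__ == "__main__":
    print(check_response(build_sample("OK"), OTP, NONCE, KEY))
    forged = build_sample("REPLAYED_OTP").replace("REPLAYED_OTP", "OK")
    print(check_response(forged, OTP, NONCE, KEY))
```

The second call shows why the signature matters: a reply whose status was rewritten to `OK` after signing is rejected as `bad signature`.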
