Large-Scale implementation

In this procedure, the administrator installs the software on each PC through kitting, Active Directory, etc., and enters the required information for all users in a batch on the YubiOn Portal website. Large-scale implementation is recommended for the scale of one to over a hundred PCs. Please read the notes before proceeding with the implementation.

1. Notes

  • Be sure to check the system requirements before proceeding with the implementation.
  • Check here for available YubiKeys.
  • Windows administrative privileges are required for setting up the PC.
  • Do not change the YubiKey's Slot1 configuration.
    YubiKey has two configurable Slots with features such as One Time Password (OTP) and Challenge Response (used in offline authentication).
    • Slot1: The initial state is configured to Yubico OTP.
      If you change your Slot1 information, you will not be able to use it on YubiOn Portal.
    • Slot2: The initial state is unconfigured.
      If the offline authentication is used, a challenge response setting is required in Slot2.
  • Prior preparation is required to enable offline authentication of the PC.
    Before distributing YubiKey to users, please refer to YubiKey offline settings to configure YubiKey.
  • About the PC identification ID
    YubiOn Portal uses SID or UUID as a terminal identification ID.
    The default identification ID in each OS is as follows:
    • Windows: SID
    • macOS: UUID
    *If you have a duplicate Windows SID due to PC kitting or other reasons, you will not be able to use YubiOn Portal. If your SID is duplicated and unavailable, please contact us.

2. Implementation flow

  1. Portal registration
    [Administrator Action] Register for the YubiOn Portal. After registration, purchase a paid plan (Standard or higher).
  2. Software distribution
    [Administrator Action] Software is installed on each terminal through kitting, Active Directory, etc.
  3. Batch registration
    [Administrator Action] Batch registration of user information in CSV.
  4. Service settings
    [Administrator Action] Configure the service settings for two-factor authentication.
  5. PC auto setup
    [User Action] The automatic setup is completed when the user logs on to the PC.
  6. Start Using

3. YubiOn Portal registration

Skip this step if you have already registered.

3-1. New registration

Register your customer information through the YubiOn Portal registration page.

You will receive a confirmation email after registering.
Click the link in the email to confirm your registration.

3-2. First login

From the login screen, log in with your registered email address and password.
Enter the correct email address and password to log in to YubiOn Portal.

The first time you log in, the simple settings screen appears.

4. Simple settings

Skip this step if you've already done the simple settings.

4-1. YubiKey registration

Set your YubiKey up for login. Next time you log into the YubiOn Portal, you will require the YubiKey which you set up here.

4-2. Selection of settings

Click on "You do not configure your PC..." as this procedure does not configure the operator's own PC.

5. Switching to a paid plan

If you are already a paid plan customer, please skip this step.

The following explanation assumes the use of a paid plan.

6. Setup

The following details the steps the administrator can follow to set up the PCs.
To set up two-factor authentication on a PC, one will need to install a Windows Logon Service application, henceforth referred to as Client Tools.

Before Use
Please be sure to check the System requirements before installing the software.
The installation requires Windows administrative privileges.


6-1. Software downloads

Download software to be installed on each PC.

  1. From the menu on the left side of the screen, click the "PC" icon, then click "Download".
  2. Click the "Download" button. The "WlsInstaller_x64.msi" or "WlsInstaller_x86.msi" will be downloaded.
    Save it to any location.

6-2. Software installation

The YubiOn Portal currently does not support automatic software distribution. Instead, please distribute and install the “WlsInstaller_x64.msi” or “WlsInstaller_x86.msi” installer on each PC using one of the following methods.

  • Distribution by PC kitting
  • Distribution by Active Directory Group Policy
  • Distribution by Other Services


7. Batch registration

Register users and their information on the YubiOn Portal through a CSV.

7-1. Download the CSV

From the menu on the left side of the screen, click the “Users” icon.

Click the “Kitting CSV registration” button on the right side of the Member management screen.

Click the “Download CSV sample file” button.

Save the file in any location.

7-2. CSV input

Open the downloaded “member_machine_registration_sample.csv”.
Below is a preview of the Excel file.

Enter registration information referring to the CSV file format below.
When the registration is complete, please save the file.

If you have the same email address registered
If the same email address is input in the CSV more than once, or if you input a previously registered email address, the PC, account and YubiKey will be assigned to the same member.

7-3. CSV batch registration

Log in to the YubiOn Portal site.

Click the “Users” icon from the menu on the left side of the screen.

Click the “Kitting CSV registration” button on the right side of the Member management screen.

Click on “Choose File”.

Click on the “member_machine_registration_sample.csv” file and click the “Open” button.

Confirm that the values displayed in the registration list are correct by checking the following points, then click the “Register” button.

  • No full-width characters are entered where half-width alphanumeric notation is expected.
  • No unnecessary spaces, character strings, etc. are entered.
  • Email address format is correct.
  • Admin column* is populated with numbers.
    (*) If you are registered as an administrator, the administrator column will display a “check mark”.
    If you are registered as a general member, the administrator column will be marked with a “-”.

Click the “OK” button on the registration completion message.
When the members listed in the CSV file are displayed in the member list, the batch registration is complete.

In case of a registration error
If there is a mistake in the CSV, a warning icon will appear on the confirmation screen. Hover over the warning icon to see the error content.
Please correct and re-register the CSV file as instructed.
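
The checks listed in 7-3, the same-email behaviour from 7-2 and the duplicate-SID note in section 1 can be run against the CSV before it is uploaded. The following is an added example, not YubiOn code: the column names `email`, `admin`, `pc_name` and `pc_id` are assumptions to be replaced with the headers of the downloaded sample file, and treating a PC ID that reappears under a different PC name as a duplicate is likewise an assumption.

```python
import csv
import io
import re
import unicodedata

# Column names are assumptions for this example; substitute the headers of
# the downloaded member_machine_registration_sample.csv.
ASCII_FIELDS = ("email", "admin", "pc_id")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

def check_rows(csv_text):
    """Return (row_number, field, message) findings for a kitting CSV."""
    findings, seen_email, seen_pc_id = [], {}, {}
    reader = csv.DictReader(io.StringIO(csv_text), restval="")
    for n, row in enumerate(reader, start=2):  # row 1 is the header
        for field, value in row.items():
            if value != value.strip():
                findings.append((n, field, "unnecessary spaces"))
            wide = any(unicodedata.east_asian_width(c) in "FW" for c in value)
            if field in ASCII_FIELDS and wide:
                findings.append((n, field, "full-width characters"))
        email = row.get("email", "").strip()
        if not EMAIL_RE.fullmatch(email):
            findings.append((n, "email", "invalid email format"))
        elif email in seen_email:
            # Not an error: the portal assigns both rows to the same member.
            findings.append((n, "email", f"same member as row {seen_email[email]}"))
        else:
            seen_email[email] = n
        # ASCII digits only; str.isdigit() would also accept full-width digits.
        if not re.fullmatch(r"[0-9]+", row.get("admin", "").strip()):
            findings.append((n, "admin", "not a number"))
        pc_id, pc_name = row.get("pc_id", "").strip(), row.get("pc_name", "").strip()
        if pc_id and seen_pc_id.setdefault(pc_id, pc_name) != pc_name:
            findings.append((n, "pc_id", "identification ID reused by another PC"))
    return findings

# Constructed sample rows (not real users, PCs or SIDs); \uff10 is a full-width 0.
SAMPLE = (
    "email,admin,pc_name,pc_id\n"
    "alice@example.com,1,PC-001,S-1-5-21-1111-2222-3333\n"
    "bob@example.com ,0,PC-002,S-1-5-21-1111-2222-3333\n"
    "alice@example.com,\uff10,PC-003,S-1-5-21-4444-5555-6666\n"
    "carol.example.com,0,PC-004,S-1-5-21-7777-8888-9999\n"
)

if __name__ == "__main__":
    print(*check_rows(SAMPLE), sep="\n")
```

A repeated email address is reported only as a note, since the portal merges those rows into one member; every other finding should be corrected before upload.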

Modifying content immediately after the completion of batch registration
Refer to the “Bulk deletion method” to perform batch deletion of incorrect data while registering only the correct data from the CSV file.

In the case you want to modify the data individually
Click here to correct the member information.
Click here for YubiKey assignments.
Click here to unassign a YubiKey.
Click here to add an account.
Click here to delete an account.
Click here for account and YubiKey assignment.
Click here to unassign an account and YubiKey.

Note: The PC name and PC ID cannot be modified later. Refer to “Bulk deletion method” to delete and register again via the CSV.


8. Distribute YubiKey to users

After the CSV registration is completed, distribute the YubiKeys to users.

Things to check before distributing YubiKey
Preparation is required to enable offline authentication of the device.
Before distributing YubiKey to users, please set up YubiKey with reference to YubiKey Offline Settings.


9. Service settings

In the service configuration screen, configure the settings for the two-factor authentication service.

9-1. General service settings

Click the "PC" icon from the menu on the left side of the screen.
Click on "Service setting".
Configure the following settings to match your security policy.

| Configuration items | Configuration Contents | Default |
|---|---|---|
| 1. Cache logon expiration date | The number of days available for offline authentication. | Disabled |
| 2. Screen lock | Lock the screen when the YubiKey is unplugged. | Disabled |
| 3. Forced YubiKey logon | Make logging onto the PC with YubiKey mandatory. | Disabled |
| 4. Authentication failure lock | Locks the PC after a certain number of failed logon attempts. It can also be used to unlock the PC only after a certain amount of time has elapsed. | Disabled |
| 5. Automatic email notification | Email notifications when there is a change in PC status or service settings. | Enabled (Representative) |

In the initial view of the service settings, "Default Policy" is selected.
This step is based on the "Default Policy".



9-2. Cache logon settings

Setting an expiration date for offline authentication allows you to log on offline for a specified number of days from the date of the last successful PC logon. If disabled, you will not be able to log on in environments without a network connection.

  1. Click the "Enable" radio button.
  2. Enter the expiration date.
    For free use, only one day can be set.
  3. Click the "Update" button.

9-3. Screen lock settings

With screen lock enabled, you can lock the screen automatically when you unplug the YubiKey from the PC's USB port.

  1. Check the "Lock screen when unplugging YubiKey" checkbox.
  2. Click the "Update" button.

9-4. Forced YubiKey logon settings

Set the PC to enforce logon using YubiKey when logging on.

  1. Check the "Force a logon using YubiKey" checkbox.
  2. Click the "Update" button.

9-5. Authentication failure lock settings

Set the PC to lock after a certain number of failed logon attempts.

  1. If the Authentication failure lock setting is enabled, it is possible to prohibit a terminal from logging on after a certain number of failed logon attempts.
  2. Click the "Update" button.

9-6. Unlock settings after an authentication failure lock

  1. Check the "After authentication failure lock, unlock at a certain time" checkbox.
  2. Enter the time (in minutes) after which the PC can be unlocked.
  3. Click the "Update" button.

9-7. Automatic email notification settings

When there is a change in the status of the PC or service settings, it will automatically notify the members registered in the notification settings. By default, the representative is set as the recipient of the notification.

  1. Click the settings icon in the top right corner of the service settings screen, and then click "Email notification settings".
  2. Toggle the notification settings to enable/disable.
  3. Check the items to receive notifications for.
  4. Click the "Update" button.

10. Automatic setup of each PC by the user

The end user completes the setup automatically by logging on to the PC while connected to the network.

Conditions for automatic setup
1. The software installation on the PC is already complete
2. CSV batch registration on YubiOn Portal site must be completed
3. Log on to the PC while it is connected to the network.

The first logon uses your Windows password only, and the automatic setup is completed at that logon.
If the automatic setup is done correctly, you can use two-factor authentication from the next logon.

For more information on user operations, see How to use Windows logon (for large scale implementation).

If you don’t want the user to uninstall it
The optional function “Uninstall Control” can be used to hide the software from the list of installed applications and prevent uninstallation.

Please contact us for more information on using the “Uninstall Control” option.


11. Operational confirmation

Check whether the user's PC successfully reflects the settings of the group policy.

From the menu on the left side of the screen, click the "PC" icon and then click "Service setting".

11-1. Group policy reflection confirmation

There are three types of group policies: "Reflected", "Unreflected", and "Old policy is reflected".

The following is the procedure to confirm the group policy.

  1. Click on the group policy you wish to review.
  2. Click on the "PC list" tab.
  3. Click on the pull-down under "Status."
    Next, click on "Unreflected."
  4. A list of PCs to which the group policy has not yet been applied is displayed. The "Unreflected" status is indicated by an "X" mark.

This completes the installation procedure.

12. Additional Information


12-1. Two-factor authentication method for YubiOn Portal site

During login to the YubiOn Portal using two-factor authentication, the member's email address, password, and YubiKey are required.

  1. Access the login page.
    Enter your email address in the email address field and click the Confirm button.
  2. Enter the password in the password field.
  3. Plug the YubiKey into the USB port.
  4. Click the YubiKey input field and tap the YubiKey. *The YubiKey's one-time password will be entered automatically and the user will be logged in.
  5. After logging in, the "Dashboard" will be displayed.

12-2. Batch deletion method

Information registered via CSV can be deleted in a batch by specifying the members' (users') e-mail addresses.

  1. Click on "Member management" from the menu on the left side of the screen.
  2. Click on the "Batch delete members" icon.
  3. Download the CSV file for batch deletion.
    Click the "Download" icon to download the CSV file for bulk deletion. Save the "member_deletion.csv" file to any location.
  4. Open the "member_deletion.csv" file and enter the e-mail address of the member you wish to delete.
  5. Select a CSV file.
    Click on the "Choose File" button.
  6. Select the CSV file and click the "Open" button.
  7. Selecting a file displays the CSV file name and the member information to be deleted.
    If all is correct, click the "Delete" button.