Small-Scale implementation

This procedure is for administrators who configure the YubiOn Portal site settings and set up the PCs. A small-scale implementation is recommended when there are from one to around a few dozen PCs, all within easy reach of the administrators. Please read the notes before proceeding with the implementation.

1. Notes

  • Be sure to check the system requirements before proceeding with the implementation.
  • Check here for available YubiKeys.
  • Windows administrative privileges are required for setting up the PC.
  • Do not change the configuration of the YubiKey's Slot1.
    YubiKey has two configurable Slots with features such as One Time Password (OTP) and Challenge Response (used in offline authentication).
    • Slot1: The initial state is configured to Yubico OTP.
      If you change your Slot1 information, you will not be able to use it on YubiOn Portal.
    • Slot2: The initial state is unconfigured.
      If the offline authentication is used, a challenge response setting is required in Slot2.
  • Prior preparation is required to enable offline authentication of the PC.
    Before distributing YubiKey to users, please refer to YubiKey offline settings to configure YubiKey.
  • About the PC identification ID
    YubiOn Portal uses SID or UUID as a terminal identification ID.
    The default identification ID for each OS is as follows:
    • Windows: SID
    • macOS: UUID
    *If you have a duplicate Windows SID due to PC kitting or other reasons, you will not be able to use YubiOn Portal. If your SID is duplicated and unavailable, please contact us.
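A duplicate SID can be found before rollout by collecting the SID of each PC and grouping the results. The following is an added example, not part of the YubiOn documentation or tooling; it assumes that the identification ID corresponds to the Windows machine SID (the part shared by all local account SIDs), and the function names and inventory values are constructed for illustration.

```powershell
# Added example (not vendor code). Assumption: the terminal identification ID
# is the Windows machine SID. Get-LocalUser ships with Windows PowerShell 5.1.

function Get-MachineSid {
    # Every local account SID is <machine SID>-<RID>; AccountDomainSid drops the RID.
    $account = Get-LocalUser | Select-Object -First 1
    return $account.SID.AccountDomainSid.Value
}

function Find-DuplicateSid {
    param([Parameter(Mandatory)][object[]]$Inventory)
    # Group the collected records by SID and keep only SIDs seen on more than one PC.
    $Inventory |
        Group-Object -Property MachineSid |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                MachineSid = $_.Name
                Computers  = ($_.Group.ComputerName | Sort-Object) -join ', '
            }
        }
}

# Run on each PC to produce one inventory record.
[pscustomobject]@{ ComputerName = $env:COMPUTERNAME; MachineSid = Get-MachineSid }

# Constructed sample inventory: PC-002 and PC-003 were cloned from the same image.
$inventory = @(
    [pscustomobject]@{ ComputerName = 'PC-001'; MachineSid = 'S-1-5-21-1111111111-2222222222-3333333333' }
    [pscustomobject]@{ ComputerName = 'PC-002'; MachineSid = 'S-1-5-21-4444444444-5555555555-6666666666' }
    [pscustomobject]@{ ComputerName = 'PC-003'; MachineSid = 'S-1-5-21-4444444444-5555555555-6666666666' }
)

# Lists each duplicated SID with the PCs that share it.
Find-DuplicateSid -Inventory $inventory
```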

2. Implementation flow

  1. Portal registration
    [Administrator Action] Register for the YubiOn Portal. After registration, purchase a paid plan (Standard or higher).
  2. Member registration / settings
    [Administrator Action] Register users (members) and set your YubiKey up through the YubiOn Portal.
  3. Installation
    [Administrator Action] Install the software on each PC.
  4. Service settings
    [Administrator Action] Configure the service settings for two-factor authentication.
  5. Start Using

3. YubiOn Portal registration

Skip this step if you have already registered.

3-1. New registration

Register your customer information through the YubiOn Portal registration page.

You will receive a confirmation email after registering.
Click the link in the email to confirm your registration.

3-2. First login

From the login screen, log in with your registered email address and password.
Enter the correct email address and password to log in to YubiOn Portal.

The first time you log in, the simple settings screen appears.

4. Simple settings

Skip this step if you've already done the simple settings.

4-1. YubiKey registration

Set your YubiKey up for login. Next time you log into the YubiOn Portal, you will require the YubiKey which you set up here.

4-2. Selection of settings

Click on "You do not configure your PC..." as this procedure does not configure the operator's own PC.

5. Switching to a paid plan

If you are already a paid plan customer, please skip this step.

The following explanation assumes the use of a paid plan.

6. Member registration

Register members (users) for the YubiOn Portal.

Click on “Member management” from the menu on the left side of the screen.

Click on the “Member Registration” icon.

In the member registration window, input the “ID/Member name/Email address/Password” to add a new member and click the “Register” button.

Click “OK” when a confirmation message is displayed.
Once the registration is complete, the added members will be displayed in the member list.


7. YubiKey assignment

YubiOn Portal provides two-factor authentication using YubiKey in addition to the ID and Password. In order for members of your organization to take advantage of the two-factor authentication, they must first be assigned a YubiKey.

From the member list, click on the member to whom a YubiKey will be assigned.

Click the “YubiKey Assignment” button.

Select the input field and plug the YubiKey you want to assign to the member into the USB port.

Tap the YubiKey to input the one-time password.

Click “OK” when a confirmation message is displayed.
When the assignment has been completed, the assigned YubiKeys will be displayed in the YubiKey list.


8. Setup

The following details the steps the administrator can follow to set up the PCs.
To set up two-factor authentication on a PC, one will need to install a Windows Logon Service application, henceforth referred to as Client Tools.

Before Use
Please be sure to check the system requirements before installing the software.
The installation requires Windows administrative privileges. Also, after the installation of the client tool, the PC may reboot. Save important files and close all applications before installation.


8-1. Software download

  1. From the menu on the left side of the screen, click the "PC" icon, then click "Download".
  2. Click the "Download" button. "WlsInstaller_x64.msi" or "WlsInstaller_x86.msi" will be downloaded.
    Save it to any location.
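Because the installation in 8-2 runs with administrator privileges and proceeds past a "More info" / "Run anyway" prompt, it is worth checking the downloaded file first. The following is an added example, not part of the YubiOn documentation; the function name, the download path and the expected publisher are assumptions, and the publisher placeholder must be replaced with the name confirmed by the vendor.

```powershell
# Added example (not vendor code): inspect the Client Tools installer before running it.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedPublisher   # placeholder value, see below
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }

    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $hash    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        File            = Split-Path -Leaf $Path
        Sha256          = $hash                 # record this to compare copies across PCs
        SignatureStatus = $sig.Status           # Valid, NotSigned, HashMismatch, ...
        Signer          = $subject
        Timestamped     = [bool]$sig.TimeStamperCertificate
        # Trusted only if the signature verifies AND the signer is the expected publisher.
        Trusted         = ($sig.Status -eq 'Valid') -and
                          ($subject -like "*CN=$ExpectedPublisher*")
    }
}

# Assumed download location; adjust to where the file was saved.
$installer = Join-Path $env:USERPROFILE 'Downloads\WlsInstaller_x64.msi'
$result = Test-InstallerSignature -Path $installer `
                                  -ExpectedPublisher '<PUBLISHER NAME CONFIRMED BY VENDOR>'
$result | Format-List

if (-not $result.Trusted) {
    Write-Warning 'Signature is missing, invalid, or from an unexpected publisher. Do not install.'
}
```

When the same installer is copied to several PCs, comparing the recorded SHA-256 value on each PC confirms that the file was not altered in transit.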

8-2. Software installations

Run "WlsInstaller_x86.msi" or "WlsInstaller_x64.msi".

The installation of the client application, which requires Windows administrator privileges or an administrator password, will start.

Click on "More info". Click the displayed "Run anyway" button.

Install

Read the software license agreement and check the "Agree" checkbox. Then, click on "Install". When the installation is complete, the completion screen will be displayed. When you exit with the "Launch configuration tool after the runtime installation is complete" checked, the configuration tool will automatically start.

Continue to install the required runtime.
At the User Account Control confirmation pop-up, click "Yes".
The installation of the required runtime will be started. After the runtime is installed, a pop-up will appear prompting you to reboot.

Click "Yes" on the confirmation message. The PC will be rebooted and the client tool installation will be completed.

If you don’t want the user to uninstall it
The optional function “Uninstall Control” can be used to hide the software from the list of installed applications and prevent uninstallation.

Please contact us for more information on using the “Uninstall Control” option.


8-3. PC setup

Start the client tool from the Start menu.
Skip this step if you already have the client tool running.
In the "Email Address" and "Password" fields, enter the email address and password that you used to register for the YubiOn Portal. Plug the registered YubiKey into the USB port.
Select the "OTP" field and tap on the YubiKey to enter your one-time password.
After entering the information, the setting screen will appear.


  1. Click "Assign accounts and authenticators" in the configuration tool you just launched.
  2. Click the "Register" button.
  3. Select "Account", "Member" and "Authenticator" and click the "OK" button.
  4. Click the "OK" button on the Setup Complete pop-up.
  5. Click "Exit" to close the configuration tool.

8-4. Distribute YubiKey to users

After completing PC setup, distribute YubiKeys to your users.

Check before YubiKey distribution
Prior preparation is required to enable offline authentication of the PC.
Before distributing the YubiKeys to users, please refer to the YubiKey offline settings to configure the YubiKeys.

If you are setting up multiple people’s PCs, repeat steps 6 - 8 for all required users.

This concludes the set up.

9. Service settings

In the service configuration screen, configure the settings for the two-factor authentication service.

9-1. General service settings

Click the "PC" icon from the menu on the left side of the screen.
Click on "Service setting".
Configure the following settings to match your security policy.

| No. | Configuration items | Configuration Contents | Default |
|-----|---------------------|------------------------|---------|
| 1 | Cache logon expiration date | The number of days available for offline authentication. | Disabled |
| 2 | Screen lock | Lock the screen when the YubiKey is unplugged. | Disabled |
| 3 | Forced YubiKey logon | Make logging onto the PC with YubiKey mandatory. | Disabled |
| 4 | Authentication failure lock | Locks the PC after a certain number of failed log on attempts. It can also be used to unlock the PC only after a certain amount of time has elapsed. | Disabled |
| 5 | Automatic email notification | Email notifications when there is a change in PC status or service settings. | Enabled / Representative |

In the initial view of the service settings, "Default Policy" is selected.
This step is based on the "Default Policy".



9-2. Cache logon settings

Setting an expiration date for offline authentication allows you to log on offline for a specified number of days from the date of the last successful PC logon. If disabled, you will not be able to log on in environments without a network connection.

  1. Click the "Enable" radio button.
  2. Enter the expiration date.
    For free use, only one day can be set up.
  3. Click the "Update" button.

9-3. Screen lock settings

With screen lock enabled, you can lock the screen automatically when you unplug the YubiKey from the PC's USB port.

  1. Check the "Lock screen when unplugging YubiKey" checkbox.
  2. Click the "Update" button.

9-4. Forced YubiKey logon settings

Set the PC to enforce logon using YubiKey when logging on.

  1. Check the "Force a logon using YubiKey" checkbox.
  2. Click the "Update" button.

9-5. Authentication failure lock settings

Set up your PC to enforce logon using YubiKey when logging on.

  1. If the Authentication failure lock setting is enabled, it is possible to prohibit a terminal from logging on after a certain number of failed logon attempts.
  2. Click the "Update" button.

9-6. Unlock settings after an authentication failure lock

  1. Check the "After authentication failure lock, unlock at a certain time" checkbox.
  2. Enter the time (in minutes) after which the PC can be unlocked.
  3. Click the "Update" button.

9-7. Automatic email notification settings

When there is a change in the status of the PC or in the service settings, the members registered in the notification settings are notified automatically by email. By default, the representative is set as the recipient of the notification.

  1. Click the settings icon in the top right corner of the service settings screen, and then click "Email notification settings".
  2. Toggle the notification settings to enable/disable.
  3. Check the items to receive notifications for.
  4. Click the "Update" button.

10. Operational confirmation

Check whether the user's PC successfully reflects the settings of the group policy.

From the menu on the left side of the screen, click the "PC" icon and then click "Service setting".

10-1. Group policy reflection confirmation

A group policy has one of three statuses: "Reflected", "Unreflected", and "Old policy is reflected".

The following is the procedure to confirm the group policy.

  1. Click on the group policy you wish to review.
  2. Click on the "PC list" tab.
  3. Click on the pull-down under "Status."
    Next, click on "Unreflected".
  4. A list of PCs to which the group policy has not yet been applied is displayed. The "Unreflected" status is indicated by an "X" mark.

The installation procedure is described above.

11. Additional Information


11-1. Two-factor authentication method for YubiOn Portal site

During login to the YubiOn Portal using two-factor authentication, the member's email address, password, and YubiKey are required.

  1. Access the login page.
    Enter your email address in the email address field and click the Confirm button.
  2. Enter the password in the password field.
  3. Plug the YubiKey into the USB port.
  4. Click the YubiKey input field and tap the YubiKey. *The YubiKey's one-time password will be entered automatically and the user will be logged in.
  5. After logging in, the "Dashboard" will be displayed.