MFA: Setting up YubiKey for Microsoft Authentication

Summary

This article provides instructions for setting up Multi-Factor Authentication (MFA) for your USNH Microsoft (M365) account via a YubiKey security key. A YubiKey is a physical security key that enables strong multi-factor authentication into a variety of systems. Enterprise Technology & Services recommends YubiKeys in situations where a phone (either phone call or text message) or an authenticator app is not an option.

We recommend that you consult the YubiKey Facts & Purchasing Guide for information on where to buy a YubiKey. Additionally, YubiKey offers an online quiz for selecting the right YubiKey for your needs at: https://www.yubico.com/quiz/

Product Quick Facts:

  • YubiKeys are small USB devices that are inserted into a desktop or laptop computer USB port / Lightning connector
  • Pressing the top or side button on the YubiKey generates and automatically enters a passcode on MFA prompts
  • YubiKey 5 series keys meet Microsoft’s Modern Authentication hardware requirements

 

IMPORTANT:  Before beginning the steps below, you must complete the initial set up of your YubiKey per the manufacturer's instructions at: https://www.yubico.com/setup/ 

 

Choose the option you prefer:

Note: These instructions were created using a YubiKey 5C NFC (both FIPS and non-FIPS). Other current YubiKey models should work, but they may have a slightly different registration process.

 

How-To

Task: To set up Multi-factor Authentication (MFA) for your USNH Microsoft account using a YubiKey (security key) without other MFA methods - requires calling the Help Desk first

 

IMPORTANT: ET&S strongly recommends that you set up one or more backup MFA methods to use if your YubiKey is lost or stolen.

The YubiKey MFA registration process requires that you first validate who you are via a confirmation code. If you plan to add multiple MFA methods, we recommend you add those other methods first. Once you have another sign-in method(s), such as a phone and/or the Microsoft authenticator app, you can go ahead and self-register your YubiKey without needing to call the Help Desk.

If you do not have any other MFA methods available, proceed with these instructions to set up your YubiKey with the assistance of the Help Desk.

 

Instructions

Note: These instructions assume you are using a computer and have your YubiKey ready. They also assume that you have completed the initial setup of your YubiKey per the manufacturer's instructions.

Step 1 - Call the Technology Help Desk to obtain a Temporary Access Pass, also known as a One Time Passcode (OTP).  

  • KSC: (603) 358-2532
  • PSU: (603) 535-2929
  • UNH/USNH: (603) 862-4242

Step 2 - After the One Time Passcode (OTP) has been issued to you, on your computer, go to: myaccount.microsoft.com 

Step 3 - Click on UPDATE INFO in the Security info tile.

Security info box with "UPDATE INFO" link

 

Step 4 - You should see Temporary access pass (One Time Passcode) listed in your Security info profile. Click Add sign-in method.  

Security info screen with option for "Temporary access pass" 

Step 5 - Click the Choose a method drop down and select Security key

Add a method > choose "Security key"

 

Step 6 - Click Add then Next

Security key box, click "Next"

 

Step 7 - Under Verify your identity, click Use Temporary Access Pass

Verify your identity > Use Temporary Access Pass

 

Step 8 - Enter the Temporary Access Pass (OTP) that you received from the Help Desk in Step 1 and click Next

Enter Temporary Access Pass

 

Step 9 - Under Security key, select USB device for YubiKey 5C NFC (both FIPS and non-FIPS).

Choose the type of security key that you have: USB device or NFC device.

 

Step 10 - Have your YubiKey ready.  Click Next

Have your security key ready then click Next.

 

Step 11 - When prompted, plug your YubiKey into the USB port, then touch the button or sensor on your YubiKey.

Step 12 - A browser pop-up should appear where you must create a YubiKey PIN. Type the PIN you want in the blank and click Next.

Note: This is a PIN that you create. Keep it safe and do not share it with anyone. If you lose or forget your YubiKey PIN, you will have to work with the YubiKey Manager application to reset your PIN, or work with the YubiKey manufacturer directly. ET&S has no access to assist with lost YubiKey PINs. This is why ET&S strongly recommends you have an alternate method(s) set up for MFA.

PIN required - create a PIN and type it in the blank then click Next.

 

Step 13 - When prompted, touch your YubiKey again to complete the request.

touch your security key

 

Step 14 - Click Allow to allow this site to see your security key.

Allow this site to see your security key? Click "Allow"

 

Step 15 - Name your Security key, then click Next.

Name your security key then click Next

 

Step 16 - Success - you're all set!  Click Done.

Security key - you're all set

 

Outcome

The Security info tab should now display Security key as a sign-in method.  You can now use your YubiKey for MFA for M365 when required.

Security info tab with "Security key" listed

 


 


Task: YubiKey Self-registration - To set up Multi-factor Authentication (MFA) for your USNH Microsoft account using a YubiKey (security key) in addition to other MFA methods - requires having at least one additional MFA sign-in method such as phone and/or authenticator app

 

IMPORTANT: Associating your YubiKey with your USNH Microsoft account requires that you first set up a phone number or the Microsoft Authenticator app as the primary method of MFA. This is because the YubiKey MFA registration process must first validate who you are by sending a confirmation code to initiate the setup.

Once the YubiKey is set up, you may choose to remove the phone or authenticator app from your sign-in methods. However, ET&S strongly recommends that you keep one or more backup MFA methods to use if your YubiKey is lost or stolen.

If you do not have any other MFA methods available, see the instructions above to set up MFA using a YubiKey (security key) without other MFA methods - requires calling the Help Desk first.

 

Instructions

Note: These instructions assume you are using a computer and have your YubiKey ready. They also assume that you have completed the initial setup of your YubiKey per the manufacturer's instructions.

Step 1 - On your computer, go to: myaccount.microsoft.com 

Step 2 - Click on UPDATE INFO in the Security info tile

Security info box with "UPDATE INFO" link

 

Step 3 - Click Add sign-in method

Security info with list of MFA sign-in methods and link to "Add sign-in method"

 

Step 4 - Click the Choose a method drop down and select Security key

Add a method > choose "Security key"

 

Step 5 - Click Add then Next

Security key box, click "Next"

 

Step 6 - You will be prompted to sign into your USNH M365 account.  Use your existing MFA method to approve the sign in when asked.

Step 7 - Continue from Step 9 in the instructions above to complete the YubiKey registration process.

 

Outcome

The Security info tab should now display Security key as a sign-in method.  You can now use your YubiKey for MFA for M365 when required.


 

Further Readings

MFA: Setting up Multi-Factor Authentication (MFA) for M365

MFA: Adding Backup Multi-Factor Authentication (MFA) Methods

MFA: YubiKey Facts & Purchasing Guide

YubiKey Selection Quiz 

 

Need additional help?

Visit the Technology Help Desk Support page to locate your local campus contact information or to submit an online technology support request.  For password issues you must call or visit the Help Desk in person.