Validating a Yubico YubiKey’s One Time Password (OTP) using Single Factor Authentication and PowerShell

Multi-factor Authentication comes in many different formats. Physical tokens have historically been very common and, with the FIDO v2 standards, will likely continue to be so for the many security scenarios where soft tokens (think Authenticator Apps on mobile devices) aren’t possible. Yubico YubiKeys are physical tokens with a number of properties that make them desirable. They don’t use a battery (so aren’t limited to the life of the battery), they come in many differing formats (NFC, USB-3, USB-C), can hold multiple sets of credentials and support open standards for multi-factor authentication. You can check out the Yubico YubiKeys range of tokens here.

Yubico YubiKeys ship preconfigured so that they can be validated against YubiCloud. Before we configure them for a user I wanted a quick way to validate that the YubiKey was valid. You can do this using Yubico’s demo webpage here but for other reasons I needed to write my own. There weren’t any PowerShell examples anywhere, so now that I’ve worked it out, I’m posting it here.

Prerequisites

You will need a YubiKey. You will need to register and obtain a Yubico API Key using a YubiKey from here.

Validation Script

Update April 2020: Immediately below is version 1 of the script from March 2018. I recently tried reusing the script and made some updates. Version 2 is further below.

Update line 2 of the following script with the ClientID that you received after registering against the Yubico API above.

Version 2 of the Validation Script

Below is version 2 of the validation script created in April 2021. Just like the version 1 script, update it with your Yubico API Key (Line 4). The main changes are the use of Invoke-RestMethod for the validation rather than Invoke-WebRequest, and simplified parsing of the response.

Running the script validates that the key is valid.

Yubico Yubikeys validation success

Re-running the submission of the same key (i.e. I didn’t generate a new OTP) gets the expected response that the Request is Replayed.

Yubico Yubikeys Validation Failed
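
The validation flow described above, as an added example (it is not the author's version 1 or version 2 script, neither of which is reproduced on this page). It goes beyond a status check by also confirming that the reply echoes the submitted OTP and nonce and that its HMAC-SHA1 signature verifies under the API key. The function name `Test-YubiKeyOtp`, the placeholder credentials and the YubiCloud protocol 2.0 verify endpoint are assumptions of this example.

```powershell
# Added example, not the author's script. <CLIENT_ID> / <API_KEY_BASE64> are placeholders.
function Test-YubiKeyOtp {
    param(
        [Parameter(Mandatory)][string]$Otp,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$ApiKey    # base64 secret issued with the client ID
    )
    # A YubiKey OTP is 32-48 modhex characters; refuse anything else before sending it.
    if ($Otp -cnotmatch '^[cbdefghijklnrtuv]{32,48}$') { throw 'OTP is not 32-48 modhex characters' }

    # A fresh nonce (16-40 alphanumerics) binds the reply to this request.
    $nonce = [guid]::NewGuid().ToString('N')
    $uri   = "https://api.yubico.com/wsapi/2.0/verify?id=$ClientId&otp=$Otp&nonce=$nonce"
    $body  = Invoke-RestMethod -Uri $uri -Method Get

    # The reply is plain "key=value" lines; split on the first '=' only (base64 padding).
    $fields = @{}
    foreach ($line in ($body -split "`r?`n")) {
        if ($line -match '^([^=]+)=(.*)$') { $fields[$Matches[1]] = $Matches[2].Trim() }
    }

    # Recompute HMAC-SHA1 over the key-sorted fields (all except h), joined with '&'.
    [string[]]$keys = @($fields.Keys | Where-Object { $_ -ne 'h' })
    [Array]::Sort($keys, [StringComparer]::Ordinal)
    $message = ($keys | ForEach-Object { "$_=$($fields[$_])" }) -join '&'
    $hmac = [System.Security.Cryptography.HMACSHA1]::new([Convert]::FromBase64String($ApiKey))
    try {
        $expected = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($message)))
    } finally { $hmac.Dispose() }

    $signed = $expected -ceq $fields['h']
    $echoed = ($fields['otp'] -ceq $Otp) -and ($fields['nonce'] -ceq $nonce)
    [pscustomobject]@{
        Status         = $fields['status']   # OK, REPLAYED_OTP, REPLAYED_REQUEST, BAD_OTP, ...
        SignatureValid = $signed
        EchoMatches    = $echoed
        Valid          = ($fields['status'] -ceq 'OK') -and $signed -and $echoed
    }
}

# Usage: Test-YubiKeyOtp -Otp (Read-Host 'Touch the YubiKey') -ClientId '<CLIENT_ID>' -ApiKey '<API_KEY_BASE64>'
```

Treat the OTP as accepted only when `Valid` is true; a reply with `status=OK` whose signature or echoed nonce does not match should be rejected.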

Summary

Using PowerShell we can negate the need to leverage any Yubico client libraries and validate a YubiKey against YubiCloud.