Multi-factor Authentication comes in many different formats. Physical tokens historically have been very common and moving forward with FIDO v2 standards will likely continue to be so for many security scenarios where soft tokens (think Authenticator Apps on mobile devices) aren’t possible. Yubico YubiKeys are physical tokens that have a number of properties that make them desirable. They don’t use a battery (so aren’t limited to the life of the battery), they come in many differing formats (NFC, USB-3, USB-C), can hold multiple sets of credentials and support open standards for multi-factor authentication. You can checkout the Yubico YubiKeys range of tokens here.
Yubico YubiKeys ship with a configuration already configured that allows them to be validated against YubiCloud. Before we configure them for a user I wanted a quick way to validate that the YubiKey was valid. You can do this using Yubico’s demo webpage here but for other reasons I needed to write my own. There wasn’t any PowerShell examples anywhere, so now that I’ve worked it out, I’m posting it here.
Prerequisites
You will need a Yubikey. You will need to register and obtain a Yubico API Key using a Yubikey from here.
Validation Script
Update April 2020 Immediately below is version 1 of the script from March 2018. I recently tried reusing the script and made some updates. Version 2 is further below.
Update the following script to change line 2 for your ClientID that you received after registering against the Yubico API above.
Version 2 of the Validation Script
Below is version 2 of the validation script created in April 2021. Just like the version 1 script, update it with your Yubico API Key (Line 4). The main change is to use Invoke-RestMethod for the validation rather than Invoke-Webrequest, and simplified parsing of the response.
Running the script validates that the Key if valid.
Re-running the submission of the same key (i.e I didn’t generate a new OTP) gets the expected response that the Request is Replayed.
Summary
Using PowerShell we can negate the need to leverage any Yubico client libraries and validate a YubiKey against YubiCloud.