Keys (Hardware Keys) Page
Keys

Add and manage Hardware Keys for users through this page.
If your organization uses them, you can add supported Hardware Keys and associate them with your users through this page.

Select whether you are adding a single key or doing a batch upload via CSV.
Select the type of key and enter the information.
Associate the key to the correct user and click save at the bottom.
Using Hardware Keys with Evo
We support hardware keys that generate a token (not biometric based), or a One-Time Password (OTP). More precisely, we support hardware keys that are either TOTP or HOTP based.
What current Hardware Keys does Evo Support?
We currently support Yubikey (5 series including FIPS) and FEITIAN (30-second TOTP) keys.
What is OTP?
OTP or One-Time Password is often used in combination with a regular user account and password as an additional security layer for authentication.
An OTP can be retrieved by a mobile (smartphone) application, such as the Evo Secure Login app. A user can also retrieve an OTP from a hardware key, or key fob.
SHA-1 is just one industry-standard algorithm that is used to generate an OTP. No matter which algorithm is used, they all require two inputs to generate an OTP code: (1) a seed and (2) a moving factor.
The seed is a static value, or secret key, that gets created when you establish a new account with an authentication server. The seed doesn't change, as it is tied to your user, whereas the moving factor changes each time a new OTP is requested.
What is TOTP?
TOTP, or Time-Based One-Time Password, uses a seed that is static and, as you'd expect from the name, a moving factor that is time-based.

The amount of time a TOTP is valid is based on the timestep, which is commonly 30 seconds long. If the password is not used within the time window, a new password must be requested.
What is HOTP?
HOTP, or Hash-based Message Authentication Code (HMAC)-based One-Time Password, is an event-based OTP.
Each time an HOTP code is requested and validated, the moving factor is incremented based on a counter. The code generated for HOTP is valid until a new code is requested and has been validated by the server.

Based on this, the hardware key generator and server are synced each time a code is requested and validated.
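The seed and moving factor described above, worked through as an added example (not Evo's own code): HOTP per RFC 4226 and TOTP per RFC 6238 with SHA-1, 6 digits and a 30-second timestep. The seed is the public RFC test value, and the `verify_hotp` look-ahead window is an assumption about how a server might stay in sync with the key's counter.

```python
import hashlib
import hmac
import struct

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(seed: bytes, unix_time: int, timestep: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose moving factor is the count of elapsed timesteps."""
    return hotp(seed, unix_time // timestep, digits)

def verify_hotp(seed: bytes, code: str, server_counter: int, look_ahead: int = 3):
    """Return the next counter to store if the code matches, else None.

    The look-ahead tolerates codes generated on the key but never submitted.
    Storing the returned counter is what makes an already-used code fail.
    """
    for counter in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(seed, counter).encode(), code.encode()):
            return counter + 1
    return None

SEED = b"12345678901234567890"  # RFC 4226 test seed, never a real key secret

if __name__ == "__main__":
    print("HOTP, counter 0..2:", [hotp(SEED, c) for c in range(3)])
    print("TOTP at t=59s:", totp(SEED, 59))
    stored = verify_hotp(SEED, hotp(SEED, 2), server_counter=0)
    print("server counter after accepting counter-2 code:", stored)
    print("replay of counter-1 code:", verify_hotp(SEED, hotp(SEED, 1), stored))
```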
Yubikey Setup
Evo supports the use of Yubikey HardKeys, but those keys must be OATH-HOTP compatible. A very popular brand that is OATH-HOTP compatible is Yubico with their Yubikey 5 models. This guide will help you configure your Yubikey for Evo so that you can use the hardware key for your 2FA/MFA purposes.
NOTE: Using the YubiKey Personalization tool can and will overwrite previous configurations already set on your Yubikey.
1. First, determine if your Yubikey is OATH-HOTP compatible. There are multiple ways to do this on the Yubico website, however a necessary step in configuring your Yubikey will be using the Yubikey Personalization Tool. Download it from here - https://www.yubico.com/support/download/yubikey-personalization-tools/
2. Once downloaded, plug your Yubikey in and run the tool. It should look something like this:

On the bottom right on the side panel, you should notice the OATH-HOTP option with a green check. This lets you know if your device is compatible.
3. With your device still plugged in and the tool running, select the OATH-HOTP option at the top bar. Select the "Quick" Mode.

4. You will now be in the OATH-HOTP Mode for setup, and the screen should look like this:

5. Now, let's set it up!
- Select configuration slot 1. Current functionality only maps to configuration slot 1.
- Uncheck "OATH Token Identifier". It is not used by Evo and will cause errors.
- Make sure 6 digits is selected.
- Unhide your Secret key. This key will be used on the Evo Portal soon, and you'll need to copy/paste it. Feel free to regenerate it if you wish.
- Once all options are properly configured, click "Write configuration" to write this to the selected configuration slot.
Keep this tool open, it's time to head to your Evo Portal!
1. Log-in to your Evo Portal
2. Click on "My Company" (or select the customer you wish) and choose "Keys".
3. Once on the "Keys" page, select "Add New Keys"
4. Select "Manual"
5. You will now be presented with this window:

Let's use what we have from the Yubikey Personalization Tool to set this up:
- For Key type, make sure HOTP is selected!
- For Serial number, notice that the right side of the Yubikey Personalization Tool shows the serial number in Decimal, Hex, and Modhex. Copy/paste the Decimal version.
- For Key Secret, copy the Secret Key from the Personalization Tool and paste it. Notice that it will copy/paste with spaces. You must remove the spaces in order to properly configure this. Failure to do so will result in the token not being saved.
- Select the directory where the user exists that you wish to attach the Yubikey to.
- Finally, select the user to assign the key to.
- Click "Assign Key to User"
Voila! You have successfully configured a Yubikey to work with your Evo user! When you authenticate, whether through the portal or our credential provider, you can now use the OTP generated from your hard key for 2FA/MFA!
FEITIAN Hard Keys Setup
Evo now supports the use of FEITIAN Hard Keys (c200 I34 model) for authentication! This was tested and confirmed using the c200 (I34) 30-second TOTP keys, however other keys by this manufacturer should work pending the following:
- The keys are TOTP
- The keys are 6-digit codes
- The keys are 30-second interval
- The keys come with a serial number and a secret
Before you upload the keys, all users to be assigned a key must have an Evo account. If the user doesn’t exist, be sure to add them as an Evo Cloud user or connect them with your directory of choice (Active Directory (On-Prem or Azure), or Google Workspace).
How to add a single key
Adding a single key is great if you have a new key to assign to a user.
To upload a single key, you must have the secret and serial number in front of you. Additionally, the user must have an account under your instance of Evo.
TIP: To confirm you’re entering the correct key secret, click the eye in the field to see what you’re typing in plain text. Clicking the eye again will hide the detail entered in the field.
- From the left nav menu, select My Company. Alternatively, select Customers and choose a customer from the list.
- From the side navigation, click Keys.
- Click Add New Keys.
- Click Add Single Key Manually.
- Select the key type – TOTP or HOTP.
- Enter in the key serial number.
- Enter in the key secret.
- Select the directory the user has been associated with.
- Enter and select the email address for the user.
- Click Assign Key to User.
That should be it! The next time the user goes to log-in on the portal or the Evo Credential Provider, the user can now use the 6 digit code displayed on the hard key!

How to add keys in bulk
Bulk uploads of keys can be done with a CSV file.
The CSV must contain 4 points of data:
- SecretKey: Each key will have a unique secret.
- SerialNumber: Each key will have a unique serial number.
- Type: TOTP or HOTP
- UserEmail: Email address of the user who has been or who will be assigned the key. The user must have an account under your instance of Evo.
The CSV file must have a header row. If the header row is missing, the first record will be ignored in the upload. A template is available for download at the bottom of the article.
SecretKey,Type,SerialNumber,UserEmail
1234-5678,TOTP,3456-7890,aberdeen@samplemsp.com
4567-8901,HOTP,1029-3948,baldwin@samplemsp.com
If you have many keys to upload, we recommend breaking the files down to contain no more than 500 keys per file. Each file will need to be uploaded individually.
- From the left nav menu, select My Company. Alternatively, select Customers and choose a customer from the list.
- From the side navigation, click Keys.
- Click Add New Keys.
- Click CSV Upload.
- Click the upload image.
- Browse to the location the CSV file is stored and select it.
- Skip if the correct file has been uploaded. If you have selected the wrong file to upload, hover over the file name and click the trashcan to delete. Repeat steps 7 & 8 to upload the correct file.
- Click Complete Key Upload.
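A pre-upload check for the bulk CSV described above, as an added example (not an Evo tool). It enforces the header row, the four columns, the TOTP/HOTP type and the 500-key recommendation from this article; the whitespace, duplicate and email checks are assumptions carried over from the manual-entry guidance, and problems are reported by line number so secrets never reach a log.

```python
import csv
import io

REQUIRED = ["SecretKey", "Type", "SerialNumber", "UserEmail"]
MAX_KEYS = 500  # per-file limit recommended in the article

def check_key_csv(text):
    """Return a list of problems, citing line numbers only (never a secret)."""
    reader = csv.DictReader(io.StringIO(text))
    if sorted(reader.fieldnames or []) != sorted(REQUIRED):
        return ["line 1: header row missing or wrong, expected " + ",".join(REQUIRED)]
    problems, serials, secrets, count = [], set(), set(), 0
    for row in reader:
        line, count = reader.line_num, count + 1
        # DictReader marks short rows with None values and long rows with a None key.
        if None in row or any(row[k] is None for k in REQUIRED):
            problems.append(f"line {line}: wrong number of columns")
            continue
        secret, serial = row["SecretKey"], row["SerialNumber"].strip()
        if not all(row[k].strip() for k in REQUIRED):
            problems.append(f"line {line}: empty field")
        if row["Type"].strip() not in ("TOTP", "HOTP"):
            problems.append(f"line {line}: Type must be TOTP or HOTP")
        if any(ch.isspace() for ch in secret):  # assumption: spaces break the import
            problems.append(f"line {line}: SecretKey contains whitespace")
        if "@" not in row["UserEmail"]:
            problems.append(f"line {line}: UserEmail is not an email address")
        if serial in serials:
            problems.append(f"line {line}: duplicate SerialNumber")
        if secret in secrets:
            problems.append(f"line {line}: duplicate SecretKey")
        serials.add(serial)
        secrets.add(secret)
    if count > MAX_KEYS:
        problems.append(f"{count} keys in file, split into files of {MAX_KEYS} or fewer")
    return problems

# The article's sample file, then a constructed file with deliberate mistakes.
GOOD = ("SecretKey,Type,SerialNumber,UserEmail\n"
        "1234-5678,TOTP,3456-7890,aberdeen@samplemsp.com\n"
        "4567-8901,HOTP,1029-3948,baldwin@samplemsp.com\n")
BAD = ("SecretKey,Type,SerialNumber,UserEmail\n"
       "1234 5678,TOTP,3456-7890,aberdeen@samplemsp.com\n"
       "4567-8901,U2F,3456-7890,baldwin@samplemsp.com\n")

if __name__ == "__main__":
    print(check_key_csv(GOOD))
    print("\n".join(check_key_csv(BAD)))
```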
How to disable a key
It is best practice to disable keys that are not currently in use, including those that could have been misplaced. This helps to ensure that it no longer functions for anyone who might have recovered it.
Disabling a key will, as expected, prevent it from being used for authentication purposes. If the key is to be used again, it will need to be re-enabled and, if appropriate, assigned to a new user.
- From the left nav menu, select My Company. Alternatively, select Customers and choose a customer from the list.
- From the side navigation, click Keys.
- In the displayed list of keys, find the ones you want to disable. Check the box at the beginning of each row.
- Click the actions menu located above the table.
- Click Disable.
How to enable a key
Keys should be enabled if they are assigned to a user and are actively being used. If the key has been misplaced, or the user is no longer a member of your organization, we recommend that the key is unassigned from the user, disabled or deleted altogether.
- From the left nav menu, select My Company. Alternatively, select Customers and choose a customer from the list.
- From the side navigation, click Keys.
- In the displayed list of keys, find the ones you want to enable. Check the box at the beginning of each row.
- Click the actions menu located above the table.
- Click Enable.
How to delete a key
It is best practice to delete a key that has been misplaced. If it is ever located, you can very easily add it back in for future assignment.
Deleting keys cannot be undone.
- From the left nav menu, select My Company. Alternatively, select Customers and choose a customer from the list.
- From the side navigation, click Keys.
- In the displayed list of keys, find the ones you want to delete. Check the box at the beginning of each row.
- Click the actions menu located above the table.
- Click Delete.