.. _yubikey_token: Yubikey ------- .. index:: Yubikey, Yubico AES mode As Yubikey token type, eduMFA refers to Yubico's own AES mode. A Yubikey, configured in this mode outputs a 44 character OTP value, consisting of a 12 character prefix and a 32 character OTP. But in contrast to the :ref:`yubico_token` Cloud mode, in this mode the secret key is contained within the token and your own eduMFA installation. If you have the time and care about privacy, you should prefer the Yubikey AES mode over the :ref:`yubico_token` Cloud mode. There are several possible ways to enroll a Yubikey token in eduMFA. We describe the methods in :ref:`yubikey_enrollment_tools`. Redirect API URLs to /ttype/yubikey ................................... To have a service query not the Yubico Cloud URL, but the eduMFA endpoint ``/ttype/yubikey``, you sometimes need to redirect the default API URL via the local webserver. Yubico servers use ``/wsapi/2.0/verify`` as the path in the validation URL. Some tools (e.g. Kolab 2FA) let the user/admin change the API host, but not the rest of the URL. To redirect the API URL to eduMFA's endpoint ``/ttype/yubikey``, you'll need to enable the following two lines in ``/etc/apache2/site-enabled/edumfa.conf``:: RewriteEngine on RewriteRule "^/wsapi/2.0/verify" "/ttype/yubikey" [PT] If you use nginx there is a similar line provided as a comment to the nginx configuration as well. .. rubric:: Footnotes .. [#ykotp] https://developers.yubico.com/OTP/OTPs_Explained.html