1210783 - Unclear whether YubiAES is supported for YubiKey enrollment on login.mozilla.com

Status: RESOLVED WONTFIX

(Websites :: login.mozilla.com, defect)

Description

[Ed Morley [:emorley]]

I've just received a YubiKey for use with MozillaVPN.

On https://login.mozilla.com/enroll_yubikey it only lists instructions for how to set up the YubiKey with OATH-HOTP mode, whereas this page mentions YubiAES can be used instead:
https://mana.mozilla.org/wiki/pages/viewpage.action?pageId=40049559

If using YubiAES is possible, could we update the instructions on https://login.mozilla.com/enroll_yubikey ?
(and related, I've filed https://github.com/mozilla-it/duo_openvpn/issues/9)

Alternatively if not, could someone who has access edit the mana page above.

Thanks :-)

(It's also not clear whether these type of bugs belong in "Enterprise Information Security::General" or "Infrastructure & Operations::Infrastructure: OpenVPN" - the deps of bug 1201193 have been in a mixture of components)

Comment 1

[Rob Tucker [:rtucker]]

I don't know anything about YubiAES or if it will work. I do not have a device that supports it.

Comment 2

[:Atoll]

I believe "YubiAES" is a mistaken form of "YubiKey" native auth, as in the Yubi standard thing that's in the first slot by default.

I have a YubiKey configured using Yubi native auth in my Duo account already, using login.mozilla.com 'Enroll new device' -> 'Yubikey' option.

So you can do that instead of OATH-HOTP mode. You'll probably have to provide the necessary values from the Yubi tool yourself. I don't know if we have any docs for that or not.

Comment 3

[Rob Tucker [:rtucker]]

login.mozilla.com supports webauthn via Duo. Going to close this out as webauthn is the direction we wish to go.