Tutorial: Use TOTP Hardware Tokens for MFA (RFC 6238) in Access Server (YubiKey)

Abstract

Use hardware tokens such as YubiKey for TOTP-based multi-factor authentication (MFA) in OpenVPN Access Server. Learn how to enable MFA and enroll a hardware token for a secure user login.

Overview

This tutorial shows how to use hardware tokens, such as YubiKey 5 NFC, Protectimus Slim NFC, or Token2, for multi-factor authentication (MFA) in Access Server using time-based one-time passwords (TOTP).

You'll enable TOTP MFA in Access Server and enroll a hardware token as the authenticator.

Prerequisites

  • A hardware token that supports TOTP (for example, YubiKey 5 NFC).

  • Yubico Authenticator installed on your device (Windows, macOS, iOS, or Android).

    Note

    This guide uses YubiKey as an example. If you use another token, such as Protectimus or Token2, refer to the vendor's documentation for setup instructions.

TOTP MFA isn't enabled by default. You can enable it globally, per group, or per user. Refer to the steps for your preferred method:

Important

TOTP MFA works with local, RADIUS, LDAP, and PAM authentication. It doesn't work with SAML or PAS-only authentication.

Enroll the hardware token

  1. Sign in to the Client Web UI.

  2. When prompted, note the QR code and enrollment code.

  3. Open the Yubico Authenticator.

  4. Insert or connect your hardware token so it's detected.

  5. Click Add account.

  6. Scan the QR code or enter the enrollment code manually.

  7. Confirm the account details, then click Save.

  8. Enter the six-digit code shown in the authenticator.

  9. Click Confirm Code.

    • The hardware token is enrolled as a TOTP authenticator.

    • The user account now requires a one-time password during login.

Test the connection

  1. Download or use an existing connection profile.

  2. Import it into OpenVPN Connect.

  3. Start a connection.

  4. When prompted, enter the six-digit code from the Yubico Authenticator.

    • Pass: Connection succeeds and displays connection statistics.

    • Fail: Authentication fails → verify that TOTP MFA is enabled and that the token is enrolled correctly.
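To make the enrollment and login steps above concrete, here is an added worked example of RFC 6238 TOTP in Python. It is not code from OpenVPN Access Server or Yubico: it parses the kind of otpauth:// URI a TOTP enrollment QR code encodes, derives the six-digit code an authenticator such as Yubico Authenticator would display for a given time, and shows a server-side check with a one-step clock-skew window, constant-time comparison and replay rejection. The otpauth URI is a constructed sample, and its secret is the RFC 6238 Appendix B test key (ASCII "12345678901234567890" in base32), so the generated codes can be checked against the RFC's published vectors; the label "Access Server:alice" is a placeholder, not a real account.

```python
"""RFC 6238 TOTP walk-through: decode an enrollment QR code's otpauth:// URI,
generate the six-digit code an authenticator would display, and verify it
server-side with a small clock-skew window and replay protection."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: what an enrollment QR code typically encodes. The secret is
# the RFC 6238 Appendix B test key (ASCII "12345678901234567890") in base32, so the
# codes below can be checked against the RFC's published vectors. Not a real account.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Access%20Server:alice"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Access%20Server&digits=6&period=30"
)

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth_uri(uri):
    """Return label, base32 secret and parameters from an otpauth://totp/ URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI is missing the secret parameter")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def decode_base32_secret(secret):
    """Base32-decode a shared secret; tolerates missing padding, spaces and lowercase
    (manual enrollment codes are often shown in spaced groups)."""
    cleaned = secret.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(key, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key, unix_time, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / period)."""
    return hotp(key, int(unix_time) // period, digits, algorithm)


class TotpVerifier:
    """Server-side check: accept the current step or one either side (clock skew),
    compare in constant time, and never accept a step that was already consumed."""

    def __init__(self, key, period=30, digits=6, algorithm="SHA1", window=1):
        self.key, self.period, self.digits = key, period, digits
        self.algorithm, self.window = algorithm, window
        self.last_used_step = -1  # highest step consumed by a successful login

    def verify(self, code, unix_time):
        if len(code) != self.digits or not code.isdigit():
            return False
        current = int(unix_time) // self.period
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_used_step:
                continue  # replay of an already-consumed (or older) step
            candidate = hotp(self.key, step, self.digits, self.algorithm)
            if hmac.compare_digest(candidate, code):
                self.last_used_step = step
                return True
        return False


def enrollment_walkthrough(uri=SAMPLE_OTPAUTH_URI, unix_time=59):
    """Tie the steps together: parse the QR payload, derive the code, verify it,
    then show that presenting the same code again is rejected."""
    params = parse_otpauth_uri(uri)
    key = decode_base32_secret(params["secret"])
    code = totp(key, unix_time, params["period"], params["digits"], params["algorithm"])
    verifier = TotpVerifier(key, params["period"], params["digits"], params["algorithm"])
    accepted = verifier.verify(code, unix_time)        # fresh code: accepted
    replayed = verifier.verify(code, unix_time + 5)    # same code again: rejected
    return {"label": params["label"], "code": code,
            "accepted": accepted, "replay_accepted": replayed}


if __name__ == "__main__":
    print(enrollment_walkthrough())
    live_key = decode_base32_secret(parse_otpauth_uri(SAMPLE_OTPAUTH_URI)["secret"])
    print("code for the current 30-second step:", totp(live_key, time.time()))
```

The verifier's one-step window is the usual compromise between tolerating small clock drift on the token and keeping the acceptance window short; the `last_used_step` bookkeeping is what stops a captured six-digit code from being replayed within that window, and it is the kind of state a real server must persist per user rather than keep in memory.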

If you lose access to your hardware token, you'll need an administrator to reset your MFA enrollment.