Tutorial: Use YubiKey as TOTP MFA token
Use a YubiKey as a TOTP MFA token with OpenVPN Connect. Learn how to enroll your hardware token and securely connect using one-time passwords.
Overview
This tutorial shows how to use a YubiKey as a time-based one-time password (TOTP) authenticator when connecting with OpenVPN Connect.
You’ll enroll your YubiKey with your VPN account and use it to generate one-time codes during login.
Tip
This tutorial is for users connecting to Access Server. For other VPN providers or servers, ensure your configuration supports TOTP MFA.
Prerequisites
A YubiKey (or compatible hardware token with TOTP support).
Yubico Authenticator installed on your device.
Note
If TOTP MFA isn't turned on for your account, contact your administrator.
Step 1: Enroll your YubiKey
Open a web browser and sign in to the Client Web UI.
When prompted, note the QR code and enrollment code.
Open the Yubico Authenticator.
Insert or connect your YubiKey.
Click Add account.
Scan the QR code or enter the enrollment code manually.
Confirm the account details, then click Save.
Enter the six-digit code shown in the authenticator.
Click Confirm Code.
Your YubiKey is now enrolled as a TOTP authenticator.
The user account now requires a one-time password during login.
Step 2: Connect using OpenVPN Connect
Open OpenVPN Connect.
Start your VPN connection.
Enter your username and password.
When prompted for MFA:
Open Yubico Authenticator.
Insert or tap your YubiKey (if required).
Enter the six-digit code.
The VPN connection starts after successful authentication.
Tips
TOTP codes refresh every 30 seconds.
Always use the latest code displayed.
Keep your YubiKey accessible when connecting.
Troubleshooting
| Issue | Resolution |
|---|---|
| Code not accepted | Wait for a new code and try again. |
| No MFA prompt | Confirm MFA is enabled for your account. |
| YubiKey not detected | Reinsert the device or reopen Yubico Authenticator. |
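
Why "always use the latest code" matters and why a code can be rejected: the following is an added example, not part of the original tutorial or of Access Server's code, showing a standard RFC 6238 TOTP calculation together with a server-side check. The sample secret is constructed, and the use of HMAC-SHA1 and the `drift_steps` tolerance are assumptions for illustration, not confirmed Access Server settings.

```python
import base64
import hashlib
import hmac
import struct

PERIOD = 30  # seconds each code is valid for (from the Tips above)
DIGITS = 6   # code length used in this tutorial

# Constructed sample secret (the RFC 6238 test key, Base32-encoded the way
# enrollment codes are commonly shown). Not a real credential.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 code (HMAC-SHA1 assumed) for the time step containing unix_time."""
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", unix_time // PERIOD)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def seconds_left(unix_time: int) -> int:
    """Seconds until the displayed code is replaced by the next one."""
    return PERIOD - unix_time % PERIOD


def verify(secret_b32: str, code: str, server_time: int, drift_steps: int = 0) -> bool:
    """Server-side check. drift_steps is a hypothetical tolerance for clock skew."""
    for step in range(-drift_steps, drift_steps + 1):
        t = server_time + step * PERIOD
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret_b32, t).encode(), code.encode()):
            return True
    return False


if __name__ == "__main__":
    shown = totp(SAMPLE_SECRET, 59)          # code displayed at t=59
    print(shown, "expires in", seconds_left(59), "s")
    print("typed at t=61, strict server:", verify(SAMPLE_SECRET, shown, 61))
    print("typed at t=61, one step of drift allowed:",
          verify(SAMPLE_SECRET, shown, 61, drift_steps=1))
```

A code read one second before the 30-second boundary and typed two seconds later belongs to the previous time step, which is the usual reason for the "Code not accepted" case in the table above.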