The YubiKey integration supports FIDO2-compatible YubiKey models, allowing users to authenticate with a touch or PIN instead of the mobile app.
Integration type: SSO
Overview
YubiKey is a FIDO2-certified hardware security key from Yubico that provides phishing-resistant authentication. 1Kosmos supports all FIDO2-compatible YubiKey models, allowing users to authenticate to 1Kosmos-protected applications and Windows workstations with a touch or PIN instead of the mobile app.
YubiKey registration is performed through the 1Kosmos user profile settings in the AdminX portal or through a browser supporting the WebAuthn standard.
Once registered, the key is linked to the user's account and can be used as the primary or secondary authentication factor across all applications and workstations protected by 1Kosmos. The YubiKey's private key never leaves the hardware device, making it highly resistant to remote compromise.
1Kosmos supports the "enroll once, use anywhere" model for FIDO2 keys. A user who registers their YubiKey on one 1Kosmos-enrolled workstation can authenticate at any other 1Kosmos-connected system using the same key without re-registration, as the key is bound to the user account rather than a specific device.
Prerequisites
Active 1Kosmos tenant: Administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned.
YubiKey model with FIDO2 support: YubiKey 5 Series, YubiKey Bio Series, or Security Key Series by Yubico. FIDO2 support is required; older FIDO U2F-only keys may have limited functionality in the 1Kosmos environment.
Browser with WebAuthn support: Chrome, Firefox, Safari, or Edge on a system that supports USB or NFC for key registration.
FIDO2 PIN set on YubiKey (recommended): Setting a PIN on the YubiKey using YubiKey Manager adds user verification to the key registration, enabling higher-assurance authentication.
Integration steps
Step 1: Prepare the YubiKey
Download and install YubiKey Manager from Yubico's website if not already installed.
Open YubiKey Manager, connect the YubiKey, and navigate to Applications → FIDO2.
Set a FIDO2 PIN if one is not already configured. This PIN is entered during YubiKey registration and authentication in high-assurance scenarios.
Step 2: Register the YubiKey in 1Kosmos
Log in to the 1Kosmos AdminX portal or navigate to your user profile.
Under the Devices tab or Security Keys section, click Add Security Key.
When prompted, insert the YubiKey into a USB port (or hold near an NFC reader for NFC-capable keys). Touch the YubiKey's capacitive sensor when the light blinks.
If prompted, enter the YubiKey FIDO2 PIN.
Enter a descriptive name for the key (e.g., "YubiKey - Primary") and click Done. The device appears in the Devices tab of the user profile.
Step 3: Test YubiKey authentication
Log out of the 1Kosmos portal. Navigate back to the login page and click Sign in with Security Key.
Insert the YubiKey and touch the sensor when prompted.
Confirm you are logged in to the 1Kosmos portal. The same flow applies to any application or workstation protected by 1Kosmos using the same user account.
Step 4: Enable YubiKey for Windows workstation authentication (optional)
If your organization uses 1Kosmos for Windows workstation login, the YubiKey can also be used at the Windows login screen on endpoints where the 1Kosmos Credential Provider is installed.
From the Windows login screen, select the 1Kosmos option, insert the YubiKey, and touch the sensor when prompted. Authentication is completed without a password.
Integration notes
YubiKey supports multiple authentication protocols including FIDO2, FIDO U2F, OTP, PIV, and OpenPGP. The 1Kosmos integration uses FIDO2/WebAuthn specifically.
Ensure the FIDO2 application is not blocked or reset on the YubiKey before registration. If a YubiKey is lost or stolen, administrators can remove the key from the user's device list in the AdminX portal. Users should register a backup key where possible to avoid lockout.
The 1Kosmos platform links the FIDO2 key to the user account, not to a specific workstation or browser, enabling cross-device portability once registered.
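Whether a response came from a touch alone or from a touch plus the FIDO2 PIN is recorded in the flags byte of the WebAuthn authenticator data, next to the hash of the relying party ID that makes the credential phishing-resistant. The following added example (generic WebAuthn parsing, not 1Kosmos or Yubico code) reads that structure and applies a policy check; the RP ID login.example.test, the sample bytes, and the function names are constructed for illustration.

```python
import hashlib
import struct

# Flag bits in byte 32 of WebAuthn authenticator data.
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN or fingerprint was checked on the key
FLAG_AT = 0x40  # attested credential data follows (registration only)


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split authenticator data into its fixed header and, if present, the AAGUID."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,  # authenticator model identifier, sent at registration
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:  # header + 16-byte AAGUID + 2-byte credential ID length
            raise ValueError("AT flag set but attested credential data is truncated")
        parsed["aaguid"] = auth_data[37:53].hex()
    return parsed


def check_assurance(auth_data: bytes, rp_id: str, require_pin: bool) -> str:
    """Return 'ok' or the reason the response does not meet policy."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return "rp_id mismatch"
    if not parsed["user_present"]:
        return "no touch"
    if require_pin and not parsed["user_verified"]:
        return "touch only, PIN not verified"
    return "ok"


def build_sample(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticator data for an assertion (header only)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = "login.example.test"  # constructed RP ID
    for flags in (FLAG_UP, FLAG_UP | FLAG_UV):
        print(hex(flags), check_assurance(build_sample(rp, flags, 1), rp, require_pin=True))
```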

