Configuring two-factor authentication

NOTE: For cybersecurity purposes, it is strongly recommended that you configure two-factor authentication in your projects, especially in deployments with control functionality.

Power Operation uses a one-time password (OTP) to accomplish two-factor authentication. OTP is implemented in Power Operation using a USB key device called a YubiKey. The YubiKey is designed to fit on a key ring or attached to a badge. It must be plugged into the client machine when the user authenticates.

NOTE: You can export one-time password settings to other servers. See Export and import One-Time Password settings for details.

Ordering YubiKeys

Keep in mind these points when you are ordering or using a YubiKey:

  • You must set "Allow RPC" to TRUE for all roles that are using YubiKey.
  • YubiKey is compatible with all thick clients.
  • YubiKey requires access to a USB port at each client.
  • Each Power Operation I/O Server must have Application Services (Core Service Host) running.
  • Multiple I/O servers may reside on a physical machine. In this case, only one instance of Application Services resides on the machine.
  • YubiKey must be configured and synchronized across all I/O servers (this includes redundant pairs and distributed systems).
  • YubiKey is enabled on each client independently. If YubiKey is enabled on a client, all users on that client must authenticate via YubiKey.
  • It is possible to configure YubiKey on one machine, export the configuration for all users, and import the configuration to all remaining machines.
  • It is not necessary to re-program YubiKey when changing passwords. The YubiKey changes the OTP every time, so it is not susceptible to replay attacks.
  • YubiKey is authenticated against all servers that contain at least one I/O Server. All servers must successfully authenticate the OTP for success. If a single server does not authenticate (due to misconfiguration, etc.), the user will not be able to log in.
  • If a machine (with an I/O Server) is not available, it is not included in the authentication scheme. This means that if a primary server is down, the secondary can still successfully authenticate the OTP.
  • If no servers (with I/O servers) are available, the user will not be able to log in on clients that have YubiKey enabled.

Add the Citect parameter

You need to add the parameter that allows Power Operation to communicate with the YubiKey. You can do this before or after you configure the YubiKey.

NOTE: Before you add the parameter, make sure the correct project is active.

To add the parameter:

  1. From Power Operation Studio, click Setup Parameters.
  2. Enter the following:
    • Section Name: Security
    • Name: OneTimePasswordRequired
    • Value: true

  3. Compile the project.

Set Allow RPC to TRUE for all YubiKey-user roles

To use YubiKey in Power Operation, you must set Allow RPC to TRUE for all roles that include users with assigned YubiKeys. The default for Power Operation 2024 is FALSE.

To change Allow RPC to TRUE:

  1. In Power Operation Studio, click Security > Roles.
  2. For each YubiKey-user role, change Allow RPC to TRUE.

YubiKey configuration

You can autoconfigure a YubiKey or program it manually.

In most cases, you can autoconfigure the YubiKey, thus avoiding the lengthier process of programming it. Autoconfiguration may not work with all YubiKey models; however, all OTP-compliant keys can be manually programmed.

NOTES:

  • Autoconfigure requires that you have a USB port available on your computer.
  • If you do not have a USB port available on the server (for example, because it is in a virtual machine or you do not have physical access), program the key on a remote machine (see Manually configure the YubiKey, below), and then transfer the configuration to the server (see Export and import One-Time Password settings, below).
  • Autoconfigure will not work on virtual machines.
  • You can only have one YubiKey inserted at a time.
  • If autoconfigure will not work, you must manually program the YubiKey. See Manually configure the YubiKey for instructions.

Auto-configuring the YubiKey

To auto-configure the YubiKey:

  1. Insert the YubiKey into the USB port of the computer.
  2. In the Application Configuration Utility, click Security > One-Time Password.
  3. Click Assign Key. The grayed-out fields are enabled.
  4. In the User field, type the Power Operation username (or user name from Active Directory) to which you want to assign the YubiKey.
  5. Click Autoconfigure YubiKey. A message appears telling you that all settings on the key will be erased, including any key assignments.
  6. To continue, click Yes. The key receives a new secret key.
  7. Click Accept.

Manually configure the YubiKey

If you cannot auto-configure the YubiKey, program and configure it manually.

After you obtain the YubiKey from a third-party vendor (such as Amazon), download the YubiKey Personalization Tool from the Yubico web site (www.yubico.com): click Products > Services & Software > Personalization Tools > Download YubiKey Configuration Tools.

NOTE: This procedure outlines how to configure a single slot. If you want to use both of the key's configuration slots, download the YubiKey documentation, located under the Support tab of the Yubico website.

To manually configure the key:

  1. Launch the YubiKey Personalization Tool. The following screen appears:
  2. Insert the YubiKey into a USB port of your computer. Click the Yubico OTP Mode link. At the next screen, click Advanced. The following screen appears:
  3. In the Configuration Slot section, select the slot you want to configure.
  4. In the Yubico OTP Parameters section:
    1. Click Public Identity, and then click Generate.
    2. Do not edit the default Public Identity Length.
    3. Click Private Identity and then click Generate.
    4. Beside Secret Key, click Generate.
    5. Make note of the secret key that displays, including all characters and spaces. You will need it when you add the key to the Application Configuration Tool.
  5. In the Actions section, click Write Configuration.
  6. Click the Settings tab. The following screen appears:
  7. Enter the following information:
    1. Under Output Settings, click Enter to enable it; when enabled, the button turns blue. Do not enable any of the Tab buttons. With Enter enabled, the key sends a return after the one-time password, so the "OK" in the Power Operation login occurs automatically when you press the YubiKey.
    2. Ignore the remaining settings. Click Update Settings at the bottom right of the screen. The key is now programmed.

  8. Next, configure the key on the Power Operation computer:
    1. In the Application Configuration Utility, click Security > One-Time Password.
    2. Click Assign Key. The fields on the lower half of the screen are enabled.
    3. For User, type the user name that you are adding. This should be a Power Operation Studio user.
    4. For Serial Number, type the number that is printed on the underside of the key.
    5. For Secret Key, enter the secret key from the YubiKey Personalization Tool (created previously). Enter it exactly as it was created, including all spaces. After you enter it, the key is encrypted and displays as bullets (••••) from then on.
    6. Press the button on the top of the YubiKey. The YubiKey String field is populated when you press the button.
    7. Click Accept.
  9. Repeat step 8 for any additional keys.

NOTE: Repeat steps 1 to 8 on each server computer in a redundant or distributed system.
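
The manual procedure above produces three values (public identity, private identity, secret key), the notes at the top of the page state that the OTP changes on every press and is not susceptible to replay, and every I/O Server must hold a synchronized copy of the configuration. The Go program below is an added illustration, not code from Power Operation or from Yubico, of what those values do when an OTP is validated. It builds a Yubico OTP the way a programmed key does, following the publicly documented format (a 16-byte token of private identity, counters, timestamp, random bytes and CRC, AES-128 encrypted with the secret key and ModHex encoded behind the public identity), then validates it server-side. The server record `regKey`, its `last` counter field, `MakeOTP`, `Verifier` and all identities and secrets are constructed assumptions for this example; how Power Operation itself stores and validates keys is not described on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// ModHex alphabet used by Yubico OTP (nibble 0..15): the same keyboard scancodes on any layout.
const modhex = "cbdefghijklnrtuv"

func modhexEncode(b []byte) string {
	out := make([]byte, 0, 2*len(b))
	for _, c := range b { out = append(out, modhex[c>>4], modhex[c&0x0f]) }
	return string(out)
}

func modhexDecode(s string) ([]byte, error) {
	if len(s)%2 != 0 { return nil, errors.New("odd-length modhex string") }
	out := make([]byte, len(s)/2)
	for i := range s {
		v := strings.IndexByte(modhex, s[i])
		if v < 0 { return nil, errors.New("invalid modhex character") }
		out[i/2] = out[i/2]<<4 | byte(v)
	}
	return out, nil
}

// crc16 is the reflected CRC-16 (poly 0x8408, init 0xffff) Yubico OTP uses to detect a garbled token.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			low := crc & 1
			crc = crc>>1 ^ low*0x8408
		}
	}
	return crc
}

// MakeOTP models one button press of a programmed key (assumed model): private identity, counters, timestamp,
// random bytes and CRC form a 16-byte token, AES-128 encrypted (one block) with the secret key, then ModHex
// encoded behind the ModHex public identity. This 44-character string is what the key "types".
func MakeOTP(pub, priv [6]byte, secret [16]byte, powerUps uint16, presses uint8, ts uint32, rnd uint16) string {
	var tok, ct [16]byte
	copy(tok[0:6], priv[:])
	binary.LittleEndian.PutUint16(tok[6:8], powerUps) // advances each time the key is plugged in
	tok[8], tok[9], tok[10] = byte(ts), byte(ts>>8), byte(ts>>16)
	tok[11] = presses // advances per press, resets at the next power-up
	binary.LittleEndian.PutUint16(tok[12:14], rnd)
	binary.LittleEndian.PutUint16(tok[14:16], ^crc16(tok[:14]))
	block, _ := aes.NewCipher(secret[:]) // the Personalization Tool's 16-byte secret key
	block.Encrypt(ct[:], tok[:])
	return modhexEncode(pub[:]) + modhexEncode(ct[:])
}

var ErrBadOTP, ErrReplay = errors.New("otp did not verify"), errors.New("otp already used or out of order")

// regKey is the server-side record per enrolled key (an assumed model of what each I/O Server stores): the private
// identity and secret from the Application Configuration Utility, plus the highest counters accepted so far.
type regKey struct {
	priv   [6]byte
	secret [16]byte
	last   int32 // powerUps<<8 | presses of the last accepted OTP; -1 before first use
}

// Verifier maps the ModHex public identity (the first 12 characters of every OTP) to its record.
type Verifier map[string]*regKey

func (v Verifier) Verify(otp string) error {
	if len(otp) != 44 { return ErrBadOTP }
	k, ok := v[otp[:12]]
	ct, err := modhexDecode(otp[12:])
	if !ok || err != nil { return ErrBadOTP }
	var tok [16]byte
	block, _ := aes.NewCipher(k.secret[:])
	block.Decrypt(tok[:], ct)
	// A wrong secret or a corrupted OTP decrypts to noise; the CRC and the private identity catch that.
	if crc16(tok[:14]) != ^binary.LittleEndian.Uint16(tok[14:16]) ||
		subtle.ConstantTimeCompare(tok[0:6], k.priv[:]) != 1 {
		return ErrBadOTP
	}
	// Counters must strictly advance: an equal or older pair is an OTP seen before, i.e. a replay.
	cur := int32(binary.LittleEndian.Uint16(tok[6:8]))<<8 | int32(tok[11])
	if cur <= k.last { return ErrReplay }
	k.last = cur
	return nil
}

func main() {
	pub, priv := [6]byte{1, 2, 3, 4, 5, 6}, [6]byte{9, 8, 7, 6, 5, 4}                  // constructed
	secret := [16]byte{0xaa, 0xbb, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14}        // constructed
	v := Verifier{modhexEncode(pub[:]): &regKey{priv: priv, secret: secret, last: -1}} // enrolment
	otp := MakeOTP(pub, priv, secret, 1, 0, 0x000123, 0x4242)
	fmt.Println(otp, v.Verify(otp))         // first use: <nil>
	fmt.Println("replayed:", v.Verify(otp)) // same OTP again: otp already used or out of order
	fmt.Println("re-plugged key:", v.Verify(MakeOTP(pub, priv, secret, 2, 0, 0x000124, 0x1111))) // <nil>
}
```

Running it prints the OTP, `<nil>` for the first check, the replay error when the same string is checked again, and `<nil>` for a fresh OTP after the key has been re-plugged. Acceptance depends on the secret and on the stored counter state, which is why every server that validates the OTP needs the same enrolment data and why the page requires the configuration to be synchronized across all I/O servers, with export and import of the One-Time Password settings as the way to copy it.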

Logging in with a programmed YubiKey and One-Time Password

After the key is programmed and associated with a user in Power Operation, and you have enabled YubiKey usage, the user will use the key to log in to the system.

To log in:

  1. Insert the programmed YubiKey into a USB port of the Power Operation server.
  2. Launch Power Operation Runtime, or access runtime via a remote web client.
  3. Run the project you want to view.
  4. In the upper right corner of the Startup screen, click Login.
  5. Enter your name and password and then click OK. The One-time Password screen appears.
  6. Press the button on the YubiKey.

    The one-time password is generated. The key and the software communicate in the background to verify that the one-time password is unique, and the key's Enter keystroke submits OK automatically.

    You can start using runtime screens.

Disabling YubiKeys

To disable a YubiKey:

  1. In Power Operation Studio, click Setup Parameters and locate the OneTimePasswordRequired parameter (Section Name: Security).
  2. Change the Value from true to false, and then compile the project.