Overview
Yubikeys typically get added to Microsoft MFA as Passkeys as they are NFC devices. After May 29th, 2026, Yubikeys will need to be set up as OTP devices in order to access Purdue's VPN. This article covers how to instead set up Yubikeys to use Authentication Codes (OTP) to log in with MFA. Purdue IT does not provide, issue, or supply YubiKeys. Users or departments are responsible for purchasing compatible YubiKeys. Purdue IT can assist with registering or removing YubiKeys from Microsoft Entra accounts but does not manage, support, replace, or distribute physical security keys.
If you would like direct assistance with setting up your Yubikey for use with the VPN, email accounts@purdue.edu to submit a ticket.
Instructions
First, consult this article to see if you have a compatible Yubikey: Using YubiKeys with Microsoft Entra ID MFA OATH-TOTP
Step 0 – Log into Microsoft Security Info Page
If you are new, do not have a MFA method set up, and cannot access https://mysignins.microsoft.com/security-info, you must first get a Temporary Access Pass (TAP) from the Purdue IT Service Desk.
Contact Purdue IT Service Desk
Phone: (765) 494-4000
-
Request a temporary access pass so that you can set up your YubiKey.
-
Complete identity verification.
-
You will receive:
- Temporary Access Pass code
- Go to https://mysignins.microsoft.com/security-info
Existing Users with MFA Methods
-
Go to: https://mysignins.microsoft.com/security-info
-
Enter:
- Username: your Purdue email
-
When prompted for authentication:
-
Depending on where you are installing Yubico Authenticator, please consult the smart phone or computer sections respectively.
Smart Phone Instructions
Step 1: Install Yubico Authenticator
On your smartphone, download Yubico Authenticator from:
- Apple App Store (iOS)
- Google Play Store (Android)
Step 2: Connect Your YubiKey to Your Phone
Open the Yubico Authenticator app and connect your YubiKey to your phone:
- Plug it into your phone or
- Tap it using NFC, if supported. You may also just be prompted to pull down from the top of the app with your finger.
Keep the app open.
Step 3: Open Microsoft Security Info on Your Computer
On your computer, go to:
https://mysignins.microsoft.com/security-info if you haven't already
Sign in with your Purdue account.
Step 4: Add a New Sign‑In Method
- Select + Add sign-in method
- Choose Microsoft Authenticator
- When prompted, select Set up a different authenticator app
A QR code will be displayed on the screen.
Step 5: Add the Account to Your YubiKey
On your phone in the Yubico Authenticator app:
- Tap the + (plus) icon in the top-right corner
- Scan the QR code displayed on your computer
Once scanned, your Purdue account will be added to the YubiKey.
Step 6: Verify the TOTP Code
After setup, the Yubico Authenticator app will display a 6‑digit code for your Purdue account.
This code:
- Changes every 30 seconds
- Is what you will enter when logging into the VPN
On the computer, press Next to move past the QR code and you will be prompted to enter a 6 digit code. Enter the 6 digit code from the Yubico Authenticator to test that you have successfully linked the account to the token.
Computer Instructions
Personal Computers
Purdue Computers
- Please submit a ticket to accounts@purdue.edu to receive further instructions regarding installing Yubico Authenticator
Step 1 – Sign In Using Temporary Access Pass/Existing Method
New Users
-
Go to: https://mysignins.microsoft.com/security-info
-
Enter:
- Username: your Purdue email
-
When prompted for authentication:
- Select Temporary Access Pass
- Enter the TAP code provided
You are now signed in and can register MFA methods
Existing Users with MFA Methods
-
Go to: https://mysignins.microsoft.com/security-info
-
Enter:
- Username: your Purdue email
-
When prompted for authentication:
Step 2 – Get the Secret Key from Entra ID
-
Click: + Add sign-in method
-
Choose: Authenticator App
-
Select:
- I want to use a different authenticator app
- Then click Can’t scan QR Code?
-
Copy:
- Secret key (base32)
- Account name
Step 3 – Add OTP Credential to YubiKey
-
Insert or tap your YubiKey
-
Open Yubico Authenticator
-
Click: Add account.
-
Enter:
- Account name: (paste from Entra)
- Issuer:
Purdue or leave blank
- Secret key: (paste from Entra)
- Leave the rest of the settings default:
- Type: TOTP
- Algorithm: SHA-1
- Digits: 6
- Period: 30 seconds
- Click Save
The OTP account is now stored on the YubiKey
Step 4 – Verify Registration
- Return to the Microsoft setup page and press Next
- Enter the 6-digit code from Yubico Authenticator
- Click Next / Verify
Enrollment completes successfully
Step 5 – Test the YubiKey
- Sign out of your account
- Sign back in
- When prompted:
- Choose Verification Code
- Insert the Yubikey
- Enter the generated code
Using Your YubiKey to Log in to the VPN After May 29th, 2026
When connecting to the VPN using Cisco Secure Client:
- Enter your Purdue username and password
- Open Yubico Authenticator
- Connect your YubiKey to your phone by plugging it in or pulling down in the app.
- Enter the current 6‑digit code
Changing Your Default Sign‑In Method (Optional)
If you wish to make this your default MFA option, follow the instructions in:
Article - How do I Change my Default ...
Set your default method to: App Based Authentication or Hardware Token – Code
Common Questions
“My YubiKey doesn’t have a screen. Where does the code come from?”
The code is displayed in the Yubico Authenticator app when your YubiKey is connected to your phone.
“Can I remove my old YubiKey passkey?”
No. You can leave the YubiKey passkey method in place. It is still valid for other sign‑ins, even though it won’t work for the VPN.
“Do I still need Duo after May 29th, 2026?”
No. After May 29, 2026, Duo will no longer be used for Purdue VPN authentication.
Additional Resources
Still need help? Click the 'Purdue IT Request' button to start a ticket.