Thomas Pedersen
posted this on March 18, 2010 01:34 pm
Using multiple authentication factors is an effective way of preventing someone from accessing your sensitive data even if they manage to get hold of your username or password. For a brief introduction to the topic, read the article Authentication Factors.
OneLogin supports both VeriSign VIP Access and Yubico's YubiKey for one-time password generation. These solutions fall into the "something you have" category, which means that if you successfully authenticate, the authenticating party knows that the user has the key in their possession. This significantly reduces the chances of someone else breaking into that user's account.
In order to use OTP with OneLogin, one of your account's admins has to turn it on. This is done under Security -> OTP.

OneLogin lets you use VIP Access and YubiKey at the same time, which is an advantage if you have different users with different needs. For example, someone who works from an office all day may prefer YubiKey because of its ease of use, while someone who travels may prefer VIP Access because it's always on their phone.
OTP can be required for administrators only, for all users, or for selected users.
In order for an OTP device to be used, it must be associated with a user. This can be done manually by an administrator, one user at a time, but that's not practical on a large scale, especially with VIP Access where only the employee has access to the device. If OTP is required for a user, the user will be prompted to register the device at the first successful login.
Once OTP is enabled, you will be able to register a device for individual users as shown below. Go to People -> Users and select a user. This is also where you deregister OTP devices.

To register a YubiKey, insert the key in the USB port and press the button. This will insert a 30-character string in the field, of which the first 12 characters will be stored on the user. These 12 characters uniquely identify the key and are now tied to this user.
To register VIP Access, enter the Credential ID shown in the mobile application.
Make sure that you register your own key before you log out, or you will not be able to log in again.
Use the required setting to control whether users have to use OTP at every login or only when they log in from an unknown or expired browser.
Once OTP has been turned on, all users will see a login page as shown below. Once Email and Password have been entered, a YubiKey or VIP Access field will appear.

YubiKey users simply press the button while the key is inserted in the USB port and the one-time password will automatically be inserted in the OTP field. VIP Access users will have to launch their VIP Access Mobile application and manually enter the generated one-time password within 30 seconds.
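The registration and login steps above boil down to two checks on the server side: at registration, take the 12-character public ID prefix of whatever the key typed and bind it to the user; at login, refuse an OTP whose prefix does not match the key registered on that user before the rotating part is even sent to the validation service. The following is an added example (not OneLogin's code) that models those checks together with the "required" setting. The 12-character prefix and the ModHex alphabet are real YubiKey properties; the user store layout, function names, setting names and the sample OTP strings are constructed assumptions.

```python
# Added example, not OneLogin's implementation. Models YubiKey registration
# and login-time checks as described in the post. Sample OTPs below are
# constructed; they are valid ModHex but come from no real key.

PUBLIC_ID_LEN = 12
# The 16-letter ModHex alphabet a YubiKey types out (keyboard-layout safe).
MODHEX_ALPHABET = set("cbdefghijklnrtuv")

# Constructed sample presses: two from "Alice's" key, one from "Bob's" key.
ALICE_OTP_1 = "ccccccbcgujhingjrdejhgfnuetrgigvejhehngkcdlg"
ALICE_OTP_2 = "ccccccbcgujhdkhlnvrjtcbefgiuejtrgklhvbnrdceg"
BOB_OTP = "vvcccctlefghtrkglhjncdebfeiuvtcgbhdlkjnrfeeg"


def yubikey_public_id(otp: str) -> str:
    """Return the 12-character public ID of a YubiKey OTP.

    Raises ValueError if the string does not look like a YubiKey OTP; that
    is the check to make before storing anything against a user.
    """
    otp = otp.strip().lower()
    if len(otp) <= PUBLIC_ID_LEN:
        raise ValueError("too short to hold a public ID plus a one-time part")
    if not set(otp) <= MODHEX_ALPHABET:
        raise ValueError("not a ModHex string")
    return otp[:PUBLIC_ID_LEN]


def register_yubikey(users: dict, username: str, otp: str) -> str:
    """Bind the key's public ID to the user (People -> Users -> register)."""
    public_id = yubikey_public_id(otp)
    # One physical key must not end up on two accounts.
    for other, record in users.items():
        if other != username and record.get("yubikey_id") == public_id:
            raise ValueError(f"key {public_id} is already registered to {other}")
    users.setdefault(username, {})["yubikey_id"] = public_id
    return public_id


def otp_required(setting: str, browser_known: bool) -> bool:
    """Apply the 'required' setting (assumed values: 'always', 'unknown_browser')."""
    if setting == "always":
        return True
    if setting == "unknown_browser":
        return not browser_known
    raise ValueError(f"unknown setting {setting!r}")


def otp_belongs_to_user(users: dict, username: str, otp: str) -> bool:
    """Login-time check that the submitted OTP came from this user's key.

    The rotating 32-character part still has to be verified by the YubiKey
    validation service; this only rejects someone else's key, a malformed
    string, or a user with no key registered.
    """
    registered = users.get(username, {}).get("yubikey_id")
    if registered is None:
        return False
    try:
        return yubikey_public_id(otp) == registered
    except ValueError:
        return False


if __name__ == "__main__":
    store = {}
    print("registered", register_yubikey(store, "alice", ALICE_OTP_1))
    print("alice, second press:", otp_belongs_to_user(store, "alice", ALICE_OTP_2))
    print("alice, bob's key:", otp_belongs_to_user(store, "alice", BOB_OTP))
    print("known browser, unknown_browser policy:", otp_required("unknown_browser", True))
```

Binding the public ID rather than the whole string is what makes the "register before you log out" advice matter: once a user record carries a public ID, every later login from that account has to come from that specific key until an administrator deregisters it.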
Comments
Just got my Yubikey and I'm loving it, but what happens if I lose my Yubikey? Is there any sort of backup mechanism, or something of the sorts?
Regular users should contact their OneLogin administrator who can then disable OTP for their account or issue a new token. If the OneLogin administrator loses their key, they should contact OneLogin. We're planning on adding phone-based authentication as a backup as well.
I believe you mean SMS-based authentication here. Do you know when we can expect that feature to be implemented?
Also, is it feasible to add custom providers here, e.g. smspasscode?
Any updates here? I just activated VIP access using iPhone app and love it but need to know my backup plan should my iPhone fail or get lost or whatever.