a development team dedicated to Oracle APEX

Integrating YubiKey two-factor authentication with APEX login

leave a comment »

To integrate the low-cost YubiKey device we use a custom APEX authentication scheme in which we manage user names and passwords in a table under our control.

To enable this you need to enter “return name_of_your_custom_authentication_function” in the setup screen for the APEX authentication scheme in the “Login Processing/Authentication Function” box. The APEX popup help for this field gives an excellent guide to the requirements for that function. In our demonstration application we called the function APEXTRAS_YUBICO.auth.

The YubiKey outputs a unique string every time it is activated. This is the one-time password (OTP). Its first 12 characters constitiute the YubiKey ID, the unique identifier for each YubiKey. In other words, the first 12 characters of a YubiKey’s output are always the same, and are always different from those of any other YubiKey.

It is quite simple to incorporate the YubiKey into an APEX Authentication Scheme.

1. Add a column to the user table to hold the YubiKey ID of the YubiKey issued to each user.

2. Then add a third field to the login screen to take the YubiKey output as well as the login name and password.

3. Perform this pseudocode to log in:

Verify the YubiKey OTP
IF the YubiKey OTP passes verification THEN
    Retrieve the user name corresponding to the YubiKey ID
    IF the retrieved user name matches the one entered THEN
        Make the call to APEX_CUSTOM_AUTH.LOGIN to check the hash
        of the entered password against the stored hash of the user's password
    END IF


If this succeeds, then the logged-in user is

a) in possession of a valid YubiKey that is assigned to their account


b) knows the password assigned to that account

To verify the YubiKey OTP you need to submit it (via an HTTP GET) to a YubiKey authentication service. You can either run this somewhere on your own network, or you can use Yubico’s public authentication service.

If you use the Yubico service you will also need two pieces of information about your Yubico account: your API key and your Yubico-issued company user ID: both are available from the Yubico management site. Within our demonstration client the API Key, User ID and the URI of the authentication service need to be entered into the APEXTRAS_YUBICO package as package constants.

The call to the authentication service looks something like this:


id is your company user ID
otp is the one time password you want to verify
h is a hashed MAC (using hashed SHA-1 keyed on your API key) of the query string

The authentication service will respond with a status such as OK, BAD_OTP, REPLAYED_OTP, BAD_SIGNATURE etc

Demonstration of YubiKey two-factor authentication integrated with APEX login.

Authentication Package
APEX After Submit process

Written by Roger

19 March, 2009 at 12:46 pm

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: