HOW TO: Reset your Yubikey in WHMCS

This article will explain how to reset your Yubikey code inside of WHMCS.

If you don't know what a Yubikey is, or what WHMCS is, this probably won't be very helpful to you. Maybe one day soon I'll do a write up on both of these amazing tools, but for now, check out another blog article. In a nutshell, a Yubikey is a little USB device that generates one-time passwords to authenticate accounts. So, if you're using a system that's protected with your Yubikey, you'll need your username and password as always AND THEN you'll need to plug in your USB Yubikey to generate an additional password. This way even if somebody steals your username and password, your account is safe. WHMCS is a really great client management, billing and support solution for online businesses that Sites Done Right uses to manage our clients. WHMCS gives you a "backup code" in case you lose your Yubikey for some reason. But, if for some reason that backup code doesn't work or you lose that too, then you're trapped outside your account. Unless of course, you keep reading and follow the instructions below...

Oh, you're still here? Great! Let's get that code reset! First thing you'll need is access to your MySQL database. Most people use PHPMyAdmin for editing their database. If you can't edit your database, you're going to need to contact your webhost and ask. If you can edit your database, you'll be able to override the code. I know what you may be thinking: "wait, if I edit the database to reset the code, can it be considered secure?" Well, yeah. If someone has access to your database, you've got bigger problems than a malformed Yubikey code.

STEP 1: Go into the database where you installed WHMCS. Find the "tbladmins" table. (That's where your WHMCS login information is.)

STEP 2: Find the row with the login you want to edit. (Hint: Check the username). Once you find it, hit "Edit" to edit that row's information.

First thing is to go into the database...

STEP 3: The value for "authmodule" should be "yubico" and the "authdata" should have a bunch of weird code in it. That's the code we need to change so you can get back in. You have 2 options here, you can reset your entire key and get it working again now. Or you can just reset your backup code and then use it to get back in. I've made a tool below to regenerate the code but in order to reset your Yubikey, I need to know the first 12 characters. Every time you generate a code, the first 12 characters never change. That's your fixed public id and it's used to identify the particular device when the OTP string is received so the right AES key can be retrieved to decrypt the dynamic OTP part. You can safely enter your Yubico password in the tool below. I don't save it and even if I did, without your username, password and what site you're from, it's useless to anyone anyway.

a:2:{s:12:"yubicoprefix";s:40:"02451c9120ff65158f8f1decc8b3fa4b26101327";s:10:"backupcode";s:40:"02451c9120ff65158f8f1decc8b3fa4b26101327";}

If you don't trust entering your Yubico into this page, you can just put the first 12 characters of your Yubico code into Input 2. If you don't want to enter your Yubico password at all, here's an alternative:

a:2:{s:12:"yubicoprefix";s:40:"02451c9120ff65158f8f1decc8b3fa4b26101327";s:10:"backupcode";s:40:"02451c9120ff65158f8f1decc8b3fa4b26101327";}

What this does is set your backup code to "sitesdoneright". Now after you login to WHMCS and it asks for your Yubico code, hit "Can't Access Your 2nd Factor Device? Login using Backup Code". Then enter "sitesdoneright" and it will let you in and reset the "sitesdoneright" backup code to a random 16 letter code again. From here you can remove the Yubico from your admin account and re-add it. Hope this helps and try not to lose your backup code this time!!