YUBIKEY FAQ’s FOR EXTERNAL PARTNERS

1.WHAT DOES 2FA MEAN? WHAT IS TWO-FACTOR –AUTHENTICATION?

Two-factor-authentication (2FA) is the proof of a user’s identity by a combination of two different and in particular independent
components (factors).
The factors can be the following ones:

1. Secret knowledge, for example a password or a PIN (personal identification number)

2. A secret-keeping item (possession) like a security token or an app which generate one-time passwords.

2.WHAT IS A YUBIKEY AND HOW DO I USE IT?

The YubiKey is a physical, hardware-based authenticator. It is necessary for a rising number of BMW Group resources that require higher
protection than a mere username and password combination.

To use the YubiKey to authenticate to BMW Group systems and applications, follow these steps:
1. Choose "YubiKey + PIN" as the authentication method.
2. Insert the YubiKey into the USB port of your computer.
3. Now the YubiKey one-time-password needs to be generated. For that, press the button on the YubiKey. The YubiKey will then
automatically generate a 6 digit one-time-password into the field.
4. Enter your PIN.

3. HOW DO I ORDER A YUBIKEY (AS AN EXTERNAL PARTNER)?

Being an external partner, you must order a YubiKey in the ASCL Portal.

1. Create an account on the ACSL Web Store:

(https://ga.acslworld.com/ga2/#/signup/BMW%20PARTNERS?context=bOyfkj4nfWd8ZSKsGHx_WPhWBJYEbZyApTXZJ0gKODs )
or login with an existing account (https://ga.acslworld.com/ga2/#/login )
2. Order directly from Bechtle using the ACSL Web Store.
3. After receipt of the ordered YubiKeys distribute them within your company and have users register the YubiKeys.
If you need assistance with your YubiKey order three options are available within the ACSL Portal:
• Support Tickets - open a support ticket in the portal to get assistance with your order.

• FAQ - might help for some common issues and should be checked before creating a ticket.
• Email: support@acslworld.com

Version 1.1 02/2022

YUBIKEY FAQ’s FOR EXTERNAL PARTNERS

Common ordering issues in ASCL :

• The up to now most often occurred impediment is creating a company’s address if nothing is presented in the field ‘location’ after
the country has been selected in the corresponding field. In this case one must click on the blue button ‘Add Location’ below the
location selection field in order to enter the address of a new location.

• When working with a purchasing system that provides you with a purchase order number enter the latter into the corresponding
entry field in the ACSL-webstore. If the purchasing system of your company sends a written order by (e-)mail to Bechtle GmbH &
Co. KG, it will be ignored, provided that you have entered the purchase order number as a reference number in the ACSL-webstore.
This way the system knows that it must not create the order twice.

4. WILL I RECEIVE AN INVOICE FOR YUBIKEYS PURCHASED IN ASCL?

Yes, you will receive your invoice from Bechtle either by mail, by e-mail or through another communication channel.

5. HOW DO I REGISTER / ASSIGN A YUBIKEY?

YubiKey’s are registered in the Authenticator Enrollment Portal (AEP) accessible over the B2B Portal (search “strong authentication”
under applications or click here). See PDF located in the B2B Portal under Collaboration ->Partnerintegration -> Strong Authentication or
MyBMW IT for instructions.
If you received a YubiKey from a colleague who no longer needs theirs, they will need to un-assign the YubiKey from their account in the
Authenticator Enrollment Portal (AEP) accessible over the B2B Portal (search “strong authentication” under applications or click here).
using the "delete" function before you can register it to yours. If the previous user did not un-assign and is no longer able to do so, please
contact your local helpdesk to get the YubiKey disconnected.

6. WHAT IS A C-NUMBER? FROM WHOM DO I OBTAIN MY C-NUMBER?

The c-number is the identification number of your B2B-user-account. You can get it from the B2B-master-administrator of your
company or find your own c-number in the B2B Portal under My Account -> Personal Data. The c-number always begins with a “c”.

7. WHY DO I NEED A YUBIKEY IF I ALREADY HAVE MOBILE PUSH / SMARTPHONE AS AN

AUTHENTICATION METHOD?
Only some applications offer Mobile Push / Smartphone as an authentication method. If any of the applications you use only offer
YubiKey + PIN, you must have a YubiKey in order to access the application / system.

8. HOW MUCH DOES A YUBIKEY COST?

Please see the ASCL store for the most actual price of a YubiKey. For orientation, the YubiKey 5NFC for Germany costs approx. 36
EUR.
9. ARE DISCOUNTS AVAILABLE FOR BULK ORDERS?
No. The price of a YubiKey in the ACSL-webstore has already been discounted based on the estimated amount of all YubiKeys required for
BMW-applications, i.e. the maximum possible bulk order.

Bulk orders for entire departments / companies are encouraged, as YubiKey’s are not bound to a supplier location.

Version 1.1 02/2022

YUBIKEY FAQ’s FOR EXTERNAL PARTNERS

10. CAN I ORDER A YUBIKEY FROM A STORE OTHER THAN THE ASCL STORE?
No, because the YubiKeys offered in the ACSL-webstore are pre-programmed for use at BMW.

11. ARE THERE ANY ONGOING COSTS TO USING A YUBIKEY?

No. There are only one-time costs for the purchase.

12. DOES A YUBIKEY EXPIRE?

A YubiKey does not have an expiry date.

13. HOW LONG WILL IT TAKE UNTIL MY YUBIKEY ORDER ARRIVES?

Depending on the demand for YubiKeys at he time of ordering, please plan for a 2-3 week delivery process.

14. HOW DO I RETURN A YUBIKEY IF I NO LONGER REQUIRE IT?

Please un-assign the YubiKey from their account in the Authenticator Enrollment Portal (AEP) accessible over the B2B Portal (search
“strong authentication” under applications or click here) using the "delete" function. Afterwards, hand the YubiKey to your manager so
another colleague can use it in future.

15. CAN MULTIPLE PEOPLE SHARE ONE YUBIKEY?

No. A YubiKey cannot be shared by multiple accounts / users (no 1:m-relationship between YubiKey and user-accounts possible).

16. MY USB-PORT IS LOCKED DUE TO COMPANY POLICY. HOW DO I USE A YUBIKEY UNDER
THESE CIRCUMSTANCES?
BMW uses DriveLock as an application to prohibit the use of USB storage media until a request for permission has been approved.
YubiKeys as virtual keyboards are not affected by this. If all USB ports are locked for your company’s computers in general, ask your
responsible system administrator to include an exception rule for virtual keyboards in the security policy for USB ports.

As an alternative, you can also use the NFC function of the YubiKey and generate the code without inserting the YubiKey. Then copy the
generated tokencode into the login field.

17. DOES EACH BMW APPLICATION / SYSTEM REQUIRE ITS OWN YUBIKEY? TO WHAT IS THE
YUBIKEY BOUND?
No. BMW-applications use the same application-independent security backend. This means the YubiKey is bound to the account to
which it was registered / enrolled, but not to an application / system.

Version 1.1 02/2022

YUBIKEY FAQ’s FOR EXTERNAL PARTNERS

18. DO FOREIGN SUBSIDIARIES OF A COMPANY WITH A GERMAN OFFICE NEED TO CREATE

THEIR OWN CUSTOMER ACCOUNT IN ASCL?
They do not necessarily have to, but it is recommended since it facilitates the process.

Shipping costs are included in the price of each YubiKey in the ACSL-webstore. They are higher for the dispatch to a foreign country than
for shipment within Germany. If YubiKeys are ordered centrally in Germany and after receipt are bundled and shipped internally to foreign
countries some distribution cost might be saved. Beside the own organisation of shipment there will be customs duties to be paid when
exporting to foreign countries.

19. CAN MULTIPLE YUBIKEYS BE INSERTED INTO THE USB PORT OF MY PC AT THE SAME TIME?
The YubiKey 5 models used for strong authentication at BMW possess a touch-sensitive button. As long as you do not press more than
one of these buttons on the YubiKeys plugged into his computer at once, they will not interfere with each other. After logging in to the
desired application, the YubiKey can be removed immediately from the computer.

20. MY QUESTION WAS NOT ANSWERED. WHO CAN I CONTACT?

All general questions concerning YubiKey should be addressed to the IT Service Desk, phone: +49 89 382-55455 (English), E-Mail:
asz.hotline@bmw.de

Questions concerning the B2B Portal should be addressed to https://b2b.bmw.com/de/web/b2b/help.

YUBIKEY PIN FAQ ON THE NEXT PAGE

Version 1.1 02/2022

PIN FAQ’s FOR EXTERNAL PARTNERS

1. WHAT IS THE PIN FOR?

The PIN is needed as the second factor when using „YubiKey + PIN“ as the authentication method. You must therefore register both the
YubiKey and the PIN in order to use „YubiKey + PIN“ to login to the application / system.

2. HOW DO I CREATE / REGISTER A PIN?

The PIN is registered in the Authenticator Enrollment Portal (AEP) accessible over the B2B Portal (search “strong authentication” under
applications or click here). See PDF located in the B2B Portal under Collaboration ->Partnerintegration -> Strong Authentication or
MyBMW IT for instructions.
3. HOW CAN I CHANGE MY PIN?
To change your PIN, access the Authenticator Enrollment Portal (AEP) accessible over the B2B Portal (search “strong authentication”
under applications or click here). In the Authenticator Overview press “PIN”. Then click modify, enter your new PIN twice and save.

4. HOW DO I RESET A FORGOTTEN PIN?

Open the Authentication Enrollment Portal (AEP) accessible over the B2B Portal (search “strong authentication” under applications or
click here), press “forgot my PIN” and follow the process.

5. WHO DO I CONTACT IF I NEED ASSISTANCE?

All general questions concerning the YubiKey PIN should be addressed to the IT Service Desk, phone: +49 89 382-55455 (English), E-
Mail: asz.hotline@bmw.de

Questions concerning the B2B Portal should be addressed to https://b2b.bmw.com/de/web/b2b/help.

Version 1.1 02/2022