Using Security Key for Duo Authentication

Security Keys and Duo

The Duo two-factor authentication platform supports security keys, offering secure login approvals resistant to phishing attacks combined with the one-tap convenience of Duo Push.

What are Security Keys?

A security key plugs into your USB port, and when tapped or when the button is pressed, it sends a signed response back to Duo to validate your login. Duo uses the U2F and WebAuthn authentication standards to interact with your security keys. You may also see WebAuthn referred to as “FIDO2”.

Security Key Requirements

To use a security key with Duo, make sure you have the following:

  • A supported browser (Chrome 70 or later, Firefox 60 or later, or Opera 40 or later).
  • An available USB port. A supported security key. WebAuthn/FIDO2 security keys from Yubico or Feitian are good options.
  • U2F-only security keys (like the Yubikey NEO-n) can’t be used with Firefox.

Enrolling a Security Key 

You can enroll your security key during the initial self-enrollment process or, if you have already enrolled in Duo using a different device (like your mobile phone), you can add your security key as an additional authentication device from the Device Management portal.

Note: UT Dallas does not provide security keys.
  1. Navigate to a resource that is protected by Duo, Office.com or Box.
    1. Ensure that you are not blocking pop-up windows for the enrollment site before continuing.
  2. Select Other options in the authentication prompt. 

Other options located in authentication prompt.

  1. Click on Manage Devices from the "Other options" menu. 

Manage Devices is located at the bottom of the Other options menu

  1. Select your preferred method to verify your identity.
  2. In the Device Management portal, click on Add device

Add Device icon on Device Maangement portal

  1. Select Security key

Security is the second option for adding new device.

  1. A pop-up window will prompt you to insert and tap your security key.
    1. When enrolling your security key, you will be prompted to Tap to Enroll your Security Key (possibly more than once).
  2. The security key enrollment window automatically tries to locate your connected security key for approval.

Security inserted on device to start enrollment

  1. Follow the prompts to complete the enrollment of your security key.

Prompt allowing you to cancel during the security key enrollment process.

  1. You may be asked if you want to allow Duo to access information about your security key (select Allow or Proceed as applicable).
  2. You'll then see whether the security key identification was successful or not.

Successful enrollment of security key.

Authenticating with Security Key

The next time you log on using Duo, you can tap or insert your security key to log in. Some types of keys flash as a prompt for you to authenticate. You do not need to explicitly select the security key from the drop-down list of available devices to use it for authentication in Chrome if you also enrolled it in Chrome.

  • In other browsers, you may need to select your security key from the drop-down list of your authentication devices.
  • Once you select your security key from the list, click Use Security Key and tap your security key when prompted.

Existing U2F Users: Security Key Update

If you are a user who enrolled a U2F token for Duo authentication before the security key update, you will be prompted to update your security key registration for that device the next time you log in with Chrome using that U2F authenticator. Select Continue and tap the security key. Once the security key registration is updated via Chrome, you can use that security key in both Chrome and Firefox.

Note: In 2022, Google announced they will no longer support the U2F API in Chrome. Visit Duo's Guide to end of support for U2F to learn more.
Print Article

Details

Article ID: 348
Created
Mon 11/22/21 12:51 PM
Modified
Wed 3/13/24 8:19 AM

Related Services / Offerings (1)

Duo
Duo is the university two-factor authentication method designed to add a second layer of security to your NetID account. Verifying your identity using a second factor, such as your phone or a security key, prevents anyone but you from logging in, even if they know your password.