Using Security Key for Duo Authentication

Security Keys and Duo

The Duo two-factor authentication platform supports security keys, offering secure login approvals resistant to phishing attacks combined with the one-tap convenience of Duo Push.

What are Security Keys?

A security key plugs into your USB port, and when tapped or when the button is pressed, it sends a signed response back to Duo to validate your login. Duo uses the U2F and WebAuthn authentication standards to interact with your security keys. You may also see WebAuthn referred to as “FIDO2”.

Security Key Requirements

To use a security key with Duo, make sure you have the following:

• A supported browser (Chrome 70 or later, Firefox 60 or later, or Opera 40 or later).
• An available USB port. A supported security key. WebAuthn/FIDO2 security keys from Yubico or Feitian are good options.
• U2F-only security keys (like the Yubikey NEO-n) can’t be used with Firefox.

Enrolling a Security Key 

You can enroll your security key during the initial self-enrollment process or, if you have already enrolled in Duo using a different device (like your mobile phone), you can add your security key as an additional authentication device from the Device Management portal.

1. Navigate to a resource that is protected by Duo, Office.com or Box.
   1. Ensure that you are not blocking pop-up windows for the enrollment site before continuing.
2. Select Other options in the authentication prompt. 

3. Click on Manage Devices from the "Other options" menu. 

4. Select your preferred method to verify your identity.
5. In the Device Management portal, click on Add device. 

6. Select Security key. 

7. A pop-up window will prompt you to insert and tap your security key.
   1. When enrolling your security key, you will be prompted to Tap to Enroll your Security Key (possibly more than once).
8. The security key enrollment window automatically tries to locate your connected security key for approval.

9. Follow the prompts to complete the enrollment of your security key.

10. You may be asked if you want to allow Duo to access information about your security key (select Allow or Proceed as applicable).
11. You'll then see whether the security key identification was successful or not.

Authenticating with Security Key

The next time you log on using Duo, you can tap or insert your security key to log in. Some types of keys flash as a prompt for you to authenticate. You do not need to explicitly select the security key from the drop-down list of available devices to use it for authentication in Chrome if you also enrolled it in Chrome.

• In other browsers, you may need to select your security key from the drop-down list of your authentication devices.
• Once you select your security key from the list, click Use Security Key and tap your security key when prompted.

Existing U2F Users: Security Key Update

If you are a user who enrolled a U2F token for Duo authentication before the security key update, you will be prompted to update your security key registration for that device the next time you log in with Chrome using that U2F authenticator. Select Continue and tap the security key. Once the security key registration is updated via Chrome, you can use that security key in both Chrome and Firefox.