1. Knowledge Base
  2. Security and Access
  3. Authentication and Account (NetID) Management
  4. Duo
  5. Using a Security Key with Duo

Using a Security Key with Duo

Tags NETID

Security Keys and Duo

The Duo two-factor authentication platform supports security keys, offering secure login approvals resistant to phishing attacks combined with the one-tap convenience of Duo Push.

What are Security Keys?

A security key plugs into your USB port, and when tapped or when the button is pressed, it sends a signed response back to Duo to validate your login. Duo uses the U2F and WebAuthn authentication standards to interact with your security keys. You may also see WebAuthn referred to as “FIDO2”.

Security Key Requirements

To use a security key with Duo, make sure you have the following:

  • A supported browser (Chrome 70 or later, Firefox 60 or later, or Opera 40 or later).
  • An available USB port. A supported security key. WebAuthn/FIDO2 security keys from Yubico or Feitian are good options.
  • U2F-only security keys (like the Yubikey NEO-n) can’t be used with Firefox.

Enrolling a Security Key for Duo Mobile Authentication

Please note that UT Dallas does not provide security keys.

  1. In your web browser, navigate to a resource that is protected by Duo(such as the Office 365 Portal (portal.office.com) or Box (utdallas.box.com))
  2. On the Duo authentication screen, select 'Add a new device' and authenticate before continuing.
  • Note: Ensure that you are not blocking pop-up windows for the enrollment site before continuing.

Duo authentication screen.

  1. Select 'Security Key' as your device and click 'Continue'.

Duo authentication screen for adding a device including Security Key.

  1. A pop-up window will prompt you to tap your security key. When enrolling your security key, you will be prompted to tap to enroll your security key (possibly more than once). 

Screen for entering security key.

  1. Upon its initial setup, you may also be asked to input a PIN if your security key is required.

Screen for entering PIN for the the security key.

  1. You may also be asked if you want to allow Duo to access information about your security key (select 'Allow' or 'Proceed' as applicable).

Screen to grant permission to duosecirty.com to see the make and model of the security key with allow and block buttons.

  1. You have now enrolled your security key. Select 'My Settings and Devices' from the Duo authentication page to ensure that your Security Key has been added to your DUO devices.
  • After authenticating, your Security Key should appear along with your mobile device (if you have one registered).

Duo My settings and devices screen showing added devices.

Authenticating with a Security Key

The next time you log on using Duo, you can tap or insert your security key to log in. Some types of keys flash as a prompt for you to authenticate. You do not need to explicitly select the security key from the drop-down list of available devices to use it for authentication in Chrome if you also enrolled it in Chrome.

  • In other browsers, you may need to select your security key from the drop-down list of your authentication devices.
  • Once you select your security key from the list, click 'Use Security Key' and tap your security key when prompted.

Existing U2F Users: Security Key Update

If you are a user who enrolled a U2F token for Duo authentication before the security key update, you will be prompted to update your security key registration for that device the next time you log in with Chrome using that U2F authenticator. Select Continue and tap the security key. Once the security key registration is updated via Chrome, you can use that security key in both Chrome and Firefox.

Details

Article ID: 348
Created
Mon 11/22/21 12:51 PM
Modified
Thu 2/23/23 1:54 PM

Related Services / Offerings (1)

Duo
Duo is the university two-factor authentication method designed to add a second layer of security to your NetID account. Verifying your identity using a second factor, such as your phone or a security key, prevents anyone but you from logging in, even if they know your password.