Duo - Use a Security Key or Yubikey (USB authentication device)

Issue/Question

• What are Security Keys?
• What type of security key can I use?
• Where can I get a Security Key?
• What are the advantages of Security Keys?
• What are the limitations of Security Keys?
• How do I use my Security Key as an authentication device for Duo at OSU?
• How do I sign-up for Duo using my Security Key?

Environment

• Oregon State University
• Employee, Student or Associate
• ONID Account
• Security Key

Explanation

You may use your Security Key as an authentication device for Duo two-step login.

What is a Security Key?

A Security Key is a USB device that can be used with Duo as the second step in Duo two-step login.  You can sign-up for Duo using a Security Key or add a Security Key to your existing Duo account.

What Type of Security Key Can I Use? 

Any device that is FIDO2-compliant will work with OSU Duo.  Duo also supports the older, FIDO U2F standard.

Where Can I get a Security Key?

A FIDO2-compliant security key (such as a Yubikey) can be purchased online for about $25.

Employees should ask their department to purchase them a security key through normal department purchasing methods. 

In February 2024, some users were contacted and told that they could pick up a Yubikey from their IT team or the Service Desk. These Yubikeys were purchased as part of a project to move off of hardware tokens, and only people on the list who received this notification are eligible to receive a Yubikey this way. All other employees need to go through normal department purchasing methods. Employees are not required to purchase a security key with their own funds.

Students who need a security key and have financial concerns should contact the Basic Needs Center.

Advantages of Security Keys

A single Security Key (such as a Yubikey) can be used to secure more than just your ONID account: you can also use it with many personal accounts such as Twitter, Facebook, GitHub, Dropbox, and many financial services. For a list of services that can be used with a Yubikey, see: https://www.yubico.com/works-with-yubikey/catalog/

Limitations of Security Keys

Duo login with a security key does not work in the following situations:

• Login to SSH servers such as FLIP or Shell.ONID. As a work-around to this issue, you can generate a temporary code at: duo.oregonstate.edu
• OSU VPN login on macOS - the embedded browser of the VPN client on macOS does not support webauthn. As a work-around to this issue, you can generate a temporary code at: duo.oregonstate.edu
• Login to the OSU Remote Desktop Server. The Remote Desktop Gateway server only supports Duo push to a mobile device.

Security Keys are USB devices.  Since there are two primary USB standards which are not the same size, USB-A and USB-C, a security key may not be interchangeable between your personal computer and other computers. However, USB A/C adapters are relatively cheap.

Resolution

Before You Begin

Try to make changes to your devices during open hours of the Service Desk: if something doesn't go as expected, the Service Desk can help you resolve problems quickly.

It's best to add new devices before removing an existing device because you may need to complete a Duo authentication to add the new device. If you're changing your mobile phone number, keep your old phone active for Duo until you have the new phone/phone# working with Duo. Be sure to test the new device before removing the existing device.

Add a Security Key to Duo

1. Plug your Security Key into your computer
2. Browse to duo.oregonstate.edu
3. Select the button "Manage devices"
4. Login with your ONID account if prompted 
5. Pass through the Duo prompts until you reach the screen below.
6. Select “Add a device.”
7. Select “Security Key.”
8. Follow the instructions at the link below to complete the security key setup process.
   https://guide.duo.com/universal-prompt#add-security-key

Sign-up for Duo Using A Security Key

1. Browse to duo.oregonstate.edu
2. Click "Sign-up for Duo"
3. You will be directed to the OSU sign-in page; sign in with your ONID account
4. Click on "Sign-Up with Yubikey"
5. Follow the instructions on-screen; if this is your first time signing up for Duo, click the orange button that says "Sign up for Duo."
6. Follow the on-screen instructions until you reach the screen below. Select "Security Key."
7. Follow the on screen instructions to complete setup.

Troubleshooting

1. You may have a password manager or other software that allows you to save passkeys to it. If you do you should be able to follow similar steps to select your security key as an option.

• If the window that opens is similar to the window below. You will see a small security icon at the top of the window. Select that icon to bring up the window that allows you to select Security Key as an option to save your passkey. See the second image below.

Additional information

• https://guide.duo.com/security-keys
• https://www.yubico.com/2018/08/10-things-youve-been-wondering-about-fido2-webauthn-and-a-passwordless-world/