Duo - Use a Security Key or Yubikey (USB authentication device)

Issue/Question

  • What are Security Keys?
  • What are the advantages of Security Keys vs Duo Hardware Tokens?
  • What are the drawback of Security Keys?
  • How do I use my Security Key as an authentication device for Duo at OSU?
  • How do I sign-up for Duo using my Security Key?

Note: Security keys can be used only for web-based login.  They do not work for interactive logins, such as SSH sessions.

Environment

  • Oregon State University
  • Employee, Student or Associate
  • ONID Account
  • Security Key

Explanation

You may use your Security Key as an authentication device for Duo two-step login.

What is a Security Key

A Security Key is a USB device that can be used with Duo as the second step in Duo two-step login.  You can sign-up for Duo using a Security Key or add a Security Key to your existing Duo account.

What Type of Security Key Can I Use?

Any device that is FIDO2-compliant will work with OSU Duo.  Duo also supports the older, FIDO U2F standard.

Advantages of Security Keys vs Duo Hardware Tokens

An OSU Duo Hardware Token can be used only for your ONID account. OSU Duo tokens can also only be purchased at the OSU Beaver Store.

A single Security Key (such as a Yubikey) can be used to secure more than just your ONID account: you can also use it with many personal accounts such as Twitter, Facebook, (personal) Gmail, GitHub, Dropbox, and many financial services. For a list of services that can be used with a Yubikey, see: https://www.yubico.com/works-with-yubikey/catalog/

Risk of Security Keys

A Security Key only works for browser based authentication, and is only supported by specific browsers.  If you need to use Duo in a non-web browser use, such as to connect to Engineering's Flip server or to connect to ONID's shell server, you will not be able to use a security key.  Non-web browser authentication uses require the mobile app or a hardware token.

Security Keys are USB devices.  Since there are two primary USB standards which are not the same size, USB-A and USB-C, a security key may not be interchangeable between your personal computer and other computers, such as those in labs.

Resolution

Before You Begin

Try to make changes to your devices during open hours of the IS Service Desk: if something doesn't go as expected, the Service Desk can help you resolve problems quickly.

It's best to add new devices before removing an existing device because you may need to complete a Duo authentication to add the new device. If you're changing your mobile phone number, keep your old phone active for Duo until you have the new phone/phone# working with Duo. Be sure to test the new device before removing the existing device.

Add a Security Key to Duo

  1. Plug your Security Key into your computer
  2. Browse to duo.oregonstate.edu
  3. Select the button "Manage your Duo devices" 
  4. Login with your ONID account if prompted 
  5. The section for "I want to manage my mobile devices" should already be expanded; if it is not, click on "I want to manage my mobile devices" 
  6. You will need to Duo authenticate again - select "Enter a Passcode" or "Send me a Push" 
  7. Select “+ Add another device” under the OSU logo
  8. Select “Security Key (YubiKey, Feitan, etc.)” and then click “Continue” 
  9. Read the directions on the next screen and click “Continue” again; a pop-up window will open after this 
  10. When the “Insert and tap your Security Key to enroll...” window opens, tap the sensor on your Security Key 
  11. If the window does not advance to the next window remove the Security Key and reconnect it to your computer and tap the sensor again
  12. Enter a PIN for your security key if prompted
  13. You may be prompted to touch the security key again
  14. On the “Allow this site to see your security key” window click “Allow”
  15. Once you have completed adding the security key, it will be listed in your Duo devices 

Sign-up for Duo Using A Security Key

  1. Browse to duo.oregonstate.edu
  2. Click "Sign-up for Duo"
  3. You will be directed to the OSU sign-in page; sign in with your ONID account
  4. Click on "Sign-Up with Yubikey"
  5. Follow the instructions on-screen; if this is your first time signing up for Duo, click the green button that says "Start Setup"
  6. Follow the on-screen instructions to complete setup

Additional information

  • https://guide.duo.com/security-keys
  • https://www.yubico.com/2018/08/10-things-youve-been-wondering-about-fido2-webauthn-and-a-passwordless-world/

 

Details

Article ID: 83300
Created
Wed 7/17/19 4:49 PM
Modified
Thu 10/17/19 1:23 PM