U2F Authenticators and Duo

U2F is here, and Duo is ready! Our two-factor authentication platform now supports U2F hardware devices, which offer secure login approvals resistant to phishing attacks combined with the one-tap convenience you're already used to with Duo Push.

What is U2F?

Universal 2nd Factor, or U2F, is an authentication standard developed by the FIDO Alliance that is designed to be open, secure, private, and easy to use. The U2F device plugs into your USB port and when tapped or when the button is pressed it sends a signed response back to Duo to validate your login. You can learn more on our U2F page.

U2F Requirements

In order to use a U2F device with Duo, make sure you have the following:

  • A supported browser (Chrome 41 or later)
  • An available USB port

Additionally, your administrator must enable the use of U2F tokens in Duo. Check with your organization's support team or help desk to verify that U2F is allowed if you are uncertain.

Enrolling your U2F Token

You can enroll your U2F authentication device during the initial self-enrollment process or, if you have already enrolled in Duo using a different device (like your mobile phone), you can add your U2F token as an additional authentication device from the device management portal.

Initial Enrollment with a U2F Token

Access the Duo enrollment page via a link emailed by your administrator, or when you log in for the first time to a Duo protected resource. Select U2F token from the list of devices, then click Continue.

Make sure that you're not blocking pop-up windows for the enrollment site before continuing.

The U2F enrollment window automatically contacts your second factor device for approval.

Depending on your U2F token model, you'll need to tap, insert, or press the button on your U2F authenticator to proceed.

Congratulations! You have enrolled your U2F token.

The next time you log on using Duo, simply tap or insert your U2F token to log in. Some types of U2F tokens flash as a prompt for you to authenticate. You do not need to explicitly select the U2F token to use it.


Adding a U2F Token From the Duo Prompt

If you previously enrolled other devices in Duo, you can easily add your new U2F token as an additional authenticator as long as your administrator has enabled Duo's self-service portal.

Navigate to your Duo-protected service and log in. At the Duo Prompt you'll see an Add a new device link on the left. Click it and approve the Duo login request using your already enrolled phone or other device.

Proceed with the U2F enrollment process as shown above in Initial Enrollment with a U2F Token.

You've added your U2F token! It is listed with your other enrolled devices.