Security Keys and Duo
Our two-factor authentication platform supports security keys, offering secure login approvals resistant to phishing attacks combined with the one-tap convenience you're already used to with Duo Push.
What are Security Keys?
A security key plugs into your USB port and when tapped or when the button is pressed it sends a signed response back to Duo to validate your login. Duo uses the U2F and WebAuthn authentication standards to interact with your security keys. You may also see WebAuthn referred to as "FIDO2".
Security Key Requirements
In order to use a security key with Duo, make sure you have the following:
- A supported browser (Chrome 70, Firefox 60, Safari 13 or later), or Microsoft Edge 79 or later. Support for authentication is limited to web applications that show Duo's inline browser prompt.
- An available USB port.
- A supported USB security key. WebAuthn/FIDO2 security keys from Yubico or Feitian are good options. U2F-only security keys (like the Yubikey NEO-n) can't be used with Firefox.
Additionally, your administrator must enable the use of security keys in Duo. Check with your organization's support team or help desk to verify that security keys are allowed if you are uncertain.
Enrolling your Security Key
You can enroll your security key during the initial self-enrollment process or, if you have already enrolled in Duo using a different device (like your mobile phone), you can add your security key as an additional authentication device from the device management portal.
Initial Enrollment with a Security Key
Access the Duo enrollment page via a link emailed by your administrator, or when you log in for the first time to a Duo protected resource. Select Security Key from the list of devices and then click Continue.
Make sure that you're not blocking pop-up windows for the enrollment site before continuing.
The security key enrollment window automatically tries to locate your connected security key for approval.
Depending on your security key model, you'll need to tap, insert, or press a button on your device to proceed.
When enrolling your security key, you'll be prompted to tap to enroll your security key (possibly more than once). You may also be asked if you want to allow Duo to access information about your security key (click Allow or Proceed as applicable).
You'll see whether the security key identification was successful or not.
Congratulations! You have enrolled your security key.
Adding a Security Key From the Duo Prompt
If you previously enrolled other devices in Duo, you can easily add your new security key as an additional authenticator as long as your administrator has enabled Duo's self-service portal.
Navigate to your Duo-protected service and log in. At the Duo Prompt you'll see an Add a new device link on the left. Click it and approve the Duo login request using your already enrolled phone or other device.
Proceed with the security key enrollment process as shown above in Initial Enrollment with a Security Key.
You've added your security key (in this example, a security key from Yubico)! It is listed with your other enrolled devices.
Authenticating with a Security Key
The next time you log on using Duo, you can simply tap or insert your security key to log in. Some types of keys flash as a prompt for you to authenticate.
You do not need to explicitly select the security key from the drop-down list of available devices to use it for authentication in Chrome or Edge if you also enrolled it in one of those browsers.
In other browsers, you may need to select your security key from the drop-down list of your authentication devices.
Once you select your security key from the list, click Use Security Key and tap your security key when prompted.
Existing U2F Users: Security Key Update
If you're a user who enrolled a U2F token for Duo authentication before the security key update, you'll be prompted to update your security key registration for that device the next time you log in with Chrome or Edge using that U2F authenticator.
Simply click Continue and tap the security key.
Once the security key registration is updated via Chrome or Edge, you can use that security key in all supported browsers.