Duo / Enroll a YubiKey or Feitian hardware token

Objective

• To provide instruction on setting up and enrolling a YubiKey or Feitian hardware token for use with Duo
• To provide instruction on using your YubiKey or Feitian token to authenticate through VPN

Scope

• On 19 December 2018, Duo Security was implemented as the system-wide, two-factor authentication security application used at Miami University
• This policy affects all current Miami University students, faculty, and staff
  • Miami's alumni, retiree, and emeriti populations are not required to enroll in Duo and will continue to use their Miami password

User

• All current Miami University Students, Faculty, and Staff

Environment

• 312306: Duo Security Two-factor Authentication
• YubiKey 4 or 5 Series Security Key
  • YubiKey hardware token, Yubi
  • U2F hardware device
  • U2F authenticator
  • U2F security token
• Feitian OTP hardware tokens
• Chrome

Rationale

• Two-factor authentication adds a second layer of security to your Miami account. It allows you to verify your identity using a second factor — your smartphone or other mobile device, or hardware token — and prevents anyone else from logging in to your account
• MUIT recommends and supports the use of a YubiKey hardware device for U2F or OTP authentication with Duo
• MUIT recommends and supports the use of a Feitian hardware token for OTP authentication with Duo

Resolution 

Use a YubiKey in U2F mode (Chrome browser):

Note: A YubiKey in U2F mode only works with the Chrome browser. To use a YubiKey with VPN or other browsers, it must be used in OTP mode

1. Log in to the Duo Self Service Portal — here's how
2. Click Add a new device
3. Select U2F
   • A pop-up will prompt you to touch the YubiKey
4. Click Continue to Login

Use a Yubikey in OTP mode (VPN or other browser):

1. MUIT recommends first adding the YubiKey for use in U2F mode before configuring for OTP mode as described in the steps above
2. In your Chrome browser, go to the Yubico site to start the YubiKey personalization tool
   • YubiKey enrollment requires the use of your Chrome browser
   • Alternatively, the YubiKey Personalization Tool is now available in Self Service for macOS (how to access) and the Software Center for Windows (how to access) 
     • The macOS version is a VPP app from the AppStore and will be automatically upgraded as Yubico publishes new versions to Apple
3. Insert the YubiKey into the USB port of your device and wait for it to be recognized by the tool
4. Click Yubico OTP mode
5. Click Quick
6. Select configuration slot 1
   • Select slot 2, if slot 1 has already been configured for another use
7. Click Regenerate
8. Clear the Hide values check box and take note of the serial number (in decimal), Private Identity, and Secret Key
9. Click Write Configuration 
   • It may be necessary to confirm yes to overwrite and supply a logfile name and destination. Overwriting will not affect the YubiKey's use in U2F mode (when using the YubiKey for authenticating through a web browser), but could overwrite a previous configuration for OTP mode. If you currently use your YubiKey in OTP mode for some other purpose and don't want to overwrite that configuration, you should select a different slot than that selected in step 5 above
10. To use the YubiKey in OTP mode, you must have the YubiKey configured by a Duo Administrator in the Duo Admin console. To make this request, contact IT Help by calling 513-529-7900 or initiating a live chat session at MiamiOH.edu/ITChat and ask for your YubiKey token to be configured for use with VPN. IT Services will call you back and ask for three pieces of information about your YubiKey — the serial number, private identity and secret key — which you will find in the YubiKey personalization tool

Use a Feitian token in OTP mode

• To use a Feitian token in OTP mode, you must have the token configured by a Duo Administrator in the Duo Admin console
• To make this request, contact IT Help by calling 513-529-7900 or initiating a live chat session at MiamiOH.edu/ITChat and ask for your Feitian token to be configured
  • IT Services will call you back and ask for the seed or secret key and serial number for your Feitian token

Notes

• YubiKey U2F enrollment requires the use of your Chrome browser
• Duo works with all Yubico devices except for the FIDO U2F security key
• You may associate multiple hardware token devices with your account
   
• Review Duo Security's User Enrollment Guide
• Review our KB article for YubiKey resource and support links