Objective
- To provide instruction on setting up and enrolling a YubiKey or Feitian hardware token for use with Duo
- To provide instruction on using your YubiKey or Feitian token to authenticate through VPN
Scope
- On 19 December 2018, Duo Security was implemented as the system-wide, two-factor authentication security application used at Miami University
- This policy affects all current Miami University students, faculty, and staff
- Miami's alumni, retiree, and emeriti populations are not required to enroll in Duo and will continue to use their Miami password
User
- All current Miami University Students, Faculty, and Staff
Environment
- 312306: Duo Security Two-factor Authentication
- YubiKey 4 or 5 Series Security Key
- YubiKey hardware token, Yubi
- U2F hardware device
- U2F authenticator
- U2F security token
- Feitian OTP hardware tokens
- Chrome
Rationale
- Two-factor authentication adds a second layer of security to your Miami account. It allows you to verify your identity using a second factor — your smartphone or other mobile device, or hardware token — and prevents anyone else from logging in to your account
- MUIT recommends and supports the use of a YubiKey hardware device for U2F or OTP authentication with Duo
- MUIT recommends and supports the use of a Feitian hardware token for OTP authentication with Duo
Resolution
Use a YubiKey in U2F mode (Chrome browser):
Note: A YubiKey in U2F mode only works with the Chrome browser. To use a YubiKey with VPN or other browsers, it must be used in OTP mode
- Log in to the Duo Self Service Portal — here's how
- Click Add a new device
- Select U2F
- A pop-up will prompt you to touch the YubiKey
- Click Continue to Login
Use a YubiKey in OTP mode (VPN or other browser):
- MUIT recommends first adding the YubiKey for use in U2F mode, as described in the steps above, before configuring it for OTP mode
- In your Chrome browser, go to the Yubico site to start the YubiKey personalization tool
- Insert the YubiKey into the USB port of your device and wait for it to be recognized by the tool
- Click Yubico OTP mode
- Click Quick
- Select configuration slot 1
- Select slot 2, if slot 1 has already been configured for another use
- Click Regenerate
- Clear the Hide values check box and take note of the serial number (in decimal), Private Identity, and Secret Key
- Click Write Configuration
- It may be necessary to confirm "Yes" to overwrite and to supply a logfile name and destination. Overwriting will not affect the YubiKey's use in U2F mode (when using the YubiKey for authenticating through a web browser), but could overwrite a previous configuration for OTP mode. If you currently use your YubiKey in OTP mode for some other purpose and don't want to overwrite that configuration, you should select a different slot from the one selected in step 5 above
- To use the YubiKey in OTP mode, you must have the YubiKey configured by a Duo Administrator in the Duo Admin console. To make this request, contact IT Help by calling 513-529-7900 or initiating a live chat session at MiamiOH.edu/ITChat and ask for your YubiKey token to be configured for use with VPN. IT Services will call you back and ask for three pieces of information about your YubiKey — the serial number, private identity and secret key — which you will find in the YubiKey personalization tool
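The three values requested above are easy to mistype when they are read over the phone. The following Python check is an added example, not part of the original article or of any MUIT, Yubico or Duo tooling. It normalizes the values as copied from the personalization tool and assumes the standard Yubico OTP sizes (a 6-byte private identity and a 16-byte AES-128 secret key); the class and function names are hypothetical and the sample values in the usage are constructed.

```python
import re
from dataclasses import dataclass, field

PRIVATE_ID_BYTES = 6    # Yubico OTP private identity length (assumed standard size)
SECRET_KEY_BYTES = 16   # Yubico OTP secret key is an AES-128 key


@dataclass(frozen=True)
class OtpEnrollment:
    serial: int
    # repr=False keeps both secrets out of logs, tickets and tracebacks.
    private_id: str = field(repr=False)
    secret_key: str = field(repr=False)


def _hex_field(name, raw, nbytes):
    """Strip separators from a hex value and check its exact length."""
    cleaned = re.sub(r"[\s:\-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]*", cleaned):
        raise ValueError(f"{name}: contains non-hex characters")
    if len(cleaned) != 2 * nbytes:
        raise ValueError(
            f"{name}: expected {2 * nbytes} hex digits, got {len(cleaned)}"
        )
    return cleaned


def parse_enrollment(serial, private_id, secret_key):
    """Validate the three values noted from the personalization tool."""
    serial = serial.strip()
    # The decimal serial is required; a hex or modhex rendering is rejected
    # whenever it contains letters.
    if not re.fullmatch(r"[0-9]+", serial) or int(serial) == 0:
        raise ValueError("serial: expected the decimal serial number")
    key = _hex_field("secret key", secret_key, SECRET_KEY_BYTES)
    # Sanity check: a key made of one repeated byte was not regenerated.
    if len(set(bytes.fromhex(key))) == 1:
        raise ValueError("secret key: every byte is identical; regenerate it")
    pid = _hex_field("private identity", private_id, PRIVATE_ID_BYTES)
    return OtpEnrollment(int(serial), pid, key)


if __name__ == "__main__":
    # Constructed sample values, not from a real token.
    print(parse_enrollment("1234567", "a1 b2 c3 d4 e5 f6",
                           "00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF"))
```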
Use a Feitian token in OTP mode
- To use a Feitian token in OTP mode, you must have the token configured by a Duo Administrator in the Duo Admin console
- To make this request, contact IT Help by calling 513-529-7900 or initiating a live chat session at MiamiOH.edu/ITChat and ask for your Feitian token to be configured
- IT Services will call you back and ask for the seed or secret key and serial number for your Feitian token
Notes