Use FIDO2 key in Duo
In web-based applications that use Duo's Universal Prompt, a FIDO2 key can be used as a second factor instead of the Duo Mobile App. At the bottom of the page you will find a brief explanation of what web-based applications or the Universal Prompt means in this context.
Since not all Cisco Duo protected applications work with the web-based Universal Prompt, a FIDO2 key can only be added as an additional second factor after the initial registration via the Duo Mobile App has been successfully completed or after a Duo hardware token has been linked to your account.
If you still want to add a FIDO2 key as the sole second factor, please contact the helpdesk with your request. After successfully adding a FIDO2 key, you will be given the option to use a security key / passkey to confirm your identity in Duo's Universal Prompt.
Please understand that we cannot provide detailed technical support for the various products available on the market that are compatible with FIDO2. If you have any basic questions, please consult the manufacturer's documentation. Our implementation supports only external FIDO2 keys (roaming authenticators); so-called platform authenticators such as Touch ID are not supported.
The following guide shows how to add a YubiKey with FIDO2 support enabled in Cisco Duo. The operating system used is Windows 11 and the YubiKey was connected via USB. With other operating systems or other FIDO2 keys, the steps may differ slightly, but the general procedure is the same. Screenshots are in German for now, but an English version will follow soon.
Instructions
1. Log in to the Duo device administration. This is only possible if you have already successfully completed the initial registration or a Duo hardware token has been linked to your account before.
Did you receive a link from our helpdesk by email on request instead? Then please start directly with step 3 of these instructions.
2. Click on Add device in the Duo device management.
3. Select Security key as the new device.
4. Select Continue.
5. Under Windows 11, communication with your security key is handled by Windows Security. Choose to save the key on your security key and click Next.
6. Windows Security will now prompt you to connect the security key via USB.
7. Enter the FIDO2 PIN of your security key when you are prompted to do so. If you have not yet set up a FIDO2 PIN, you may be prompted to do so.
8. The security key may request a physical confirmation depending on the model.
9. If the setup was successful, you will receive a success message.
10. You may receive a separate request from your browser to allow passing on information about your security key.
11. The security key is then successfully registered for Duo and you can select it as a second factor in supported applications to confirm your identity.
Supported applications
What does "web-based applications" or "universal prompt" mean?
Where can I not use my FIDO2 key as a second factor?
Contact
If you have any questions or problems, please contact the ITCC-Helpdesk.