Has your organization enabled the new Universal Prompt experience? See the Universal Prompt guide for more information and instructions. Duo Push in Universal Prompt

Use Security Keys with the Traditional Duo Prompt

Our two-factor authentication platform supports security keys, offering secure login approvals resistant to phishing attacks combined with the one-tap convenience you're already used to with Duo Push.

What are Security Keys?

A security key plugs into your USB port and when tapped or when the button is pressed it sends a signed response back to Duo to validate your login. Duo uses the WebAuthn authentication standards to interact with your security keys. You may also see WebAuthn referred to as "FIDO2".

Security Key Requirements

In order to use a security key with Duo, make sure you have the following:

  • A supported browser (Chrome 70, Firefox 60, Safari 13 or later), or Microsoft Edge 79 or later. Support for authentication is limited to web applications that show Duo's inline browser prompt.
    • If your organization requires user verification of your security key with a PIN or biometric then you should use the most recent version of your browser.
  • A supported USB security key. WebAuthn/FIDO2 security keys from Yubico or Feitian are good options. We do not support U2F-only security keys (like the Yubikey NEO-n).
    • If your organization requires user verification of your security key with a PIN or biometric then your security key must support FIDO2.

Additionally, your administrator must enable the use of security keys in Duo. Check with your organization's support team or help desk to verify that security keys are allowed if you are uncertain.

Enrolling your Security Key

You can enroll your security key during the initial self-enrollment process or, if you have already enrolled in Duo using a different device (like your mobile phone), you can add your security key as an additional authentication device from the device management portal.

Initial Enrollment with a Security Key

Chrome experience shown unless noted.

Access the Duo enrollment page via a link emailed by your administrator, or when you log in for the first time to a Duo protected resource. Select Security Key from the list of devices and then click Continue.

Security Key Selection in Duo Prompt

Make sure that you're not blocking pop-up windows for the enrollment site before continuing.

Security Key Enrollment

If you're using Safari 14.1 or later, click the Initiate enrollment button to proceed. Other browsers do not require this step.

Safari Security Key Initiation

The security key enrollment window automatically tries to locate your connected security key for approval.

Security Key Prompt

Depending on your security key model, you'll need to tap, insert, or press a button on your device to proceed.

Photo of finger about to tap a security key

When enrolling your security key, you'll be prompted to tap to enroll your security key (possibly more than once).

Browser Prompt for Security Key

If your organization requires user verification and you have not already configured a PIN or biometric for your security key you will need to do that now. If you already set your PIN or configured biometrics for your security key then you'll need to enter your PIN or scan your biometric to complete setup.

Browser Prompt to set Security Key PIN

Follow the browser prompts to complete enrollment of your security key, allowing Duo to access information about your security key during setup.

You'll see whether the security key identification was successful or not.

Security Key Enrollment Success

Congratulations! You have enrolled your security key.

Security Key Added

Adding a Security Key From the Duo Prompt

Chrome experience shown unless noted.

If you previously enrolled other devices in Duo, you can easily add your new security key as an additional authenticator as long as your administrator has enabled Duo's self-service portal.

Navigate to your Duo-protected service and log in. At the Duo Prompt you'll see an Add a new device link on the left. Click it and approve the Duo login request using your already enrolled phone or other device.

Add a New Device Link

Proceed with the security key enrollment process as shown above in Initial Enrollment with a Security Key.

Security Key Selection in Duo Prompt

You've added your security key (in this example, a security key from Yubico)! It is listed with your other enrolled devices.

Security Key Added

Authenticating with a Security Key

Chrome experience shown unless noted.

The next time you log on using Duo, select your security key from the drop-down list of your authentication devices.

YubiKey Security Key Selection in Duo Prompt

Once you select your security key from the list, click Use Security Key.

Begin Security Key Authentication

If you're using Safari 14.1 or later, click the Initiate authentication button to proceed. Other browsers do not require this step.

Safari Security Key Initiation

Insert your security key if it's not already connected, and then tap your security key when prompted. Some types of keys flash as a prompt for you to authenticate.

Security Key Prompt

If your organization requires user verification you'll need to enter your PIN or scan your biometric as well.

Security Key Prompt with PIN User Verification