Multi-Factor Authentication (MFA), Hardware Tokens and Security Keys
Important Note:
The USB Security Key currently sold by the Webstore (Security Key NFC by Yubico) uses modern and secure WebAuthn/FIDO2 authentication standards.
The Duo Universal Prompt used by Urbana, Chicago, and Springfield login pages supports these standards. Some AITS login pages use the Duo Universal Prompt as well.
However, the older custom Duo prompts cannot be used with the Security Keys sold by the Webstore. AITS is in the process of transitioning their applications to the new Duo Universal Prompt.
As of the time of writing, some major applications using the older prompt (and thus incompatible with these Security Keys) include:
- iBuy
- System Human Resource Services (https://www.hr.uillinois.edu/) where earnings statements and My UI Info can be accessed.
Additionally, the NetID Center does not support registering security keys. Registration must be done via a Duo Universal Prompt when logging into an Urbana M365 (Outlook, Teams, etc.) or Shibboleth (Canvas, Box, etc.) application. Currently only the Urbana Duo application has the device management option turned on. See section below for instructions.
(New) Duo Universal Prompt | Older Duo Prompt: Security Keys sold by Webstore are not supported at these prompts! |
---|---|
Obtaining a Hardware Token
Only tokens purchased through the University of Illinois Webstore are fully supported for authentication with Duo. They are set up with the private identity and secret key for the University's MFA service. The University has a tightly controlled provisioning process to meet the University's security needs.
While any staff or faculty member can purchase a token through the University of Illinois Webstore, you may want to check with your manager or department lead on your unit's process for providing tokens to employees. Students are also eligible to purchase hardware tokens. Upon purchase, tokens can be delivered via campus mail or USPS at no charge. Tokens can only be used with University resources. Unit purchases are considered property of the University, and token use must comply with all appropriate policies.
Important info regarding security keys:
As stated at the top of the article, the new security keys sold by the Webstore are compatible with the Duo Universal Prompt, but not with the AITS custom Duo prompt.
Users can also bring their own WebAuthn/FIDO2 compatible security keys for authenticating at a Duo Universal Prompt (Urbana, Chicago, and Springfield login pages), with the following caveats:
- As with the security keys sold by the Webstore, these cannot be used for authentication at AITS-hosted Duo prompts when logging into their services such as Banner, HR systems, My UI Info, etc. Because of this, we recommend that you have a backup authentication option set up.
- Support is limited for security keys not purchased through the Webstore.
Hardware Token Options
There are currently three hardware token options sold by the Webstore:
Token Type | Security Key (USB-A) | OTP C100 |
---|---|---|
Description | A small USB device that you insert into your computer. You press a button on the token to authenticate when prompted. The Security Key is the preferred option in terms of accessibility, particularly for those who are visually impaired. The user will need access to the USB device in order to authenticate. If it is not within reach, the OTP C100 would be a better option. | A small electronic device that can be attached to a keyring. It has a single button that you press to generate a passcode that you then manually enter into the screen when prompted. |
Dimensions | 18mm x 45mm x 3.3mm | 29mm x 62mm x 11mm |
Weight | 3.0g | 14.4g |
Price | See University of Illinois WebStore. | See University of Illinois WebStore. |
Requirements | Any computing device with a USB-A port | No hardware requirements |
Registering and Using your Hardware Token or Security Key
Note: The Security Key model currently sold by the Webstore (Security Key NFC by Yubico) is not compatible with the custom Duo prompt used at some AITS login pages.
Please follow the instructions for your device:
Security Key (from Webstore or B.Y.O.D.)
As mentioned above, only the Duo Universal Prompt (Urbana, Chicago, Springfield, and some AITS login screens) supports the new Security Keys sold by the Webstore.
The NetID Center does not support registration of Security Keys. Registration must be done via a Duo Universal Prompt when logging into an Urbana M365 (Outlook, Teams, etc.) or Shibboleth (Canvas, Box, etc.) application.
Currently only the Urbana Duo application has the device management option turned on, so these instructions apply to Urbana users.
Register
- For Urbana users, make sure you are logging into an M365 or Shibboleth application. It might be easiest to open an Incognito or Private Browsing window so that you know you will be prompted by Duo (otherwise you may be automatically signed in).
- From a Duo Universal Prompt, click on Other options then Manage devices.
- After authenticating, you will be in the device management portal.
- Click on Add a device, then click on Security key.
- Click on Continue.
- Follow the prompts from your browser and operating system for adding your security key.
- Plug in and touch your security key. If prompted, enter the PIN for your security key.
- Your device is ready for use, with the icon showing the security key.
Use
When prompted, touch your security key to authenticate.
C100 OTP Token
Register
The C100 OTP Token can only be registered via the NetID Center.
- Visit the NetID Center at https://identity.uillinois.edu
- Click Login and log in with your NetID and password, then authenticate with 2FA if applicable
- Click Manage my 2FA
- Click + Add a new device
- Click Hardware Token
- Type in the serial number of your device, which can be found on the back of the hardware token.
- Click Continue
- Confirm Token by pressing the red button on your token. It will generate and display a 6-digit code. Manually enter this code into the box and select Enter.
- Your hardware token is now ready for use.
Use
Duo Universal Prompt
Select the option for hardware token and then enter the code from your device.
AITS Custom Duo Prompt
Select the option for hardware token and then enter the code from your device.
Additional Information
Forgotten hardware tokens
If you forgot your token and cannot log into the system requiring 2FA, visit NetID Center - Get temporary passcode at the bottom of the page.
Lost hardware tokens
If you lose your hardware token, you should immediately sign into the NetID Center using an alternate method or by generating a bypass code. Once in the NetID Center, click on "Manage my 2FA". Here, select the lost token and click the red trash can icon to remove it. This way the token cannot be used by someone else to access your account. If you find the token, you can follow the above steps again to register it to your account once more.
Registering a hardware token to another employee
Tokens can be reassigned for use by another employee. The new owner of the token can register it to themselves by following the instructions listed above.
Hardware Token Issues
- Please note: Faulty tokens will be replaced up to 6 months from the time of purchase. Please reference your purchase receipt number when requesting a replacement.
- Urbana - Digital Computer Lab 1211
- Springfield - Information Security Office, Human Resources Building (HSB), Room 133
- Chicago - Please email consult@uic.edu and a staff member will follow up for an appointment.
- Urbana consult@illinois.edu, (217) 244-7000
- System Offices (217) 333-3102
- Springfield (217) 206-6000
- Chicago (312) 413-0003 option 9
See Also
- Multi-Factor Authentication (MFA), Introduction
- Multi-Factor Authentication (MFA), How to Use
- Multi-Factor Authentication (MFA), Enrollment
- Multi-Factor Authentication (MFA), Device Management
- Multi-Factor Authentication (MFA), Troubleshooting
- Multi-Factor Authentication (MFA), Hardware Tokens and Security Keys