Multi-Factor Authentication (MFA), Hardware Tokens and Security Keys

Hardware tokens and security keys are small, portable devices that can be used for Multi-Factor Authentication (MFA). If you don't have a device compatible with the Duo Mobile app, or do not want to use a personal device for MFA, you can use a hardware token purchased from the Webstore instead. Hardware tokens also do not depend on connectivity to the internet.

Important Note:

The USB Security Key currently sold by the Webstore (Security Key NFC by Yubico) uses modern and secure WebAuthn/FIDO2 authentication standards.

The Duo Universal Prompt used by Urbana, Chicago, and Springfield login pages support these standards. Some AITS login pages use the Duo Universal Prompt as well.

However, the older custom Duo prompts cannot be used with the Security Keys sold by the Webstore. AITS is in the process of transitioning their applications to the new Duo Universal Prompt.

As of the time of writing, some major applications using the older prompt (and thus incompatible with these Security Keys) include:

Additionally, the NetID Center does not support registering security keys. Registration must be done via a Duo Universal Prompt when logging into an Urbana M365 (Outlook, Teams, etc.) or Shibboleth (Canvas, Box, etc.) application. Currently only the Urbana Duo application has the device management option turned on. See section below for instructions.

Table showing the visual differences between the Duo Universal Prompt and the AITS custom Duo prompt
(New) Duo Universal Prompt Older Duo Prompt
Security Keys sold by Webstore are not supported at these prompts!
Screenshot showing a FIDO Security Key being used at the Duo Universal Prompt Screenshot showing a Yubikey being used at the older AITS Duo prompt

Obtaining a Hardware Token

Only tokens purchased through the University of Illinois Webstore are fully supported for authentication with Duo. They are set up with the private identity and secret key for the University's MFA service. The University has a tightly controlled provisioning process to meet the University's security needs.

While any staff or faculty member can purchase a token through the University of Illinois Webstore, you may want to check with your manager or department lead on the process for providing tokens to its employees. Students are also eligible to purchase hardware tokens. Upon purchase, tokens can be delivered via campus mail or USPS at no charge.  Tokens can only be used with University resources.  Unit purchases are considered property of the University and token use must comply with all appropriate policies.

Important info regarding security keys:

As stated at the top of the article, the new security keys sold by the Webstore are compatible with the Duo Universal Prompt, but not with the AITS custom Duo prompt.

Users can also bring their own WebAuthn/FIDO2 compatible security keys for authenticating at a Duo Universal Prompt (Urbana, Chicago, and Springfield login pages), with the following caveats:

  • Like with the security keys sold by the Webstore, these will not be able to be used for authentication at AITS-hosted Duo prompts when logging into their services such as Banner, HR systems, My UI Info, etc. Because of this, we recommend that you have a backup authentication option set up.
  • Support is limited for security keys not purchased through the Webstore.

Hardware Token Options

There are currently three hardware token options sold by the Webstore:

Token Comparison
 Token Type Security Key (USB-A) OTP C100
Product Image  Image showing USB-A and USB-C Yubikey Security Keys  OTP C100
Description A small USB device that you insert into your computer.  You press a button on the token to authenticate when prompted.

The Security Key is the preferred option in terms of accessibility, particularly for those visually impaired.

User will need access to the USB device in order to authenticate.  If it is not within reach, the OTP C100 would be a better option.
A small electronic device that can be attached to a keyring.  It has a single button that you press to generate a passcode that you then manually enter into the screen when prompted.
Dimensions 18mm x 45mm x 3.3mm 29mm x 62mm x 11mm
Weight 3.0g 14.4g
Price See University of Illinois WebStore. See University of Illinois WebStore.
Requirements Any computing device with a USB-A port No hardware requirements

Registering and Using your Hardware Token or Security Key

Note: The Security Key model currently sold by the Webstore (Security Key NFC by Yubico) is not compatible with the custom Duo prompt used at some AITS login pages.

Please follow the instructions for your device:

Security Key (from Webstore or B.Y.O.D.) 

As mentioned above, only the Duo Universal Prompt (Urbana, Chicago, Springfield, and some AITS login screens) support the new Security Keys sold by the Webstore.

The NetID Center does not support registration of Security Keys. Registration must be done via a Duo Universal Prompt when logging into an Urbana M365 (Outlook, Teams, etc.) or Shibboleth (Canvas, Box, etc.) application.

Currently only the Urbana Duo application has the device management option turned on, so these instructions apply for Urbana users.

Register

  1. For Urbana users, make sure you are logging into a M365 or Shibboleth application. It might be easiest to open an Incognito or Private Browsing window so that you know you will be prompted by Duo (otherwise you may be automatically signed in).
    From a Duo Universal Prompt, click on Other options then Manage devices.
    Duo Universal Prompt Manage Devices option
  2. After authenticating, you will be in the device management portal.
  3. Click on Add a device, then click on Security key.
  4. Click on Continue.
  5. Follow the prompts from your browser and operating system for adding your security key.
  6. Plug in and touch your security key. If prompted, enter the PIN for your security key.
  7. Your device is ready for use, with the icon showing the security key.
    Device added, showing new security key

Use

When prompted, touch your security key to authenticate.

Duo Universal Prompt security key

C100 OTP Token

Register

The C100 OTP Token can only be registered via the NetID Center.

  1. Visit the NetID Center at https://identity.uillinois.edu
  2. Click Login and login with your NetID and password then authenticate with 2FA if applicable
  3. Click Manage my 2FA
  4. Click + Add a new device
  5. Click Hardware Token
  6. Type in the serial number of your device which can be found on the back of the hardware token.  
  7. Click Continue
  8. Confirm Token by pressing the red button on your token.  It will generate and display 6-digit code.  Manually enter this code into the box and select Enter.
  9. Your hardware token is now ready for use.

Use

Duo Universal Prompt

Select the option for hardware token and then enter the code from your device.

Universal prompt hardware token screen

AITS Custom Duo Prompt

Select the option for hardware token and then enter the code from your device.

Additional Information

Forgotten hardware tokens

If you forgot your token and cannot log into the system requiring 2FA, visit NetID Center - Get temporary passcode at the bottom of the page.

Lost hardware tokens

If you lose your hardware token, you should immediately sign into the NetID Center using an alternate method or by generating a bypass code. Once in the NetID Center, click on "Manage my 2FA". Here, select the lost token and click the red trash can icon to remove it. This way the token cannot be used by someone else to access your account. If you find the token, you can follow the above steps again to register it to your account once more.

Registering a hardware token to another employee

Tokens can be reassigned for use by another employee.  The new owner of the token can register it to themselves by following the instructions listed above.

Hardware Token Issues

If your Yubikey is not authenticating, make sure that CAPS LOCK is turned off and try again.  If still an issue, please proceed with the below steps:
  • Please note: Faulty tokens will be replaced up to 6 months from the time of purchase.  Please reference your purchase receipt number when requesting a replacement.
If your token is not generating a code or is not registering properly, you can visit your University Service Desk.  They can troubleshoot the issue or possibly exchange your token.  
  • Urbana - Digital Computer Lab 1211
  • Springfield - Information Security Office, Human Resources Building (HSB), Room 133
  • Chicago - Please email consult@uic.edu and a staff member will follow up for an appointment.
If you work remotely and can not come to campus, please email or call your University Service Desk for assistance:
  • Urbana consult@illinois.edu, (217) 244-7000
  • System Offices (217) 333-3102
  • Springfield (217) 206-6000
  • Chicago (312) 413-0003 option 9



Keywords:
MFA, 2FA, multi-factor 2-factor authentication, Two-factor authentication, Duo, Duo Security, Verify, UI Verify, enrollment, multi-factor, multifactor, security, AITS, token, yubikey, c100, register, claim, fob, key fob usb-c usb c 
Doc ID:
72159
Owned by:
Identity and Access Management in University of Illinois Technology Services
Created:
2017-03-29
Updated:
2024-07-11
Sites:
University of Illinois at Springfield, University of Illinois System, University of Illinois Technology Services