Multi-Factor Authentication (MFA), Hardware Tokens and Security Keys
Hardware tokens and security keys are small, portable devices that can be used for Multi-Factor Authentication (MFA). If you don't have a device compatible with the Duo Mobile app, or do not want to use a personal device for MFA, you can use a hardware token purchased from the Webstore instead. Hardware tokens also do not depend on connectivity to the internet.
Obtaining a Hardware Token
Only tokens purchased through the University of Illinois Webstore are fully supported for authentication at both Duo Prompts. They are set up with the private identity and secret key for the University's MFA service. The University has a tightly controlled provisioning process to meet the University's security needs.
While any staff or faculty member can purchase a token through the University of Illinois Webstore, you may want to check with your manager or department lead on the process for providing tokens to its employees. Students are also eligible to purchase hardware tokens. Upon purchase, tokens can be delivered via campus mail or USPS at no charge. Tokens can only be used with University resources. Unit purchases are considered property of the University and token use must comply with all appropriate policies.
Users can also bring their own WebAuthn/FIDO2 compatible security keys for authenticating at a Duo Universal Prompt (Urbana, Chicago, and Springfield login pages), with the following caveats:
- These will not be able to be used for authentication at AITS-hosted Duo prompts such as at the NetID Center or when logging into uillinois.edu sites (Banner, HR systems, My UI Info, etc). Because of this, we recommend that you have a backup authentication option set up.
- Support is limited for security keys not purchased through the Webstore.
Hardware Token Options
There are currently two hardware token options sold by the Webstore:
| Token Type | Yubikey (USB-A) | OTP C100 |
|---|---|---|
| Product Image |  |
 |
| Description | A small USB device that you insert into your computer. You press a button on the token to generate and automatically enter a passcode into the Duo prompt. The Yubikey is the preferred option in terms of accessibility, particularly for those visually impaired. User will need access to the USB device in order to authenticate. If it is not within reach, the OTP C100 would be a better option. |
A small electronic device that can be attached to a keyring. It has a single button that you press to generate a passcode that you then manually enter into the screen when prompted. |
| Dimensions | 18mm x 45mm x 3.3mm | 29mm x 62mm x 11mm |
| Weight | 3.0g | 14.4g |
| Price | University of Illinois WebStore | University of Illinois WebStore |
| Requirements | Any computing device with a USB-A port | No hardware requirements |
Registering and Using your Hardware Token or Security Key
Note: The Yubikey model currently sold by the Webstore (Yubikey 5 NFC) can be used as a standard U2F hardware token, or it can be used as a security key using more modern and secure WebAuthn/FIDO2 authentication standards. Currently, only the Duo Universal Prompt used by Urbana, Chicago, and Springfield login pages support these standards. Instructions on how to enable this extra functionality will be mentioned below.
Please follow the instructions for your device:
Yubikey Hardware Token functionality
Register
To register your Yubikey as a basic U2F hardware token, you must use the NetID Center.
- Visit the NetID Center at https://identity.uillinois.edu
- Click Login and login with your NetID and password then authenticate with 2FA if applicable
- Click Manage my 2FA
- Click + Add a new device
- Click Hardware Token
- Type in the serial number of your device which can be found on the back of the hardware token.
- Click Continue
- Insert the Yubikey in the USB port of your computer with the gold button facing up. It will take a few seconds to register the first time.
- Make sure that CAPS Lock is off, then press the gold button on the Yubikey. It will generate a passcode for you and your device will be registered.
- Your hardware token is now ready for use.
Use
Select the option for Yubikey, make sure your device is plugged in, and that CAPS Lock is off. Then press the gold button on the Yubikey.
Duo Universal Prompt
AITS Custom Duo Prompt
Yubikey or B.Y.O.D. WebAuthn/FIDO2 Security Key functionality (more secure)
As mentioned above, only the Duo Universal Prompt (Urbana, Chicago, and Springfield login screens) support this newer authentication method.
Register
- From a Duo Universal Prompt, click on Other options then Manage devices.
- After authenticating, you will be in the device management portal.
- Click on Add a device, then click on Security key.
- Click on Continue.
- Follow the prompts from your browser and operating system for adding your security key.
- Plug in and touch your security key. If prompted, enter the PIN for your security key.
- Your device is ready for use. If your Yubikey was purchased from the Webstore and you set it up in the NetID Center, it will appear twice (once for each protocol).
Use
When prompted, touch your security key to authenticate.
C100 OTP Token
Register
The C100 OTP Token can only be registered via the NetID Center.
- Visit the NetID Center at https://identity.uillinois.edu
- Click Login and login with your NetID and password then authenticate with 2FA if applicable
- Click Manage my 2FA
- Click + Add a new device
- Click Hardware Token
- Type in the serial number of your device which can be found on the back of the hardware token.
- Click Continue
- Confirm Token by pressing the red button on your token. It will generate and display 6-digit code. Manually enter this code into the box and select Enter.
- Your hardware token is now ready for use.
Use
Duo Universal Prompt
Select the option for hardware token and then enter the code from your device.
AITS Custom Duo Prompt
Select the option for hardware token and then enter the code from your device.
Additional Information
Forgotten hardware tokens
If you forgot your token and cannot log into the system requiring 2FA, visit NetID Center - Get temporary passcode at the bottom of the page.
Lost hardware tokens
If you lose your hardware token, you should immediately sign into the NetID Center using an alternate method or by generating a bypass code. Once in the NetID Center, click on "Manage my 2FA". Here, select the lost token and click the red trash can icon to remove it. This way the token cannot be used by someone else to access your account. If you find the token, you can follow the above steps again to register it to your account once more.
Registering a hardware token to another employee
Tokens can be reassigned for use by another employee. The new owner of the token can register it to themselves by following the instructions listed above.
Hardware Token Issues
- Please note: Faulty tokens will be replaced up to 6 months from the time of purchase. Please reference your purchase receipt number when requesting a replacement.
- Urbana - Digital Computer Lab 1211
- Springfield - Information Security Office, Human Resources Building (HSB), Room 133
- Chicago - Please email consult@uic.edu and a staff member will follow up for an appointment.
- Urbana consult@illinois.edu, (217) 244-7000
- System Offices (217) 333-3102
- Springfield (217) 206-6000
- Chicago (312) 413-0003 option 9