Multi-Factor Authentication (MFA), Hardware Tokens and Security Keys

Hardware tokens and security keys are small, portable devices that can be used for Multi-Factor Authentication (MFA). If you don't have a device compatible with the Duo Mobile app, or do not want to use a personal device for MFA, you can use a hardware token purchased from the Webstore instead. Hardware tokens also do not depend on connectivity to the internet.

Important Note:

The USB Security Key sold by the Webstore (Security Key NFC by Yubico) uses modern and secure WebAuthn/FIDO2 authentication standards and is supported by Duo Universal Prompt.

These security keys currently DO NOT work with the UIC Virtual Private Network (VPN).

To Register your USB Security Key follow the instructions in the section below .

Screenshot showing a FIDO Security Key being used at the Duo Universal Prompt

Obtaining a Hardware Token

Only tokens purchased through the University of Illinois Webstore are fully supported for authentication with Duo. They are set up with the private identity and secret key for the University's MFA service. The University has a tightly controlled provisioning process to meet the University's security needs.

While any staff or faculty member can purchase a token through the University of Illinois Webstore, you may want to check with your manager or department lead on the process for providing tokens to its employees. Students are also eligible to purchase hardware tokens. Shipping/Delivery information is detailed during your ordering process. Tokens can only be used with University resources. Unit purchases are considered property of the University and token use must comply with all appropriate policies.

Important info regarding security keys:

The new security keys sold by the Webstore are compatible with the Duo Universal Prompt.

Users can also bring their own WebAuthn/FIDO2 compatible security keys for authentication through the Duo Universal Prompt, with the following caveats:

Similar to security keys sold through the Webstore, we strongly recommend users to set up a backup authentication method.
Support is limited for security keys not purchased through the Webstore.

Hardware Token Options

There are currently three hardware token options sold by the Webstore:

Token Comparison
Token Type	Security Key (USB-A)	Security Key (USB-C)
Product Image
Description	A small USB device that you insert into your computer. You press a button on the token to authenticate when prompted. The Security Key is the preferred option in terms of accessibility, particularly for those visually impaired. User will need access to the USB device in order to authenticate.	A small USB device that you insert into your computer. You press a button on the token to authenticate when prompted. The Security Key is the preferred option in terms of accessibility, particularly for those visually impaired. User will need access to the USB device in order to authenticate.
Dimensions	18mm x 45mm x 3.3mm	18mm x 45mm x 3.3mm
Weight	3.0g	3.0g
Price	See University of Illinois WebStore.	See University of Illinois Webstore
Requirements	Any computing device with a USB-A port	Any computing device with a USB-C port

Registering and Using your Hardware Token or Security Key

Important: These security keys currently do not work with the UIC Virtual Private Network (VPN).

Please follow the instructions for your device:

Security Key (from Webstore or B.Y.O.D.)

As mentioned above, only the Duo Universal Prompt support the new Security Keys sold by the Webstore.

Registration must be completed via a Duo Universal Prompt when logging into login.microsoft.com using your University's login credentials.

Register

Navigate to login.microsoft.com using an Incognito or Private Browsing window so that you will be prompted by Duo (otherwise you may be automatically signed in).
From a Duo Universal Prompt, click on Other options then Manage devices.
After authenticating, you will be in the device management portal.
Click on Add a device, then click on Security key.
Click on Continue.
Follow the prompts from your browser and operating system for adding your security key.
Plug in and touch your security key. If prompted, enter the PIN for your security key.
Your device is ready for use, with the icon showing the security key.

Use

When prompted, touch your security key to authenticate.

Duo Universal Prompt security key

Additional Information

Forgotten hardware tokens

If you forgot your token and cannot log into the system requiring 2FA, visit NetID Center - Get temporary passcode at the bottom of the page.

Lost hardware tokens

If you lose your hardware token, you should immediately sign into the NetID Center using an alternate method or by generating a bypass code. Once in the NetID Center, click on "Manage my 2FA". Here, select the lost token and click the red trash can icon to remove it. This way the token cannot be used by someone else to access your account. If you find the token, you can follow the above steps again to register it to your account once more.

Registering a hardware token to another employee

Tokens can be reassigned for use by another employee. The new owner of the token can register it to themselves by following the instructions listed above.

Hardware Token Issues

If your Yubikey is not authenticating, make sure that CAPS LOCK is turned off and try again. If still an issue, please proceed with the below steps:

Please note: Faulty tokens will be replaced up to 6 months from the time of purchase. Please reference your purchase receipt number when requesting a replacement.

If you work remotely and can not come to campus, please email or call your University Service Desk for assistance:

Urbana: consult@illinois.edu, (217) 244-7000
System Offices: (217) 333-3102
Springfield: (217) 206-6000
Chicago: help.uic.edu, (312) 413-0003 option 2