Duo - YubiKeys and Duo Hardware Tokens

Overview

YubiKeys are hardware security devices produced by YubiCo. They are compatible with the Duo 2-Factor authentication system, and they can be used to provide a second authentication factor in lieu of the Duo Mobile app or a telephone call.

Duo hardware tokens provide one-time passcodes for two-factor authentication and do not require a telephone, smartphone, or connection to a computer.

Purchasing and Recommendations

Purchasing

Hardware security devices must be purchased through Texas A&M. Devices purchased elsewhere will not be authenticated for use with Texas A&M accounts.

Faculty and Staff (departmental purchases)

• Devices can be purchased through https://itselfservice.tamu.edu/ under the heading Software Licensing.
• Available devices are YubiKey 5, YubiKey 5c, and Duo hardware token.
• Purchases must be made with a departmental cost center account

Students, faculty, and staff (personal purchase)

• Devices can be purchased on http://software.tamu.edu/.
• Available devices are YubiKey 5, YubiKey 5c, and Duo hardware token.
• Purchases can be made with a credit card.

Please note, retired faculty cannot purchase Yubikey online from the software center, and must contact Help Desk Central for further instruction.

Pick up location is at Help Desk Central in the Computing Services Center, Room CS00 between Monday - Friday, 8 AM - 5 PM. (Hours may be affected during Holiday and Break times. Please contact Help Desk Central via phone call to verify our walk in area is open.)

Recommendation

• If your computer has an easily accessible, traditional USB port, you can use the YubiKey 5 device.
  
• If your computer uses USB-C ports , you can use the YubiKey 5c device.
  
• If you will need to use Duo 2-factor authentication on a computer without USB ports and will be in a location where you can not have a mobile device with the Duo Mobile app installed, you should use a Duo hardware token.
  

Additional Information

The following technical information is summarized from the YubiCo website. A comparison chart of all current YubiKeys and their features is available.

Common YubiKey features

• Small enough to fit on a keychain
• Connect physically to the computer via a USB port
• Authenticate by pressing a contact pad on the YubiKey
• Support for FIDO Universal 2nd Factor (U2F) authentication
• Support for One Time Password (OTP) generation (except Key)
• Support for Open Authentication (OATH) OTP generation (except Security Key)
• Support for OpenPGP encryption (except Security Key)

Add Yubikey to Duo

If you have purchased a Yubikey from a source other than the University, you will still be able to link the Yubikey to your Duo 2-Factor Authentication account. To add your Yubikey to your Duo account, please walk through the steps below.

1. Navigate to https://gateway.tamu.edu/duo-enroll/.
2. Click Enroll/Manage Devices.
3. Login with your NetID and NetID password.
4. Click Add a new device under the TAMU logo.
5. Authenticate with a push, call, or passcode. If none of these options are available to you, call Help Desk Central at 979.845.8300 for a bypass code.
6. Select U2F.
7. Click Continue and follow the remaining prompts.
8. Your Yubikey can be set to the primary authentication device in the drop down menu on the main Duo page.

U2F Yubikey Not Enrolling Properly

If you have registered a Yubikey but it doesn't seem to be authenticating properly, you can try out the following troubleshooting tips. Please note, Yubikey's are not compatible when logging into SSO using the UIN Logon - you will need to sign in through the NetID log on (icon to the right).

Troubleshooting

1. Clear your browser's cache and cookies, then try authenticating again. https://u.tamu.edu/clearcache
2. Re-enroll the Yubikey in Duo by using these directions:
   1. Navigate to https://gateway.tamu.edu/duo-enroll/.
   2. Click Enroll/Manage Devices.
   3. Login with your NetID and NetID password.
   4. Click Add a new device under the TAMU logo.
   5. Authenticate with a push, call, or passcode. If none of these options work for you, call Help Desk Central at 979.845.8300 for a bypass code.
   6. Select U2F.
   7. Click Continue and follow the remaining prompts.
3. If you have another device enrolled in Duo, see if you can authenticate with that device. If you do not have another device enrolled, try enrolling another device to see if it will work. If your Yubikey does not work but another device does, this indicates a problem with the Yubikey. If you are unable to authenticate on any device, there may be something wrong with your browser or account.
4. See if you can authenticate on other devices. Try a different computer or a smartphone.
5. If you need bypass codes for any of the above troubleshooting tips, or if you are unable to resolve the issue, call Help Desk Central at 979.845.8300 or visit them in person. Their service floor is located in the Computing Services Center, room CS00.