Skip navigation
Documentation

Managing 2FA Devices

Contents

Manage phones, hardware tokens, and other two-factor authentication devices from the Duo Admin Panel.

To access the Admin Panel, navigate to https://admin.duosecurity.com , enter your administrator account email address and password, and click Log In. After your login is accepted, you then authenticate using a second factor. You must activate your administrator account for Duo Mobile separately from your user account to use Duo's push authentication. See Managing Administrators for instructions.

Managing 2FA Devices

Listing 2FA Devices

  1. Log in to the Duo Admin Panel and click 2FA Devices in the left sidebar. The default view called "Phones" also includes tablet devices. A list of phones and tablets is shown, along with the attached user(s), if any.

    2FA Devices View

    If you're using Duo's Platform Edition, the default 2FA Devices view includes a number of selectable filters on the left side. You can narrow down the list of devices by OS platform, version, or security feature.

    Platform 2FA Device List

    Click the Reports button in the upper right side of the devices list and select CSV or JSON to download a a list of devices. You can also select URL to obtain a direct link to your current view. If you've filtered your current view, the report only includes the filtered results.

  2. Select a phone by clicking the identifier in the "Device" column. This loads the properties page for that phone or tablet. The device page lists the attached user (or users) information and other information and properties.

    Device Details

    Platform Edition customers see additional security status information when viewing an enrolled device.

    iOS Device Details

    To learn more about the additional 2FA device information visible in Platform Edition, see the Device Insight documentation.

Adding a 2FA Device to a User

Role required: Owner, Administrator, User Manager, or Help Desk.

Administrators can create a new phone or tablet device in Duo and attach it to an existing user. To do this:

  1. Log in to the Duo Admin Panel and click Users in the left sidebar, or enter a username into the search bar at the top of the page.

  2. Select a user by clicking their username. Scroll down to the Phones table on the user's properties page and then click the + Add Phone button.

    Add a device

  3. Select the type of device. If you're adding a phone, you'll also need to enter the phone number.

    Add a device

  4. Click the Add Phone button.

  5. On the next page you'll be asked to add details, the most important being the device's "Type" and "Platform". You can also chose to assign a "Device name", which is very helpful when users have several numberless mobile devices (like tablets). When you've finished entering details, click Save Changes.

    Device properties

Administrators can also attach an existing device to multiple Duo users.

  1. Log in to the Duo Admin Panel and click 2FA Devices in the left sidebar.

  2. Select a phone by clicking the identifier in the "Device" column. Click the Attach a user link on the device's properties page.

    Add a device

  3. Select a Duo user from the drop-down list and click Attach.

    Select a user

  4. The additional user is attached to the 2FA device. A notification bar across the top alerts you that the device is shared between more than one user.

    Add a device

Activating Duo Mobile for a 2FA Device

Adminsistrators can send Duo Mobile activation codes from the Admin Panel. See Managing Users: Activating Duo Mobile.

Reordering User Devices

Role required: Owner, Administrator, User Manager, or Help Desk.

When using Duo's automatic push or phone call authentication the service contacts the first device listed in the user's Devices table (phone1). Attached devices can be reordered so that a different one is used for primary authentication.

  1. Log in to the Duo Admin Panel and click Users in the left sidebar.

  2. Select a user by clicking the username in the "Username" column. Scroll down to the Phones table on the user's properties page, click on the device that should be listed first and drag it into place.

    Reorder devices

  3. The device aliases automatically update (e.g. phone2 becomes phone1).

Dealing With Lost or Stolen Phones

Role required: Owner, Administrator, User Manager, or Help Desk.

If a user loses a mobile device or reports it stolen, you can entirely delete the device from Duo, simultaneously removing it from all associated users. Deleted devices can easily be added back later.

To delete a device:

  1. Log in to the Duo Admin Panel and click Users in the left sidebar.

  2. Select a user by clicking his or her username. Scroll down to the Phones table on the user's properties page and then click on the Alias or Device of the phone to delete.

    Phone Table

  3. Click the Delete Phone button near the top of the phone properties page.

    Delete the phone

    Confirm deletion of the phone.

    Confirm phone deletion

Remember

Deleting a phone in this manner removes it from all associated users immediately. When the device is recovered, you can add it to the user again and re-activate Duo Mobile. If you have deployed a Duo application that uses inline enrollment, the user can self-enroll a replacement device. For extra security, you may want to disable the user in Duo until he or she is ready to enroll a replacement device.

If you only need to remove a shared device from a specific user's profile (leaving other users sharing the device unaffected), you can do so:

  1. Log in to the Duo Admin Panel and click Users in the left sidebar.

  2. Select a user by clicking his or her username. Scroll down to the Phones table on the user's properties page and click the Remove button next to the lost or stolen device.

    Click 'Remove Phone From User'

You can later add the device to the user again and re-activate Duo Mobile. If you have deployed a Duo application that uses inline enrollment, the user can self-enroll a replacement device.

If a device is removed from all users sharing it, the device is deleted from Duo.

Listing Hardware Tokens

  1. Log in to the Duo Admin Panel, click 2FA Devices in the left sidebar, then click Hardware Tokens. A list of hardware tokens is shown, along with the attached end user, if any.

    Tokens View

    Administrators with the Owner role see an additional column of administrators attached to hardware tokens.

    Tokens View for Owners

    Click the Reports button in the upper right side of the tokens list and select CSV or JSON to download a a list of tokens. You can also select URL to obtain a direct link to your current view. If you've filtered your current view, the report only includes the filtered results.

  2. Select a token by clicking the identifier in the "Serial Number" column. This loads the properties page for that token. The token page lists the token type and attached end user information.

    Device Details

    Administrators with the Owner role see an additional table with attached administrator user information.

    Device Details for Owners

Importing Hardware Tokens

Role required: Owner, Administrator, User Manager, or Help Desk.

To purchase tokens from Duo, click 2FA Devices in the left sidebar of the Duo Admin Panel, click Hardware Tokens in the submenu, then click the Buy Hardware Tokens button. Enter your billing information if not already present, then select the number of tokens you wish to purchase and enter your shipping information and click the "Place Order" button. Tokens purchased from Duo are automatically imported into your account.

Duo also works with third-party one-time password (OTP) hardware tokens, such as YubiKey OTP or any other SHA-1 OATH HOTP-compatible tokens. TOTP tokens are not recommended for use with Duo, as full support for TOTP token drift and TOTP resync is not available.

Admins need to manually import third-party OTP token information into Duo. When importing tokens, keep in mind that tokens should be unique between Duo accounts.

Duo supports FIDO U2F tokens, but U2F tokens can't be imported or assigned to users from the Admin Panel. Instead, users self-enroll the U2F token via the Duo enrollment prompt or device management portal. See our documentation about enabling U2F authentication and the U2F enrollment process for end users to learn more.

To import third-party OTP tokens into Duo:

  1. Log in to the Duo Admin Panel and click 2FA Devices in the left sidebar, then click Hardware Tokens in the submenu.

  2. Click the +Import Hardware Tokens button.

    Import Tokens

  3. Select the type of token to import from the drop-down menu and then paste in the token information in CSV format. This information is provided by the hardware token manufacturer or vendor. The token serial number cannot exceed 128 characters. Click Import Hardware Tokens.

    Add token information

  4. The tokens are immediately imported and listed in the "Hardware Tokens" table.

    Token import successful

If you need to import a large number of YubiKey tokens you can use Yubico's personalization tool to configure multiple tokens quickly and export a CSV file with the serial number and key information you need to import the YubiKeys into Duo. Deploying more than 500 YubiKeys? Contact us for more information about how to make it easier.

Assigning a Token to an End User

Role required: Owner, Administrator, User Manager, or Help Desk.

To assign a token to an end user:

  1. Click Users in the left sidebar. Select a user by clicking his or her username. Scroll down to the Hardware Tokens table on the user's properties page and then click the +Add Hardware Token button.

    User Token Assignment

  2. Click the drop-down menu to see a list of available tokens. You can also search for a token by typing in the serial number.

    Add token information

    Click a token to select it, and then click Add Hardware Token.

    Add token information

  3. The user's properties page now lists the newly added token.

    Add token information

Tokens can also be associated with users from the token's properties page. A hardware token may be assigned to multiple end users.

  1. Log in to the Duo Admin Panel and click 2FA Devices in the left sidebar, then click Hardware Tokens.

  2. Click on the Serial Number of a token to access the token's properties page. On the token's properties page, scroll down to the Users table and click the + Attach User button.

    Add token information

  3. Select a Duo user from the drop-down list and click Attach.

  4. The token's properties page now lists the attached user.

    Add token information

Assigning a Token to an Administrator

Role required: Owner.

Assigning a hardware token to an Administrator permits token passcode authentication when logging in to the Duo Admin Panel. OTP hardware tokens (but not U2F tokens) may be used for administrator logins.

Only account owners may modify other administrator accounts to add hardware token authenticators. A hardware token may be assigned to multiple administrator users.

To attach a token to an administrator:

  1. Log in to the Duo Admin Panel and click Administrators in the left sidebar.

  2. Click on the administrative user's name to view details.

  3. Click the drop-down menu to see a list of available hardware tokens. You can also search for a token by typing in the serial number.

    Add administrator token information

    Click a token to select it, and then click Save Changes at the bottom of the page.

  4. The administrator's properties page shows the newly added token. Click the Remove link to the right to remove the hardware token from the administrator's account.

    View or remove administrator hardware token

Resynchronizing Tokens

Hardware tokens may occasionally become out of sync with Duo's service. When this happens, passcodes generated by the token fail to authenticate the user. Administrators can manually resynchronize HOTP hardware tokens purchased from Duo or thrid-party vendors. TOTP tokens imported into Duo cannot be resynchronized.

To resynchronize a HOTP hardware token:

  1. Log in to the Duo Admin Panel, click 2FA Devices in the left sidebar, and then click Hardware Tokens.

  2. Click on the Serial Number of a token to access the token's properties page. Once on the token's properties page, click the Resync Token button near the top of the token's properties page.

    Resync the token

  3. Enter the code displayed on the token as the 1st code. Advance to the next token code and enter that number as the 2nd code. Advance to the next token code one more time and enter that number as the 3rd code. Click the Resync Hardware Token button after entering all three token codes.

    Enter token codes for resync

Deleting Tokens

You may delete third-party hardware tokens you previously imported into Duo (but not D100 tokens purchased from Duo).

To delete a third-party hardware token:

  1. Log in to the Duo Admin Panel and click 2FA Devices in the left sidebar. Then click Hardware Tokens.

  2. Click on the Serial Number of a token to access the token's properties page. Once on the token's properties page, click the Delete Hardware Token button near the top of the token's properties page.

    Delete the token

    Confirm deletion of the hardware token.

    Confirm phone deletion

Remember

Deleting a token in this manner removes it from all associated users immediately. If those users still need to authenticate to Duo, ensure that they have another authentication device attached to their user accounts.

While administrators can't import U2F tokens or attach them to users, U2F tokens can be deleted from the Admin Panel.

To delete a U2F token:

  1. Log in to the Duo Admin Panel and click 2FA Devices in the left sidebar; then click U2F Tokens.

  2. Locate the registration ID or user whose U2F token you want to delete in the table, and then click the Remove button on the right.

    Remove U2F token

    Confirm deletion of the U2F token.

    Confirm U2f token deletion

Troubleshooting

Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.

Ready to Get Started?

Sign Up Free