Managing 2FA Devices

Last Updated: May 7th, 2019

Manage phones, hardware tokens, and other two-factor authentication devices from the Duo Admin Panel.

To access the Admin Panel, navigate to the Duo Admin Panel, enter your administrator account email address and password, and click Log In. After your login is accepted, you then authenticate using a second factor. You must activate your administrator account for Duo Mobile separately from your user account to use Duo's push authentication. See Managing Duo Administrators for instructions.

The browser used to access the Admin Panel must support TLS 1.2, which most modern browsers do by default. If you are concerned about compatibility, please update your browser or check your browser’s SSL implementation here: https://www.ssllabs.com.

Managing 2FA Devices

Listing 2FA Devices

  1. Log in to the Duo Admin Panel and click 2FA Devices in the left sidebar. The default view called "Phones" also includes tablet devices. A list of phones and tablets is shown, along with the attached user(s), if any.

    If you're using Duo's Duo Beyond or Duo Access plans, the default 2FA Devices view includes a number of selectable filters on the left side. You can narrow down the list of devices by OS platform, version, or security feature.

    2FA Device List

    MFA and Free editions see a breakdown of phone devices by type, followed by the device list.

    MFA 2FA Phones View

    Click the Export button in the upper right side of the devices list and select CSV, JSON, or PDF to download a list of devices. You can also select URL to obtain a direct link to your current view. If you've filtered your current view, the report only includes the filtered results.

  2. Select a phone by clicking the identifier in the "Device" column. This loads the properties page for that phone or tablet. The device page shows the user(s) attached to that phone, and other information and properties like the phone number, the type of device, the model and operating system, etc.

    Duo Beyond and Duo Access plan customers can view device security information about enrolled devices, like the screen lock status.

    Access and Beyond Device Details

    MFA plan users do not see the "Device Security" information, but all other details are present.

    MFA Device Details

    To learn more about the additional 2FA device information visible in the Duo Beyond and Duo Access plans, see the Device Insight documentation.

Adding a 2FA Device to a User

Role required: Owner, Administrator, User Manager, or Help Desk.

Administrators can create a new phone or tablet device in Duo and attach it to an existing user. To do this:

  1. Log in to the Duo Admin Panel and click Users in the left sidebar, or enter a username into the search bar at the top of the page.

  2. Select a user by clicking their username. Scroll down to the Phones table on the user's properties page and then click the Add Phone button (you can also add a tablet to the user this way).

    Add a device

  3. Select the type of device. If you're adding a phone, you'll also need to enter the phone number. If you're adding a tablet, then the phone number field disappears. Click the Add Phone button.

    Add a device

  4. On the next page you'll be asked to add details, the most important being the device's "Type" and "Platform". You can also choose to assign a "Device name", which may be helpful when users have several numberless mobile devices (like tablets). When you've finished entering details, click Save Changes.

    Device properties

    If you've added an office phone dialed via extension, click Show extension settings to expose additional fields for entering the phone extension and adding a delay before or after dialing the extension (helpful if the Duo call needs to wait for an audio prompt to complete before continuing).

    Extension Settings

Administrators can also attach an existing device to multiple Duo users.

  1. Log in to the Duo Admin Panel and click 2FA Devices in the left sidebar.

  2. Select a phone by clicking the identifier in the "Device" column. Click the Attach a user link on the device's properties page.

    Attach User to Phone

  3. Select a Duo user from the drop-down list and click Attach.

    Select a user

  4. The additional user is attached to the 2FA device. A notification bar across the top alerts you that the device is shared between more than one user.

    Shared device

You can add up to 100 2FA phone and tablet devices to a user, or associate one 2FA device with up to 100 users.

Activating Duo Mobile for a 2FA Device

Administrators can send Duo Mobile activation codes from the Admin Panel. See Managing Users: Activating Duo Mobile.

Reordering User Devices

Role required: Owner, Administrator, User Manager, or Help Desk.

When using Duo's automatic push or phone call authentication, the service contacts the first device listed in the user's Devices table (phone1). Attached devices can be reordered so that a different one is used for primary authentication.

  1. Log in to the Duo Admin Panel and click Users in the left sidebar.

  2. Select a user by clicking the username in the "Username" column. Scroll down to the Phones table on the user's properties page, click on the device that should be listed first and drag it into place.

    Reorder devices

  3. The device aliases automatically update (e.g. phone2 becomes phone1).

Dealing With Lost or Stolen Phones

Role required: Owner, Administrator, User Manager, or Help Desk.

If a user loses a mobile device or reports it stolen, you can entirely delete the device from Duo, simultaneously removing it from all associated users. Deleted devices can easily be added back later.

To delete a device:

  1. Log in to the Duo Admin Panel and click Users in the left sidebar.

  2. Select a user by clicking their username. Scroll down to the Phones table on the user's properties page and then click on the Alias or Device of the phone to delete.

  3. Click on Delete Phone near the top of the phone properties page. You'll need to confirm deletion of the phone.

    Confirm phone deletion

Remember

Deleting a phone in this manner removes it from all associated users immediately. When the device is recovered, you can add it to the user again and re-activate Duo Mobile. If you have deployed a Duo application that uses inline enrollment, the user can self-enroll a replacement device. For extra security, you may want to disable the user in Duo until they are ready to enroll a replacement device.

If you only need to remove a shared device from a specific user's profile (leaving other users sharing the device unaffected), you can do so:

  1. Log in to the Duo Admin Panel and click Users in the left sidebar.

  2. Select a user by clicking their username. Scroll down to the Phones table on the user's properties page and click the trash icon next to the lost or stolen device to remove it.

You can later add the device to the user again and re-activate Duo Mobile. If you have deployed a Duo application that uses inline enrollment, the user can self-enroll a replacement device.

If a device is removed from all users sharing it, the device is permanently deleted from Duo.

Managing OTP Hardware Tokens

Duo supports authentication using one-time password (OTP) hardware tokens. These can be tokens purchased directly from Duo, or certain token models purchased from a third party and imported into Duo. Once a token is present in Duo, it can be assigned to end users or administrators (or both).

Listing Hardware Tokens

  1. Log in to the Duo Admin Panel, click 2FA Devices in the left sidebar, then click Hardware Tokens. A list of hardware tokens is shown, along with the attached end user, if any.

    Tokens View

    Administrators with the Owner role see an additional column of administrators attached to hardware tokens.

    Tokens View for Owners

    Click the Reports button in the upper right side of the tokens list and select CSV, JSON, or PDF to download a list of tokens. You can also select URL to obtain a direct link to your current view. If you've filtered your current view, the report only includes the filtered results.

  2. Select a token by clicking the identifier in the "Serial Number" column. This loads the properties page for that token. The token page lists the token type and attached end user information.

    Device Details

    Administrators with the Owner role see an additional table with attached administrator user information.

    Device Details for Owners

Purchasing Duo Hardware Tokens

Role required: Owner or Billing.

To purchase tokens from Duo, click Billing in the left sidebar of the Duo Admin Panel, click Hardware Tokens in the submenu, then click the Buy Hardware Tokens button. Enter your billing information if not already present, then select the number of tokens you wish to purchase and enter your shipping information and click the "Place Order" button.

Tokens purchased from Duo are automatically imported into your account, so Duo does not provide the token seeds directly to you (nor can you export the seed information from your account). This protects the integrity and confidentiality of your Duo token seeds and minimizes the likelihood of token compromise. If you wish to maintain control of your token seeds, please purchase third-party tokens from another vendor and import them into Duo.

Importing Third-Party Hardware Tokens

Role required: Owner, Administrator, User Manager, or Help Desk.

Duo also works with third-party one-time password (OTP) hardware tokens, such as YubiKey OTP or any other non-proprietary SHA-1 OATH HOTP-compatible tokens. TOTP tokens are not recommended for use with Duo, as full support for TOTP token drift and TOTP resync is not available.

Admins need to manually import third-party OTP token information into Duo. When importing tokens, keep in mind that tokens should be unique between Duo accounts.

Protect your token seeds!

Protect your third-party token seed information as sensitive and confidential information. A compromise of your token seeds could potentially result in 2FA bypass.

To import third-party OTP tokens into Duo:

  1. Log in to the Duo Admin Panel and click 2FA Devices in the left sidebar, then click Hardware Tokens in the submenu.

  2. Click the Import Hardware Tokens button.

  3. Select the type of token to import from the drop-down menu and then paste in the token information in CSV format. This information is provided by the hardware token manufacturer or vendor. The token serial number cannot exceed 128 characters. Do not include any spaces. Click Import Hardware Tokens when finished entering the token information.

    Add token information

  4. The tokens are immediately imported and listed in the "Hardware Tokens" table.

    Token import successful

If you need to import a large number of YubiKey tokens you can use Yubico's personalization tool to configure multiple tokens quickly and export a CSV file with the serial number and key information you need to import the YubiKeys into Duo. Deploying more than 500 YubiKeys? Contact us for more information about how to make it easier.
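A pre-import check for the token CSV, run locally before pasting it into the import form. This is an added example, not Duo code: the two-column `serial,hex_secret` layout, the function name `preflight` and the sample rows are assumptions (the real column layout depends on the token type you select), while the 128-character serial limit and the no-spaces rule come from step 3 above. Problems are reported by line number only, so seed material never ends up in terminal output or logs.

```python
import csv
import io

MAX_SERIAL_LEN = 128   # serial-number limit stated on this page
MIN_SEED_BYTES = 16    # RFC 4226: the shared secret MUST be at least 128 bits


def preflight(csv_text):
    """Check token rows before import.

    Returns (accepted_serials, problems). Each problem is (line number, reason);
    the seed itself is never copied into a message.
    """
    accepted, problems = [], []
    seen_serials, seen_seeds = set(), set()
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not row:
            continue  # blank line
        if len(row) != 2:
            problems.append((lineno, "expected serial,secret"))
            continue
        serial, secret_hex = row
        if any(ch.isspace() for ch in serial + secret_hex):
            problems.append((lineno, "contains whitespace"))
            continue
        if not serial or len(serial) > MAX_SERIAL_LEN:
            problems.append((lineno, "serial empty or longer than 128 characters"))
            continue
        try:
            seed = bytes.fromhex(secret_hex)
        except ValueError:
            problems.append((lineno, "secret is not hex"))
            continue
        if len(seed) < MIN_SEED_BYTES:
            problems.append((lineno, "seed shorter than 128 bits"))
            continue
        if serial in seen_serials or seed in seen_seeds:
            problems.append((lineno, "duplicate serial or seed"))
            continue
        seen_serials.add(serial)
        seen_seeds.add(seed)
        accepted.append(serial)
    return accepted, problems


# Constructed sample input; the first seed is the RFC 4226 test secret in hex.
SAMPLE_CSV = """\
100001,3132333435363738393031323334353637383930
100002,31323334 35363738393031323334353637383930
100001,aabbccddeeff00112233445566778899aabbccdd
100003,deadbeef
100004,zz32333435363738393031323334353637383930
"""

if __name__ == "__main__":
    ok, bad = preflight(SAMPLE_CSV)
    print("ready to import:", ok)
    for lineno, reason in bad:
        print(f"line {lineno}: {reason}")
```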

Assigning a Hardware Token to an End User

Role required: Owner, Administrator, User Manager, or Help Desk.

To assign an OTP token to an end user:

  1. Click Users in the left sidebar. Select a user by clicking their username. Scroll down to the "Hardware Tokens" table on the user's properties page and then click the Add Hardware Token button.

    Token import successful

  2. Click the drop-down menu to see a list of available tokens. You can also search for a token by typing in the serial number. Click a token to select it, and then click Add Hardware Token.

    Add token information

  3. The user's properties page now lists the newly added token.

    Add token information

OTP Tokens can also be associated with users from the token's properties page. A hardware token may be assigned to multiple end users.

  1. Log in to the Duo Admin Panel and click 2FA Devices in the left sidebar, then click Hardware Tokens.

  2. Click on the serial number of a token to access the token's properties page. On the token's properties page, scroll down to the Users table and click the Attach User button.

    Attach User to Token

  3. Select a Duo user from the drop-down list and click Attach.

  4. The token's properties page now lists the attached user.

    Token Attached to User

A Duo user can have up to 100 tokens.

Assigning a Hardware Token to an Administrator

Role required: Owner.

Duo Beyond, Access, and MFA plan customers may assign a hardware token to an Administrator to permit token passcode authentication when logging in to the Duo Admin Panel. OTP-generating hardware tokens (but not U2F-only security keys) may be used for administrator logins.

Only account owners may modify other administrator accounts to add hardware token authenticators. A hardware token may be assigned to multiple administrator users.

To attach a token to an administrator:

  1. Log in to the Duo Admin Panel and click Administrators in the left sidebar.

  2. Click on the administrator's user name to view details.

  3. Click the drop-down menu to see a list of available hardware tokens. You can also search for a token by typing in the serial number.

    Add administrator token information

    Click a token to select it, and then click Save Changes at the bottom of the page.

  4. The administrator's properties page shows the newly added token. Click the Remove link to the right to remove the hardware token from the administrator's account.

    View or remove administrator hardware token

Resynchronizing Tokens

Hardware tokens may occasionally become out of sync with Duo's service. When this happens, passcodes generated by the token fail to authenticate the user. You can manually resynchronize HOTP hardware tokens purchased from Duo or third-party vendors from the Admin Panel. TOTP tokens imported into Duo cannot be resynchronized.

To resynchronize a HOTP hardware token:

  1. Log in to the Duo Admin Panel, click 2FA Devices in the left sidebar, and then click Hardware Tokens.

  2. Click on the Serial Number of a token to access the token's properties page. Once on the token's properties page, click the Resync Token button near the top of the token's properties page.

    Resync the token

  3. Enter the code displayed on the token as the 1st code. Advance to the next token code and enter that number as the 2nd code. Advance to the next token code one more time and enter that number as the 3rd code. Click the Resync Hardware Token button after entering all three token codes.

    Enter token codes for resync
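Why resync asks for three consecutive codes, shown with RFC 4226 HOTP (HMAC-SHA-1), the algorithm the third-party token section names. This is an added example, not Duo's implementation: the function names, the look-ahead of 10 and the resync window of 1000 are assumptions chosen for illustration. A single 6-digit code searched across a wide counter range would match by chance too often, whereas a run of consecutive codes pins down the token's counter.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter, using HMAC-SHA-1."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret, server_counter, code, look_ahead=10):
    """Normal login check: accept a code only inside a small look-ahead window.

    Returns the next counter the server should store, or None on failure.
    """
    for c in range(server_counter, server_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def resync(secret, server_counter, codes, window=1000):
    """Search a much wider window, but require every code in order.

    Returns the counter following the matched run, or None if no run matches.
    """
    for start in range(server_counter, server_counter + window):
        if all(hmac.compare_digest(hotp(secret, start + i), code)
               for i, code in enumerate(codes)):
            return start + len(codes)
    return None


# RFC 4226 Appendix D test secret; a constructed value, not a real token seed.
SECRET = b"12345678901234567890"


def demo(token_counter=40):
    """Token button was pressed token_counter times away from any login."""
    server_counter = 0
    codes = [hotp(SECRET, token_counter + i) for i in range(3)]
    login = verify(SECRET, server_counter, codes[0])    # outside look-ahead
    recovered = resync(SECRET, server_counter, codes)   # wide search, 3 codes
    return login, recovered


if __name__ == "__main__":
    login, recovered = demo()
    print("normal login accepted:", login is not None)
    print("server counter after resync:", recovered)
```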

Deleting Tokens

You may delete third-party hardware tokens you previously imported into Duo (but not D100 tokens purchased from Duo).

Remember

Deleting a token in this manner removes it from all associated users immediately. If those users still need to authenticate to Duo, ensure that they have another authentication device attached to their user accounts.

To delete a third-party hardware token:

  1. Log in to the Duo Admin Panel and click 2FA Devices in the left sidebar. Then click Hardware Tokens.

  2. Click on the Serial Number of a token to access the token's properties page. Once on the token's properties page, click the Delete Hardware Token button near the top of the token's properties page.

    Delete the token

    Confirm deletion of the hardware token.

    Confirm hardware token deletion

Managing WebAuthn Devices

The Web Authentication API, or WebAuthn for short, lets services utilize device authenticators — portable ones like security keys or built-in ones like Apple's Touch ID — to authenticate users using a public-private keypair instead of a password.

Duo supports a variety of WebAuthn secondary authentication methods when logging in using the browser-based Duo Prompt:

  • Security keys from Yubikey, Feitian, etc. in Chrome v70+ and Firefox v60+
  • Touch ID in Chrome on macOS

When WebAuthn security keys and Touch ID are enabled in your application's effective authentication methods policy, end users can self-enroll security keys via the Duo enrollment prompt or device management portal.

When a user enrolls a security key in Chrome, it is "dual-enrolled" as both a U2F and a WebAuthn device. The end user can authenticate using that security key in any supported browser, and in Chrome can authenticate with the security key as soon as the Duo Prompt loads, without explicitly selecting the security key from the drop-down list of enrolled factors. Logging in with Chrome using a security key that was initially enrolled in a browser other than Chrome does not initiate this dual-enrollment.

When a user enrolls a security key in a supported browser other than Chrome, it is enrolled only as a WebAuthn device (no dual-enrollment). It can be used to authenticate in any supported browser, but must be explicitly selected from the drop-down list of enrolled factors.

Touch ID support is currently limited to Chrome browsers on macOS. The end user must select Touch ID from the drop-down list of enrolled factors to authenticate.

See the security key enrollment process for end users to learn more.

Duo administrators may enroll U2F security keys (but not WebAuthn or Touch ID devices) for end users, and also delete any type of U2F or WebAuthn device after registration from the Duo Admin Panel.

Listing WebAuthn and U2F devices

  1. Log in to the Duo Admin Panel, click 2FA Devices in the left sidebar, then click WebAuthn & U2F. A list of registered WebAuthn and U2F devices is shown, along with the associated end user.

    WebAuthn & U2F View

  2. Click on any user's name to view additional information about that user.

Assigning a U2F Security Key to an End User

Before your users can utilize WebAuthn or U2F security keys for authentication, you must make sure you've enabled WebAuthn security keys in your Duo policies.

You might want to enroll a security key on behalf of a Duo user (for example, if you're on-boarding new hires ahead of their start dates). You can do this from the Admin Panel. Before you start, you need to have the security key to be assigned in hand as you'll need to physically tap it to complete registration.

Duo admins may only enroll security keys from the Admin Panel as U2F devices. Therefore, these keys may only be used in Chrome at first. Once a user authenticates in Chrome using the U2F security key registered by the Duo admin, the user is prompted to complete WebAuthn enrollment for that security key (effectively dual-enrolling the security key as described earlier). This registers the U2F security key as a WebAuthn device too, which can be used in other browsers supported by Duo for WebAuthn (currently Firefox).

Role required: Owner, Administrator, User Manager, or Help Desk.

To assign a security key to an end user:

  1. Insert the security key into an available slot on your computer.

  2. Log in to the Duo Admin Panel and click Users in the left sidebar (you must be directly logged in as an administrator for that Duo customer account).

  3. Select a user by clicking their username. Scroll down to the "WebAuthn & U2F" table on the user's properties page and then click the Add Security Key (U2F) button.

    U2F User Token Assignment

  4. A pop-up dialog asks you to touch the U2F token to enroll it.

    Tap Token When Prompted

    Tap the security key inserted in your computer to complete enrollment.

    U2F Enrollment Success

  5. The user's properties page now lists the newly added security key.

    U2F Token Added to User

  6. Remove the security key from your computer and deliver it to the end user.

Duo admins can only enroll one security key on behalf of a user, but end users can enroll additional tokens themselves via self-service device management. A Duo user can have up to 100 U2F tokens or security keys.

It's not possible to move existing enrolled U2F tokens or security keys between Duo users. If you want to reassign a U2F token from one user to another, you must delete the token from the first user, and then perform enrollment again on behalf of the second user.

Deleting WebAuthn Authenticators or U2F Tokens

  1. Log in to the Duo Admin Panel and click 2FA Devices in the left sidebar; then click WebAuthn & U2F.

  2. Locate the device ID or the user whose WebAuthn or U2F device you want to delete in the table, and then click the trash can icon on the right.

    WebAuthn & U2F View

  3. Confirm deletion of the WebAuthn authenticator.

    Confirm WebAuthn device deletion

You can also delete a U2F or WebAuthn device directly from a Duo user's page. Scroll down to the WebAuthn & U2F table and click the trash icon to remove a device.

Remove WebAuthn device

Troubleshooting

Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.