Skip navigation

Tokens and Passcodes

With multiple passcode configurations, hardware security tokens, and integrations with a broad range of third-party devices, Duo is an easy-to-use two-factor authentication solution that fits seamlessly in your users’ daily workflows.

See Duo Push in Action

What is a Security Token?

Security tokens are physical tools or devices that a user carries to authenticate their identity online for secure login. These devices generate a unique passcode for users to enter to gain access to systems, networks, or applications. Tokens are often in the form of a Bluetooth keyring fob, smart card, or USB.


How Do MFA Soft Tokens Work?

Some websites and online services let users protect their accounts with a mobile-generated passcode. This code must be manually entered and only works for a limited time — typically 30-60 seconds. In the multi-factor authentication process (MFA), a soft token mobile app can generate these time-based one-time passcodes (TOTP) for all third-party sites, letting users keep their accounts in one app.


Soft Token vs. Hard Token

A soft token is a software application, often installed on a mobile device, while a hard token is a physical piece of hardware, like a USB. Both soft and hard security tokens generate passcodes used for multi-factor authentication (MFA) or two-factor authentication (2FA). Duo Push is an example of a soft token for MFA and 2FA—conveniently installed with the Duo Mobile app on your phone.

SMS Passcodes and Phone Callback

Users without internet connectivity or smartphones can still authenticate easily with Duo’s SMS passcode or phone callback options.

To generate an SMS passcode, a user logs into an application with their usual account credentials. Duo will then send them a one-time passcode via text that can be typed into a two-factor authentication prompt on the user’s device.

To use phone callback, simply call any phone number enrolled to a user and let them confirm their identity by answering the call and pressing a key. Access keys can easily be configured and managed via Duo’s administrator dashboard.

Bypass Codes

When other multi-factor authentication (MFA) methods aren’t an option, you can manually generate a bypass code. This feature comes in handy when you need to provide temporary access for a contractor or vendor, or when an employee forgets their laptop or phone but still needs to access their applications.

Choose Your Token

Duo supports standalone, one-time password hardware devices for two-factor authentication. Thanks to Duo’s flexibility, choosing the right 2FA token for your business is easy.

cybersecurity tokens mfa and 2fa with duo security

What Are Examples of Authentication Tokens?

Duo offers hardware tokens that can be used for two-factor authentication (2FA) with the Duo Mobile app. When purchased, these hard tokens automatically connect to your account to protect the integrity and confidentiality of your token seeds and minimize the likelihood of a token compromise. Duo D-100 tokens have an expected minimum battery lifetime of two years.

Duo also supports third-party one-time password (OTP) hardware tokens, like Yubico’s YubiKeys, or any OATH HOTP-compatible tokens. Third-party hardware tokens can be imported into the system by an administrator.

Other Multi-Factor Authentication (MFA) Methods

There’s a solution for every situation.

Duo Push

Duo Push is our most commonly-used second factor of authentication in the form, thanks to its simplicity and reliability as a soft token. Users just download the Duo Mobile app and are automatically prompted to confirm each login attempt — all it takes is a single tap.

Biometrics and Security Keys

Duo's multi-factor authentication solution taps into the power of security keys and biometric authentication methods, such as TouchID via WebAuthn, allowing users to leave the traditional passcode behind.

Cover of image of the Passwordless in the Enterprise ebook cover eBook

Passwordless in the Enterprise

In a world where traditional authentication falls short, organizations are seeking more secure, user-friendly alternatives to passwords and MFA. Learn how your enterprise can evolve to keep your data safe.

Get the Free Guide