WebAuthn/FIDO2 Security

People who wish to use a physical hardware token for 2-Step verification should pick up a Simple Hardware Token free of charge.  For most users, if you don't have a smartphone or landline available, a Simple Hardware Token is sufficient.

If you purchase your own Feitian FIDO Key or YubiKey, you can take advantage of its ability to function using USB-provided power without needing an internal battery.  Following the instructions below, you may self-register your key as a WebAuthn/FIDO2 security key for use with Duo.


Feitian FIDO Keys

Feitian FIDO Keys can be purchased as a personal security device for 2-step authentication. The keys are available in multiple forms and are compatible with multiple interfaces, including USB-A or USB-C, to fit all of your computers and mobile devices.


YubiKeys

YubiKeys can be purchased at yubico.com/store/ and work with most web services on most devices. 


Enrolling Your Key as a WebAuthn/FIDO2 Security Key Using the Duo Device Management Portal

1. Log In to CalNet

From the CAS login screen (for example, https://bpr.calnet.berkeley.edu/account-manager/login/auth), log in to CalNet.

2. Access the Device Management Portal

  • A 2-Step prompt will appear after you enter your CalNet ID and passphrase. 

  • If you are automatically logged in and the 2-Step prompt is bypassed, try either clearing your browser's cache and cookies or using an incognito browser window.
  • At the bottom of the page, select Other Options


  • Under your list of existing devices, select Manage Devices


  • Complete a 2-Step verification.


3. Add Your Device

  • Once authenticated, you will land on the Duo Device Management Portal. Your existing devices will be listed. 

  • Select Add a New Device


  • Select Security Key


  • Select Continue 


  • When prompted, insert your Key into your computer and touch it


Enrollment Completed!

Congratulations! You’ve successfully enrolled your Key.  Now when you log in to campus systems, you will be prompted for a second-step verification. 




Advanced Use Case -- YubiKey AES and OATH-HOTP

Advanced users may wish to enroll a YubiKey using AES or as an OATH-HOTP device. Neither is required to use CalNet 2-Step Verification, but advanced users may wish to leverage features of YubiKeys for specific departmental Duo integrations. Find out more at Advanced YubiKey Setup.