WebAuthn/FIDO2 Security

People who wish to use a physical hardware token for 2-Step verification should pick up a Simple Hardware Token free of charge.  For most users, if you don't have a smartphone or landline available, a Simple Hardware Token is sufficient.

If you purchase your own Feitian FIDO Key or YubiKey, you can take advantage of its ability to function using USB-provided power without needing an internal battery.  Following the instructions below, you may self-register your key as a WebAuthn/FIDO2 security key for use with Duo.


Feitian FIDO Keys

Feitian FIDO Keys can be purchased as a personal security device for 2-step authentication. The keys are available in multiple forms and are compatible with multiple interfaces, including USB-A or USB-C, to fit all of your computers and mobile devices.


YubiKeys

YubiKeys can be purchased at yubico.com/store/ and work with most web services on most devices. 


Enrolling Your Key as a WebAuthn/FIDO2 Security Key Using the Duo Device Management Portal

1. Log In to CalNet

From the CAS login screen, 

Log in to CalNet

2. Access the Device Management Portal

  • A 2-Step prompt will appear after you enter your CalNet ID and passphrase. 

  • At the bottom of the page, select Other Options

  • Under your list of existing devices, select Manage Devices

  • Complete a 2-Step verification.

3. Add Your Device

  • Once authenticated, you will land on the Duo Device Management Portal. Your existing devices will be listed. 

  • Select Add a New Device

  • Select Security Key

  • Select Continue 

  • When prompted, insert your Key into your computer and touch it

Enrollment Completed!

Congratulations! You’ve successfully enrolled your Key.  Now when you log in to campus systems, you will be prompted for a second-step verification. 


Enrolling Your Key as a WebAuthn/FIDO2 Security Key Using CalNet Account Manager

Add Another Device

  1. After enrolling your first device, insert your security key into your computer's USB port.

  2. Log in to CalNet Account Manager using an existing 2-Step device.
  3. Select the Manage 2-Step Verification link from the panel on the left.
  4. You will need to perform the 2-Step process a second time at the 2-Step Device Control Panel.
  5. Within My Settings & Devices, select Add another device

  6. At "What type of device are you adding?", select Security Key and click Continue

  7. A prompt will appear with instructions on what to do if you do not see the pop-up window. Click Continue.

  8. Insert your security key, and when you see this prompt, tap it.

Enrollment Completed!

Congratulations! You have successfully enrolled your security key. When you log in with your CalNet ID, you will be prompted for a second-step verification. Insert your security key and tap it to log in.


Advanced Use Case -- YubiKey AES and OATH-HOTP

Advanced users may wish to enroll a YubiKey using AES or as an OATH-HOTP device. These are not required to use CalNet 2-Step Verification, but advanced users may wish to leverage features of YubiKeys for specific departmental Duo integrations. Find out more at Advanced YubiKey Setup.