People who wish to use a physical hardware token for 2-Step verification should pick up a Simple Hardware Token free of charge. For most users, if you don't have a smartphone or landline available, a Simple Hardware Token is sufficient.
If you purchase your own Feitian FIDO Key or YubiKey, you can take advantage of its ability to function using USB-provided power without needing an internal battery. Following the instructions below, you may self-register your key as a WebAuthn/FIDO2 security key for use with Duo.
Feitian FIDO Keys
Feitian FIDO Keys can be purchased as a personal security device for 2-step authentication. The keys are available in multiple forms and are compatible with multiple interfaces, including USB-A or USB-C, to fit all of your computers and mobile devices.
YubiKeys can be purchased at yubico.com/store/ and work with most web services on most devices.
Enrolling Your Key as a WebAuthn/FIDO2 Security Key Using the Duo Device Management Portal
- You must already have enrolled at least one device—smartphone, tablet or basic cell phone
1. Log In to CalNet
From the CAS login screen (ex: https://bpr.calnet.berkeley.edu/account-manager/login/auth),
2. Access the Device Management Portal
A 2-Step prompt will appear after you enter your CalNet ID and passphrase.
- If you are automatically logged in and the 2-Step prompt is bypassed, try either clearing cache/cookies or using an incognito browser
At the bottom of the page, select Other Options
Under your list of existing devices, select Manage Devices
Complete a 2-Step verification.
3. Add Your Device
Once authenticated, you will land on the Duo Device Management Portal. Your existing devices will be listed.
Select Add a New Device
- Select Security Key
- Select Continue
- When prompted, insert your Key into your computer and touch it
Congratulations! You’ve successfully enrolled your Key. Now when you log in to campus systems, you will be prompted for a second-step verification.
Enrolling Your Key as a WebAuthn/FIDO2 Security Key Using CalNet Account Manager
- You must already have enrolled at least one device—smartphone, tablet, or basic cell phone—in CalNet Account Manager.
Add Another Device
- After enrolling your first device, insert your security key into your computer's USB port.
- Log into CalNet Account Manager using an existing 2-Step device.
- Select the Manage 2-Step Verification link from the panel on the left.
- You will need to perform the 2-Step process a second time at the 2-Step Device Control Panel.
- Within My Settings & Devices, select Add another device
- At "What type of device are you adding?", select Security Key and click Continue
- A prompt will appear with instructions on what to do if you do not see the pop-up window. Click Continue.
- Insert your security key, and when you see this prompt, tap it.
Congratulations! You have successfully enrolled your security key. When you log in with your CalNet ID, you will be prompted for a second-step verification. Insert your security key and tap it to log in.
Advanced Use Case -- YubiKey AES and OAUTH-HOTP
Advanced users may wish to enroll a YubiKey using AES or as an OAUTH-HOTP device. These are not required to use CalNet 2-Step Verification, but advanced users may wish to leverage features of YubiKeys for specific departmental Duo integrations. Find out more at Advanced YubiKey Setup.