Duo + Yubikey + Office apps not working

I’m not sure if this is a Duo issue, a Yubico issue, or a Microsoft issue, or all 3.

We have Office 365 (Azure + On Prem hybrid) protected using Conditional Access policies to use Duo. Our new users are issued with a Yubikey 5 NFC or Yubikey 5C (if on Mac), which is great except it doesn’t seem to be a recognized device by Office applications (Outlook, Teams, any of the Office suite).

When setting up the devices, we have to use Bypass Codes to initially setup Office, or if the password is changed post-initial setup before the users have registered another device like a phone.

This is somewhat embarrassing and I also don’t understand why the apps don’t work. I’ve tested the Yubikey through Edge using Yubikeys U2F and OTP tests, and the key is acknowledged and seems to work just fine. It’s the apps themselves that don’t seem to like it.

Is anybody else finding this?

1 Like

I have the same issue. We use Duo I am unable to progress through login on my local apps once we have switched.

1 Like

Thank goodness, I thought it was just me! I’ve struggled to find a definitive search term that encapsulates this issue, and so far haven’t been able to find a solution.

Usually this is because the embedded browser that thick client apps use to render the login page and Duo Prompt don’t support U2F/Security Keys.

For most Windows versions, the embedded browser used by the apps is IE or Edge. On macOS, the embedded browser used is Safari. None of those are supported by Duo for use with U2F or WebAuthN security keys.

Here are some links:

Thanks Kristina.
I thought that was the case, but running Yubico’s U2F test in Edge works just fine (i.e. it recognizes the key, prompts for input, accepts input), but not at a Duo prompt. Why would that be?

Duo supports Yubikey U2F/WebAuthn in Chrome and Firefox (as mentioned in all the documents I linked). Edge is neither Chrome nor Firefox. :slight_smile:

If you’d like to be added to a feature request for Edge Yubikey support, please contact your Duo account executive or customer success manager, or Duo Support.

I suppose the question I was really asking was - if U2F is implicitly supported by Edge, why does Duo not support it when it’s basically an intrinsic piece of a major software suite like Office :wink:

I will reach out to submit the feature request.