
Duo + Yubikey + Office apps not working

MorsePacific
Level 1

I’m not sure if this is a Duo issue, a Yubico issue, or a Microsoft issue, or all 3.

We have Office 365 (Azure + On Prem hybrid) protected using Conditional Access policies to use Duo. Our new users are issued with a Yubikey 5 NFC or Yubikey 5C (if on Mac), which is great except it doesn’t seem to be a recognized device by Office applications (Outlook, Teams, any of the Office suite).

When setting up the devices, we have to use Bypass Codes to initially set up Office, or if the password is changed post-initial setup before the users have registered another device like a phone.

This is somewhat embarrassing and I also don’t understand why the apps don’t work. I’ve tested the Yubikey through Edge using Yubikey’s U2F and OTP tests, and the key is acknowledged and seems to work just fine. It’s the apps themselves that don’t seem to like it.

Is anybody else finding this?


TimBloom
Level 1

I have the same issue. We use Duo, and I am unable to progress through login on my local apps once we have switched.

Thank goodness, I thought it was just me! I’ve struggled to find a definitive search term that encapsulates this issue, and so far haven’t been able to find a solution.

Usually this is because the embedded browser that thick client apps use to render the login page and Duo Prompt doesn’t support U2F/Security Keys.

For most Windows versions, the embedded browser used by the apps is IE or Edge. On macOS, the embedded browser used is Safari. None of those are supported by Duo for use with U2F or WebAuthn security keys.

Here are some links:
https://guide.duo.com/security-keys
https://help.duo.com/s/article/2253?language=en_US
https://help.duo.com/s/article/5326?language=en_US

Duo, not DUO.

This answer makes sense to me, but in 2021, Safari does support WebAuthn; I just tested this by opening Safari, visiting our website (my.calpoly.edu), and using my Yubikey to authenticate. Despite this, when I try to log in to (say) OneDrive, I get a pop-up with the message “Your authentication methods are not available. Please use Chrome, Firefox, Safari, or Edge in order to use your security key(s), or contact your IT administrator for assistance.”

I see several possible causes for this. It could be that the version of Safari that’s delivered to Microsoft’s pop-up window has WebAuthn disabled for some reason; in this case, Apple’s the one that needs to take action to fix this. Or, it could be the case that Microsoft is constructing the 2FA window in a way that fences out the use of WebAuthn; in this case, Microsoft is the one that needs to take action to fix this. Finally, it could be Duo’s problem, and a server configured not to allow WebAuthn login on pop-ups such as this.

As others have mentioned, chasing down issues where there are three responsible parties is … challenging. Can you shed any light on this?

Thanks in advance for any help you can provide!

Without knowing anything about your configuration it’s likely a combination of causes.

Which Duo prompt does your organization use? Duo’s traditional prompt, delivered in an iframe, requires a pop-up to enable the WebAuthn interaction. Duo Universal Prompt, delivered via OIDC redirect, does away with this pop-up requirement. It may be that your org is still on the traditional prompt and the embedded browser used by the OneDrive thick client does not permit pop-ups.

Duo, not DUO.
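
A diagnostic sketch for the causes discussed above, added here as an example and not code from Duo, Microsoft, Yubico or any poster: it classifies a browsing context by whether the WebAuthn API is exposed, whether the context is secure, and whether the page is framed (the case the reply above says needs a pop-up). The function name `webauthnReadiness`, the finding labels and the mock contexts are hypothetical.

```javascript
// Added example; webauthnReadiness(), mockContext() and the finding labels
// are hypothetical. `win` is a window-like object: in a real login page pass
// `window`; the mocks below are constructed so the block runs offline.
function webauthnReadiness(win) {
  const findings = [];
  const creds = win.navigator && win.navigator.credentials;
  // WebAuthn surface: PublicKeyCredential plus credentials.get()/create().
  const hasApi = typeof win.PublicKeyCredential === "function" &&
    !!creds && typeof creds.get === "function" &&
    typeof creds.create === "function";
  if (!hasApi) findings.push("webauthn-api-missing");
  // Browsers expose WebAuthn only in secure contexts (HTTPS or localhost).
  const secure = win.isSecureContext === true;
  if (!secure) findings.push("insecure-context");
  // A framed prompt is the case described above as requiring a pop-up,
  // which an embedded browser may refuse to open.
  const framed = win.self !== win.top;
  if (framed) findings.push("framed-prompt-needs-popup");
  return { usable: hasApi && secure, framed, findings };
}

// Constructed window-like objects standing in for real browsing contexts.
function mockContext({ api, secure, framed }) {
  const win = { isSecureContext: secure, navigator: {} };
  if (api) {
    win.PublicKeyCredential = function PublicKeyCredential() {};
    win.navigator.credentials = { get() {}, create() {} };
  }
  win.self = win;
  win.top = framed ? {} : win; // a different object models a parent frame
  return win;
}

const samples = {
  embeddedNoApi: mockContext({ api: false, secure: true, framed: false }),
  framedPrompt: mockContext({ api: true, secure: true, framed: true }),
  topLevelRedirect: mockContext({ api: true, secure: true, framed: false }),
};
for (const [name, win] of Object.entries(samples)) {
  console.log(name, JSON.stringify(webauthnReadiness(win)));
}
```

Pasting the function into the developer console of the failing login window, where one is available, and calling `webauthnReadiness(window)` shows which of the three conditions applies to that context.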

MorsePacific
Level 1

Thanks Kristina.
I thought that was the case, but running Yubico’s U2F test in Edge works just fine (i.e. it recognizes the key, prompts for input, accepts input), but not at a Duo prompt. Why would that be?

Duo supports Yubikey U2F/WebAuthn in Chrome and Firefox (as mentioned in all the documents I linked). Edge is neither Chrome nor Firefox.

If you’d like to be added to a feature request for Edge Yubikey support, please contact your Duo account executive or customer success manager, or Duo Support.

Duo, not DUO.

I suppose the question I was really asking was: if U2F is implicitly supported by Edge, why does Duo not support it when it’s basically an intrinsic piece of a major software suite like Office?

I will reach out to submit the feature request.
