To Duo, 2FA authentication devices are associated with users.

Any user that exists in Duo with an associated 2FA device (a phone, a hardware token, a YubiKey, etc.) can log in to any Duo application by default.

If you create 10 Duo users and they all have a 2FA device attached, all 10 of those users could log into MacBook A or MacBook B with Duo.

To your specific questions:

Different from MacBook A this MacBook B never uses Duo Push due to lack of network connection during the early login process. Therefore this user still has “Never authenticated” in his details. Why is this?

A Duo user shows “Never authenticated” until that user performs an online 2FA login.

I was expecting the user B to show up in the list in Duo Mobile, just like the Admin user and user A. But it’s not. Is that normal? Should/Can I add it manually?

The Duo Mobile account list is is per Duo customer account. Once the phone is activated for use with a single user within that Duo customer account, it is essentially activated for any user in that Duo customer account that you associate with that phone. It is correct that you do not see two entries for the same Duo customer account in Duo Mobile after associating the phone with two Duo users in that account.

How was MacBook B “informed” that this special Yubikey is the right one?

Assigning the YubiKey to User B in Duo means that User B can use that same YubiKey to log in to any Duo application, as 2FA devices are attached to the Duo user, not to the system where a Duo client application is installed.

If you want to enforce a 1:1 relationship between a Duo user and a given MacBook (preventing User A from using Duo 2FA on MacBook B or User B from using Duo 2FA on MacBook A) there is a way to do this with the Permitted Groups application option, where you create a Duo group, put the user you want using the Duo application in the group, and then restrict access to that Duo application to members of that group. I don’t recommend this as it doesn’t scale well at all. If you don’t want User B to log on to MacBook A (or whatever) it is much easier to just not have a MacOS login for User B on MacBook A in the first place.

Dear Kristina,

thank you so much for your extensive reply!

Thanks for making clear that devices are associated with users, not i.e. Applications or Access Devices.

One thing is still unclear: The Yubikey is not associated with user A “tino” (as you can see), still I can bypass the (offline) login on MacBook A with it.

Any more ideas who to do this correctly?

The goal is of course to have an online and offline savvy 2FA method for every individual user and 2 admins.

Thanks in advance

Tino

If the MacBook has no connectivity to the Duo service during login then it is subject to the fail mode setting you specified when you installed the Duo for Mac Logon application Should fail open. If you said true, then if the Duo application cannot contact the Duo cloud service at logon then it allows the user to bypass Duo authentication and log in. If you set that to false then no user can log on if the MacBook can’t contact Duo.

Kristina, thanks again.

So it means there is no offline login possible secured with Yubikey associated with DUO.

That’s a pity.