Not sure if this is the right forum category (if not, maybe a mod could move it?) The following is text I sent to the Duo support email address hoping to get an answer, but unsurprisingly in retrospect, they refused, since I’m not a customer. Hope someone can answer me here. I’m a staff member at a US university, who is a software developer, but not involved with the ITS org at the university that uses some Duo product (not sure which) as part of our central auth system (CAS). From here on I’ll quote my email, with minimal changes, so I don’t have to edit too much:
At my university, we are using your product to integrate with our CAS to provide (among other things of course) the ability to do 2FA with Yubikeys. However the way the software is set up, I am required to buy a new Yubikey 4 blank from our ITS. This is apparently (as I understand it) because the only way to register the Yubikey into the Duo software is to copy/paste code numbers that are emitted from the programming phase of the Yubico software.
The problem for me is that I already have some Yubikeys and don’t want to buy new ones. I’ve been through a long back-and-forth with our point person on this end trying to get an answer to the question “WHY can’t I just REGISTER my existing Yubikeys in Duo?” It was only after I met her in person and listened in detail to all the steps in the workflow that I understood what I have mentioned above - that it seems the ONLY way to register a key is to program (or reprogram) it immediately before registering, so that the internal PKC codes can be pasted directly into Duo.
If you are working in support at Duo, I’m sure you must understand that the concept of the Yubikey was never intended to be one in which you have a different Yubikey on your keychain for each and every site that you need to authenticate to. The idea is that you can have just ONE, and use it with many different sites.
In my (reasonably technologically well-informed) imagination, there shouldn’t be anything needed to register my existing key beyond plugging it in somewhere, being prompted to press the key’s button when it flashes, and…being done. This is how it worked when I registered my key with fastmail.com. This is how it worked when I registered my key with facebook.com*. Those registrations both happened right over the web from my own PC. I hope you can imagine how frustrating it is for me to learn that it’s not just this simple when I want to use my existing key at work. Even if I need to travel in person to my ITS office to get a registration done, that is not a problem at all.
Can you explain to me whether there is, in fact, a way to register my existing keys with whatever is the software product that my university is using, WITHOUT reprogramming them (which would mean that our ITS staff over here are insufficiently familiar with your software) or whether they are in fact correct, and there is NO WAY to register an existing key without reprogramming it?
Edit: I have seen this. But I can’t quite make sense of the fact that it says “Duo supports 3P OTP tokens”, presumably also pre-programmed ones, but still explains that you need to provide these internal numbers. My understanding is that these numbers cannot be retrieved from a Yubikey once it is programmed.
* I suppose I should point out that my university is only supporting OTP, not U2F, and with facebook I’m using U2F.
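As an added illustration (not part of the original post, and not Duo's or Yubico's code), the Go below shows why an OTP validator needs the secrets emitted at programming time: the 16-byte token is AES-128 encrypted under the slot's AES key and can only be checked by a party holding that key and the private ID. The key and private ID values are constructed for the example; timestamp and random fields are left zero.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"errors"
)

// CRC-16 (poly 0x8408, init 0xffff, the RFC 1662 FCS) carried inside the token; over a
// correctly built 16-byte block it leaves the residue 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			if crc&1 == 1 { crc = crc>>1 ^ 0x8408 } else { crc >>= 1 }
		}
	}
	return crc
}

// MakeOTPBlock does what the key does on a button press: private ID, use counter and
// session counter (timestamp/random bytes left zero here) are CRC'd, then AES-128-ECB
// encrypted under the AES key programmed into the slot.
func MakeOTPBlock(key []byte, privateID [6]byte, useCtr uint16, sessionCtr byte) [16]byte {
	var blk [16]byte
	copy(blk[:6], privateID[:])
	binary.LittleEndian.PutUint16(blk[6:], useCtr)
	blk[11] = sessionCtr
	binary.LittleEndian.PutUint16(blk[14:], ^crc16(blk[:14]))
	c, err := aes.NewCipher(key) // key must be 16 bytes
	if err != nil { panic(err) }
	c.Encrypt(blk[:], blk[:])
	return blk
}

// VerifyOTPBlock is the validator's side: decrypt with the same AES key, check the CRC
// residue and private ID, and return the use counter, which the server must require to
// be higher than the last one it accepted for this key (replay protection).
func VerifyOTPBlock(blk [16]byte, key []byte, privateID [6]byte) (uint16, error) {
	c, err := aes.NewCipher(key)
	if err != nil { return 0, err }
	var pt [16]byte
	c.Decrypt(pt[:], blk[:])
	if crc16(pt[:]) != 0xf0b8 { return 0, errors.New("CRC mismatch: wrong AES key or corrupt OTP") }
	if !bytes.Equal(pt[:6], privateID[:]) { return 0, errors.New("private ID mismatch") }
	return binary.LittleEndian.Uint16(pt[6:8]), nil
}
```

A validator that was never given the AES key fails at the CRC check, which is the practical reason a slot has to be (re)programmed while the registering party captures the values.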