Registering an existing Yubikey


#1

Not sure if this is the right forum category (if not, maybe a mod could move it?). The following is text I sent to the Duo support email address hoping to get an answer, but unsurprisingly in retrospect, they refused, since I’m not a customer. Hope someone can answer me here. I’m a staff member at a US university, who is a software developer, but not involved with the ITS org at the university that uses some Duo product (not sure which) as part of our central auth system (CAS). From here on I’ll quote my email, with minimal changes, so I don’t have to edit too much:

At my university, we are using your product to integrate with our CAS to provide (among other things of course) the ability to do 2FA with Yubikeys. However the way the software is set up, I am required to buy a new Yubikey 4 blank from our ITS. This is apparently (as I understand it) because the only way to register the Yubikey into the Duo software is to copy/paste code numbers that are emitted from the programming phase of the Yubico software.

The problem for me is that I already have some Yubikeys and don’t want to buy new ones. I’ve been through a long back-and-forth with our point person on this end trying to get an answer to the question “WHY can’t I just REGISTER my existing Yubikeys in Duo?” Finally, after I met her in person and listened in detail to all the steps in the workflow, I understood what I have mentioned above - that it seems the ONLY way to register a key is to program (or reprogram) it immediately before registering, so that the internal PKC codes can be pasted directly into Duo.

If you are working in support at Duo, I’m sure you must understand that the concept of the Yubikey was never intended to be one in which you have a different Yubikey on your keychain for each and every site that you need to authenticate to. The idea is that you can have just ONE, and use it with many different sites.

In my (reasonably technologically well-informed) imagination, there shouldn’t be anything needed to register my existing key beyond plugging it in somewhere, being prompted to press the key’s button when it flashes, and…being done. This is how it worked when I registered my key with fastmail.com. This is how it worked when I registered my key with facebook.com*. Those registrations both happened right over the web from my own PC. I hope you can imagine how frustrating it is for me to learn that it’s not just this simple when I want to use my existing key at work. Even if I need to travel in person to my ITS office to get a registration done, that is not a problem at all.

Can you explain to me whether there is, in fact, a way to register my existing keys with whatever is the software product that my university is using, WITHOUT reprogramming them (which would mean that our ITS staff over here are insufficiently familiar with your software) or whether they are in fact correct, and there is NO WAY to register an existing key without reprogramming it?

Thank you.

Edit: I have seen this. But I can’t quite make sense of the fact that it says “Duo supports 3P OTP tokens”, presumably also pre-programmed ones, but still explains that you need to provide these internal numbers. My understanding is that these numbers cannot be retrieved from a Yubikey once it is programmed.

* I suppose I should point out that my university is only supporting OTP, not U2F, and with facebook I’m using U2F.


#2

This response assumes that you are not the Duo admin for the organization and have no access to the Duo Admin Panel.

Duo end users cannot self-enroll hardware tokens (including YubiKeys) in the system. Only an admin can do that on behalf of a user.

There is no hard requirement from Duo that a YubiKey already programmed for OTP be reprogrammed again before adding it to Duo. You would just need to provide the Duo Admin with the serial number and key from your existing token.

Maybe the ITS representative you spoke with is not aware of this, or isn’t sure how to view the key info for a token when it’s already programmed.

Maybe your ITS org feels there is no secure way for you to communicate the key information to them so they want to have someone reprogram it and copy the info directly from the YubiKey Personalization tool into Duo.

Maybe they are protecting your information by not keeping a record of your token key information when that token may be used with non-university systems.

Maybe they just don’t want to have tokens that grant access to their systems also used with systems they do not control.

Assuming the ITS Duo admins are aware that there is no technical requirement from Duo to reprogram the YubiKey, it sounds like there is some IT policy decision at play, and we can’t really provide any assistance with that.

But, if you were just looking for a “Duo says it would work without reprogramming” response, well… you got it.


#3

@DuoKristina Thank you for the very concise and helpful answer. Your assumption is correct. I guess my remaining question comes down to your comment

or isn’t sure how to view the key info for a token when it’s already programmed.

I was under the impression that key info was in principle unretrievable after programming, but I’m getting the feeling that’s not exactly true. If that’s the case, I feel less secure in my use of Yubikeys :worried: If I wanted to retrieve the key info, would I use the YubiKey Personalization Tool? I started looking up the docs for that, but it’s not so simple. Starting to think that it might be easiest and best from a security standpoint to just let them reprogram me. I have another key used as backup, so after reprogramming the first one, I can just deregister/reregister it with my services (using the 2nd key or phone app to login), and it should be fine, no?
They mentioned programming the second slot on the key as an option, but that gives me a gut feeling that it’ll cause trouble for authentication down the line.

I must admit I’m still a bit mystified as to why key info needs to be entered “manually” into Duo, when, e.g., Fastmail.com could register me over the web (for OTP, back when I was using that). I know my university will not go to the trouble of producing a web GUI for doing that, but I imagined just walking down to the ITS building, plugging my key into the appropriate USB port where Duo s/w is running, and pushing the button. Can you give me a brief idea of why that’s not possible here?


#4

You are right, but perhaps you saved your key info after programming? I stored my info in a secure location in case I needed it again and didn’t want to reprogram. I assumed you had done the same (don’t know why). If nobody has the key info from the initial programming then yes it would have to be reprogrammed to something known to import it into Duo.

To your second question, it’s not possible because it’s just not possible at this time (as in, the product doesn’t currently support it). We always welcome feature requests from customers, so if your ITS team seems interested they could have the Duo admin for your school submit a feature request for easier YubiKey enrollment.


#5

OK, well that finalizes it. Thanks again. I bought my keys individually, directly from Yubico, already programmed :slight_smile:

As for the feature request…I know my school won’t find it necessary, but it seems like such an obvious thing to me, I’m frankly flabbergasted that it doesn’t already exist. My (clearly unfounded) certainty of the existence of this software feature resulted in several frustrated and needless email back and forths with ITS because I held the unspoken assumption that this must be possible, and they apparently couldn’t conceive of anything other than what the s/w was already doing! :roll_eyes: