Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1145
Views
2
Helpful
3
Replies

Self-service hardware token registration

Conrad1
Level 1
Level 1

‎04-14-2022 12:35 PM

Is it possible to allow hardware tokens to be an option in the self-service device mgmt portal? We are 75% webauthn, however have some outliers that still require our Yubikeys with OTP. Having to manually upload these from the Admin side becomes ‘high touch’. We’ve seen several organizations online post in their documentation about having/configuring a self-service portal that allows end-users to upload their own hardware token information. Any guidance on how to do this?

Labels:
0 Helpful
3 Replies 3

Amy2
Level 5
Level 5

‎04-15-2022 07:29 AM

Hi @Conrad, welcome to the Duo Community! Thanks for sharing your question here.

I understand you would like to allow your end-users to add their own OTP hardware tokens from the self-service Device Management Portal. As far as I am aware, this is not possible. Admins need to manually import third-party OTP token information into Duo.

That being said, as you have seen organizations that mention this in their documentation, perhaps there is a way. I’ll be interested to see if anyone who has accomplished this before can weigh in.

Would you mind sharing a link to an example of the documentation you’ve seen? I’m curious and would like to take a look.

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to Amy2

‎04-15-2022 09:54 AM

I know some organizations have created custom user portals that front actions in Duo’s Admin API.

An extremely high-level example flow:

  1. Auth the user entering the portal and use Duo Web SDK for 2FA into the portal.
  2. POSTs to /admin/v1/tokens to create a new token based on token serial/secret input from the user.
  3. POSTs to /admin/v1/users to associate the new token with the user.

Importing a hardware token into Duo requires entry of the token seed info. Compromise of the token seed info means potential spoof of the token by bad actors, and if each individual user has access to their own token’s seed info it’s hard to track. If you were to go this route I think it might be safer to only permit tokens with reprogrammable secrets (like Yubikeys).

Also worth noting that we’re working on the next iteration of our user device management portal. You’re not the first to express interest in self-service OTP token management. I suggest contacting your Duo account exec or customer care manager (if you have one), or Duo support (if you don’t have a dedicated care team) to add your support to the feature request for token management by users.

Duo, not DUO.

Conrad1
Level 1
Level 1

‎04-15-2022 09:06 AM

Thanks @Amy. The primary frustration that we’re having is because:

Security tokens (self-service)
DUO Push (self-service)
mobile (self-service)
hardware token (manual)

So when trying to standardize with say Yubikeys but cover all scenarios, it becomes quite cumbersome as it’s no longer self-serviceable. As far as an example of another org that has referenced this, there’s actually quite a few EDU sites that pop up during Google searches, but one example is from Princeton where they have their guide publicly posted here if you reference steps 8/9: Using Yubikeys at Princeton | Department of Computer Science Computing Guide

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents