Is it possible to allow hardware tokens to be an option in the self-service device mgmt portal? We are 75% webauthn, however have some outliers that still require our Yubikeys with OTP. Having to manually upload these from the Admin side becomes ‘high touch’. We’ve seen several organizations online post in their documentation about having/configuring a self-service portal that allows end-users to upload their own hardware token information. Any guidance on how to do this?
Hi @Conrad, welcome to the Duo Community! Thanks for sharing your question here.
I understand you would like to allow your end-users to add their own OTP hardware tokens from the self-service Device Management Portal. As far as I am aware, this is not possible. Admins need to manually import third-party OTP token information into Duo.
That being said, as you have seen organizations that mention this in their documentation, perhaps there is a way. I’ll be interested to see if anyone who has accomplished this before can weigh in.
Would you mind sharing a link to an example of the documentation you’ve seen? I’m curious and would like to take a look.
Thanks @Amy. The primary frustration that we’re having is because:
- Security tokens (self-service)
- DUO Push (self-service)
- hardware token (manual)
So when trying to standardize with say Yubikeys but cover all scenarios, it becomes quite cumbersome as it’s no longer self-serviceable. As far as an example of another org that has referenced this, there are actually quite a few EDU sites that pop up during Google searches, but one example is from Princeton where they have their guide publicly posted here if you reference steps 8/9: Using Yubikeys at Princeton | Department of Computer Science Computing Guide
I know some organizations have created custom user portals that front actions in Duo’s Admin API.
An extremely high-level example flow:
- Auth the user entering the portal and use Duo Web SDK for 2FA into the portal.
- POSTs to /admin/v1/tokens to create a new token based on token serial/secret input from the user.
- POSTs to /admin/v1/users to associate the new token with the user.
Importing a hardware token into Duo requires entry of the token seed info. Compromise of the token seed info means potential spoof of the token by bad actors, and if each individual user has access to their own token’s seed info it’s hard to track. If you were to go this route I think it might be safer to only permit tokens with reprogrammable secrets (like Yubikeys).
Also worth noting that we’re working on the next iteration of our user device management portal. You’re not the first to express interest in self-service OTP token management. I suggest contacting your Duo account exec or customer care manager (if you have one), or Duo support (if you don’t have a dedicated care team) to add your support to the feature request for token management by users.
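A sketch of the portal-side flow described above, added here as an example (it is not Duo's code or the duo_client library): it implements the HMAC-SHA1 request signing the Duo API documents, restricts self-service enrollment to reprogrammable yk tokens as the post suggests, sends the association call to the per-user form of the endpoint (/admin/v1/users/[user_id]/tokens), and injects the HTTP sender so the flow can run offline. IKEY, SKEY, HOST and the fake responses are placeholders, and the portal's own user authentication (Web SDK step) is assumed to have already happened.

```python
import base64
import email.utils
import hashlib
import hmac
from urllib.parse import quote

# Placeholder credentials (assumption): an Admin API application with write permission.
IKEY, SKEY = "DIXXXXXXXXXXXXXXXXXX", "placeholder-admin-api-secret-key"
HOST = "api-xxxxxxxx.duosecurity.com"

# Only reprogrammable token types pass the portal: a leaked Yubikey OTP seed can be replaced
# by reprogramming the key, whereas a fixed-seed HOTP token (h6/h8) would have to be retired.
ALLOWED_TYPES = {"yk"}

def canon_params(params):
    """Duo canonicalization: sort by key, URL-encode with only '~' left unescaped."""
    return "&".join(f"{quote(k, '~')}={quote(str(v), '~')}" for k, v in sorted(params.items()))

def sign(method, path, params, date):
    """Date and Authorization headers for a Duo API call using its HMAC-SHA1 scheme."""
    canon = "\n".join([date, method.upper(), HOST.lower(), path, canon_params(params)])
    sig = hmac.new(SKEY.encode(), canon.encode(), hashlib.sha1).hexdigest()
    auth = base64.b64encode(f"{IKEY}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {auth}"}

def signed_post(path, params, send, date=None):
    """Sign a POST and hand it to send(path, params, headers), which returns the parsed JSON."""
    date = date or email.utils.formatdate()
    return send(path, params, sign("POST", path, params, date))

def enroll_yubikey(user_id, serial, private_id, aes_key, send, token_type="yk"):
    """The flow from the post: create the token, then associate it with the user."""
    if token_type not in ALLOWED_TYPES:
        raise ValueError(f"token type {token_type!r} is not self-service enrollable")
    created = signed_post("/admin/v1/tokens", {"type": token_type, "serial": serial,
                          "private_id": private_id, "aes_key": aes_key}, send)
    token_id = created["response"]["token_id"]
    # Only the opaque token_id is retained; the seed material is never logged or stored here.
    signed_post(f"/admin/v1/users/{user_id}/tokens", {"token_id": token_id}, send)
    return token_id

def make_fake_duo():
    """Constructed stand-in for the HTTPS sender: records calls, returns a canned Duo reply."""
    calls = []
    def send(path, params, headers):
        calls.append((path, dict(params), headers["Authorization"][:6]))
        return {"stat": "OK", "response": {"token_id": "DHPLACEHOLDERTOKEN00"}}
    return send, calls
```

In a real portal, send would issue the HTTPS POST with the returned headers to HOST and return the parsed JSON body.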