U2F Not working? How to enable


#1

We can’t use mobile authentication for some users because they don’t have or want smartphones, so we bought a bunch of U2F tokens on the understanding Duo was compatible with them.

However we don’t seem to be able to get it to work. I’ve followed the steps on https://guide.duo.com/u2f - I’ve added a dongle to a test account, logged out and just got the normal mobile prompt. Reinserting the U2F dongle did nothing. Is there a driver we need or something? The documentation just implies it works automatically.


#2

What browser are you using to view the prompt? U2F is currently only supported for authentications at the Duo Prompt when using Chrome.

Our guide.duo content is end-user facing; I’d recommend you reference our admin-facing U2F docs here: https://duo.com/docs/administration-settings#u2f-tokens.


#3

It’s being used for login, so no browser is involved. If it’s browser only this needs to be made clear in the documentation.

It’s looking more and more like Duo won’t be suitable for us, as it’s focused on browser-based software, not login authentication… It’s a pity, as AuthLite, which is the only competition, is so hard to configure we gave up on it, so Duo was a shoo-in if it worked.


#4

Can you clarify which Duo integration you’re using? U2F authenticators may only be used to authenticate with Duo when the browser-based Duo Prompt is in play, such as SSL VPN logons, accessing cloud applications via the Duo Access Gateway, etc.

If you are using the Duo Windows Logon or Duo Unix applications you can utilize Yubikey tokens in OTP mode to submit a passcode, but not as U2F authenticators because, as you alluded to, these applications do not display the Duo prompt in a browser.

The requirements for U2F authentication are listed on our U2F user guide:

"In order to use a U2F device with Duo, make sure you have the following:

A supported browser (Chrome 41 or later)
An available USB port"


#5

The login flow for Yubikey tokens is poor so they aren’t under consideration - you have to cancel the login prompt to enable the button and click ‘enter code’, then insert the token, click on the right place in the dialog and press a button. For users that find smartphones complex to use I really doubt that’s going to work.

The documentation implies you need to use a browser to register, and that’s fine (well sort of… having to install a webserver and implementing the portal manually was annoying hence it taking a couple of weeks to get around to testing U2F). IMO if it needs a browser to log in it’s a bit pointless, since by the time you can get to a browser you’re already logged in.


#6

Again, it would help to know which Duo integration you’re using. You haven’t stated explicitly but I assume it’s Windows Logon from your description of the Duo authentication prompt. Is that correct?

U2F authentication is only supported for Duo authentication in a browser session. You cannot use U2F authentication with Windows Logon. If you purchased Yubikey 4 or Yubikey NEO U2F authenticator tokens they could also be used as OTP tokens for Windows Logon. If the U2F tokens you purchased do not also have OTP capabilities then, unfortunately, you cannot use them with Windows Logon.

You mention needing “to cancel the login prompt to enable the button”. If you are referring to the Windows Logon prompt, you can disable autopush by unchecking the “Use auto push to authenticate if available” option in the installer, or after installation with a registry edit described here. This would eliminate the extra step of cancelling a push authentication before clicking the “Passcode” button.

I apologize if our online documentation did not clearly indicate to you that Duo’s U2F support is limited to the Chrome browser for BOTH enrollment and authentication, but this is indeed the case.

U2F authentication in thick applications is not widely supported yet. Even with online services that support U2F the official browser support is limited to Chrome (there is a third-party Mozilla plugin). The only thick client I’ve heard of with native U2F support is the Dashlane app. Are you aware of others? We’d love to hear about them! It doesn’t appear that AuthLite supports U2F either, as they list support for the Yubikey token types that include OTP, and specifically say that the Yubikey FIDO U2F-only token isn’t supported.

I hope this additional information helps you find a solution that meets your use case.