Unable to get Yubikey 4 to work with Duo


#1

We just purchased a batch of Yubikey 4s and I am unable to get mine to work with Duo. I’m following https://duo.com/docs/yubikey. It works on the Yubico website if I upload the config to Yubico. I’ve regenerated a half-dozen times or more with no luck.

I even tried configuring as 6-digit HOTP and it didn’t work. In 6-digit HOTP mode I noticed it emits lots more than 6 digits (I believe it is sending the public and/or private identifier before the 6-digit code). I had it put three codes into my text editor, stripped all but the last 6 digits from them and successfully resynced the token, so it looks like it works for anything but logging in. (I tried the 6 digit trick for logging in, too - no luck).

I can’t tell if the Yubikey OTP mode generates too many characters - I don’t know what Duo is expecting.

Any ideas?

Thanks!

…Ralph


#2

Hi Ralph, this sounds like the Yubikeys may not have been added correctly in the Duo Admin Panel. If you are still not able to get them working after removing them and following the /docs page again, please contact our Support Team.


#3

Remember you have to rewrite to the YubiKey after you regenerate it. That tripped me up a couple times.

I used this YouTube video and was successful in getting mine setup:

tim


#4

It turns out that the issue was that I was using the Duo Admin Panel to test. When I created an RDP Duo application, it worked just fine. I can see now that there are very few choices for 2FA for admins.

Thanks!

…Ralph


#5

Ah, gotcha. Thanks for letting us know about the solution! And we’re looking to expand admin login functionality in the future, but no ETA was can share at this time.


#6

Once you have a working Yubikey imported into the admin console, an administrator can go in to the ‘Administrators’ tab in the admin console and associate a Yubikey with an user. Afterwards that user can log in to the admin console with ‘enter a code’ by pressing the YubiKey.