Windows RDP Yubico key

We are using Duo for Windows RDP on a server.
I want to change one user to use a Yubico.

I see in the Duo documentation that Yubico U2F is limited to Offline mode only.
Before I buy a Yubico key, is it possible to force offline mode for the user so he can use his Yubico for authentication?

Thank you.

I never had this setup on a server, but had it for logging into my laptop. I used a Yubikey for the second authentication. You can definitely set this up. You just have to add it as a device on the users account.

You can use a Yubikey in OTP mode for online authentication, but you cannot use U2F for online authentication.

You can use a Yubikey as U2F for offline authentication, but you cannot use OTP for offline authentication.

You can accomplish both with one device if you get something like the Yubikey 5C nano, import it to Duo as a hardware token and assign it to a user (for OTP online auth), and then the end-user can also enroll it as a U2F for local Windows logon offline access or for use with the Duo authentication prompt for web applications.

We are using Duo for Windows RDP on a server.
I want to change one user to use a Yubico.

Note that U2f for offline over RDP connections isn’t supported. Offline access over RDP must use Duo Mobile to authenticate. It’s the second limitation bullet here.

1 Like