YubiKey 5 NFC and Mobile Devices - how to authenticate?

Hello - I’m working on implementing the YubiKey 5 NFC for an organization and I’m wondering how users would authenticate on mobile devices such as their phones and tablets? My scenario will focus on Microsoft Azure Active Directory - so a Duo Prompt would appear after implementation for users that have Outlook on their phones.

I found an old thread here, but nothing else:

Documentation states nothing about mobile devices:
https://guide.duo.com/security-keys

Hi @JuniorSA,
Based on what I can find so far, YubiKey 5 NFC will not work on a mobile device with Duo. For tablets and phones, we recommend using Duo Mobile to authenticate instead. Have you already looked into that, and is there a reason you don’t want to use it if so?

Hey Amy - thanks for the reply.
A client I’m working with would prefer using the YubiKey as they don’t want to force the installation of the Duo Mobile app on their employees’ phones.

I personally prefer the Duo Mobile app and Duo Push for authentication… but sometimes it isn’t my call :(

Thank you!

Ah, that makes sense. It is a common thing we hear from users, so I understand. Thank you for sharing that additional info.

The only other option I can think of would be to use a hardware token, or potentially phone call or SMS, but those may not be the best for your given situation as they have their own drawbacks. Sorry I can’t be of more help here!

I was able to authenticate by enabling NFC on my Android phone, and putting the YubiKey 5 NFC to the back of the phone. The phone then prompted me to open a Yubico site that gave me access to copy my passcode into the challenge field for the Office authentication.


Did you have to do any additional configuration in the Duo Admin Console or to the YubiKey?

I followed the instructions listed here to “program” the YubiKey and add it to our console and attach it to the user account.

However, after re-reading your post, we are using a hybrid environment with ADFS, which may make the difference regarding the authentication ability.


Yep, I did try this with no success with Azure being the protected application. Plus, with over 50 keys being sent to remote clients, this seems quite cumbersome!

Thanks for the input!