That’s great news, thanks for cross posting.

I’d still like to know about U2F over NFC … it doesn’t work and I’m not sure where lies the limitation.

Quick update: Much more information on Firefox support for Security Keys and TouchID auth on macOS, including links to the new documentation, is available in the latest release notes post here: Duo Release Notes for March 15, 2019

Any additional guidance on getting U2F to work with Duo in Firefox? I have the latest version of Firefox 65.0.2, enabled security.webauth.u2f in about:config, and have authenticated using U2F through Chrome one additional time as outlined in the Duo release notes. I also have a policy created and applied to the Duo Device Management Portal application with WebAuthn (Security Keys, Touch ID) as an allowed Authentication Method. I’m testing this by logging in to the DMP in Firefox but I still get the message about “Requires Chrome to use Security Keys” when trying to use my Security Key (U2F) to log in to the DMP.

Hi Buster,
Apologies for a bunch of links headed your way, but I think I know what issue you’re having here. Keys only enrolled as U2F are not supported for Firefox, so you’ll need to make sure the key is enrolled as a WebAuthn device and make sure you’re selecting it in the prompt.

You’ll need to do the following:

1. Update your Security Key in Chrome as shown here: https://guide.duo.com/security-keys#existing-u2f-users
2. If it is not your default device, in Firefox you will need to select your key in the device dropdown as shown in the second secreenshot here:https://guide.duo.com/security-keys#security-key-auth

It sounds like you’ve probably already done the first bit, but it’s good to check. You can set your default device in the Self-Service Portal (“My Settings & Devices”) as documented here: https://guide.duo.com/manage-devices.

Dooley, thank you for the reply and the links. I don’t know how to switch these Yubikeys from U2F to WebAuthn in the Duo Admin portal. They have U2F IDs but not WebAuthn IDs listed under the WebAuthn &U2F section in the Admin portal. I also don’t get prompted to “Update” these when using them as U2F for an application (as noted by your first link) as I’m guessing this is the process that is supposed to enable them as WebAuthn? I’ve also removed them from the Duo configuration and added some back through the self-service and DMP.

On a side note, should Touch ID be listed in the DMP as well when I have it enabled in the Device Management Portal policy?

Just tracked down some answers for you:

I don’t know how to switch these Yubikeys from U2F to WebAuthn in the Duo Admin portal.

As of now, you cannot. We currently don’t support WebAuthn enrollment in the Admin Panel. This is something we’re hoping to deliver, but there is no ETA on this feature at the moment.

I also don’t get prompted to “Update” these when using them as U2F for an application (as noted by your first link)

Please verify that Security Keys (WebAuthn) is enabled in your group and/or application Authentication Methods policies. Once enabled, the next time you use your security key in Chrome, you should be prompted for an upgrade.

should Touch ID be listed in the DMP as well when I have it enabled in the Device Management Portal policy

Once enrolled and allowed via policy (please check your group and application Authentication Methods policies here as well), macOS TouchID should be listed as an option in Chrome. TouchID is not supported on other browsers. Here is the TouchID documentation https://guide.duo.com/touch-id.

For what it’s worth, I was not seeing this active for users on our system yet (Deployment DUO50), but I did have the Methods associated with WebAuthn (both TouchID & Security Keys) selected as options in our various policies (turned on by default from what I could see). HOWEVER, it was not on by default in our global policy, so when I flipped those one I started to see them available for users who all fall into the more granular policies.

I was successfully able to update my U2F/Yubikey entry and then subsequently use it to auth in a Firefox browser (wahoo!).

I’m not sure if I ever realized before that options in the Global Policy have to be enabled in order for them to be “on” in the more specific policies, unless this is a unique behavior to this new feature set.

All that being said, I did a quick test with trying Enroll my Touch ID on my MacBook Pro and it’s giving me an error about “Your identity couldn’t be verified: This device doesn’t support the type of security key requested by this website”. I have yet to do any investigation/troubleshooting with this, but for the record I’m using Chrome 73.0.3683.75 with MacOS 10.14.3 on my 2017 MacBook Pro.

Just to be completely clear. I did see the authentication methods listed in our policies as options (both at the global and the group/application level). However, what I found is that enabling methods for WebAuthn at the group/application level did not seem to do anything until I also enabled them in the global policy. I can’t really experiment with this much since this is a production environment, but that’s definitely the behavior I saw. From what I can tell, the policy order (per: Policy & Control | Duo Security) for enabling WebAuthn did not take precedence when it was enabled in our group policies and only became enabled when I allowed it in our Global Policy. My assumption was that the global policy was always the lowest priority in the policy order, but that was not my experience for this setting. I don’t have a problem enabling it at the global level, but if that’s not the proper behavior I figured it was worth noting.

Thanks much. I’m definitely following the TouchID enrollment process and will likely be contacting the Support Team, but haven’t spent much time troubleshooting yet myself.

Sorry I wasn’t clear in my original post. I have a specific application policy applied to our Device Management Portal that allows WebAuthn and TouchID. Our Global policy has these options unchecked. I wasn’t seeing U2F or Touch ID allowed in the Device Management Portal, even after trying with Chrome, reboots, clearing cookies, remove/add security key in chrome, etc.

I came back a few hours later, logged in to the Device Management Portal (application that has a specific policy allowing WebAuthn and security keys) and noticed that I was able to use my U2F and Touch ID is listed. Seems like it took a couple of hours for this feature to apply to our tenant/account.

Good work on getting the WebAuthn support out there! Looking forward to testing with Touch ID in the next few days and Windows Hello later this year.

Hi David,
Sorry to hear you’re having a frustrating experience with this. By any chance do you have multiple keys registered? We discussed this internally and are not aware an issue like this unless you’re attempting an authentication using the wrong Security Key at the Duo Prompt.