Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
325
Views
0
Helpful
9
Replies

Microsoft RDP application and Yubikey 5

Go to solution
Dan110
Level 1
Level 1

‎05-14-2024 09:45 AM

Hi All,

I'm attempting to setup a Yubikey 5 as the authentication method for logging into an RDP session on an AWS site that is protected by the Microsoft RDP application.

I have users setup using Duo Mobile and it works fine, but one user doesn't have a smart phone and would like to use her Yubikey 5 instead.

I've followed the instructions on the help doc below. I used YubiKey Manager to add an OTP to the first slot and copied the Public ID, Private ID, and Secret key to the Duo Admin Panel as a YubiKey AES Hardware Token and assigned it to the appropriate user. So far so good. https://duo.com/docs/yubikey

But, there is a step that I'm missing to add Duo as an application in the Yubico Authenticator to actually generate the OTP for Duo. The Accounts page has nothing listed and when I go to add one I'm not sure what to fill for the Account name, Secret Key and what the config options should be.

Dan110_0-1715705000066.png

 

Any help would be appreciated.

Thanks,
Dan

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
DuoKristina
Cisco Employee
Cisco Employee
In response to Dan110

‎05-16-2024 08:30 AM

If the YubiKey OTP slot config was saved to the key, when she touches the YubiKey in any text entry field (including but not limited to the passcode field in a Duo prompt) it should output an YubiKey AES OTP string like this (me touching mine to generate this example passcode) cccccciduegteggfbdkbjdijrtfekkingeefjhcblnni.

Duo, not DUO.

View solution in original post

0 Helpful
9 Replies 9

Go to solution
DuoKristina
Cisco Employee
Cisco Employee

‎05-15-2024 03:05 PM

You do NOT need to add Duo as an application to the Yubico Authenticator to use the YubiKey as an OTP-generating token for Duo.

Once you have configured a slot for AES OTP, added the information for the OTP token in the Duo Admin Panel, and assigned that new token in Duo to the user, all she should need to do is tap the YubiKey to generate the 40-char YubiKey OTP string.

Adding an account in Yubico Authenticator makes it like a soft token that someone can use to generate passcodes for other services. Like, instead of using an app on your phone to set up an OTP passcode authenticator app for a service like Instagram, you would use the Yubico Authenticator app instead, and the account info you'd add would be the OTP account security info from Instagram. Duo doesn't support using that type of authenticator with our cloud 2FA service.

Duo, not DUO.
0 Helpful

Go to solution
Dan110
Level 1
Level 1
In response to DuoKristina

‎05-16-2024 08:07 AM

Hi @DuoKristina,

When she taps the YibiKey she says nothing happens, which application would show the OTP string what tapping?

Thanks!

0 Helpful

Go to solution
DuoKristina
Cisco Employee
Cisco Employee
In response to Dan110

‎05-16-2024 08:30 AM

If the YubiKey OTP slot config was saved to the key, when she touches the YubiKey in any text entry field (including but not limited to the passcode field in a Duo prompt) it should output an YubiKey AES OTP string like this (me touching mine to generate this example passcode) cccccciduegteggfbdkbjdijrtfekkingeefjhcblnni.

Duo, not DUO.
0 Helpful

Go to solution
Dan110
Level 1
Level 1
In response to DuoKristina

‎05-16-2024 08:33 AM

Does this require the Yubikey Manager or any other software installed? Or just it just act like a keyboard once the OTP slot has been configured?

Bare with me, I don't have a Yubikey myself and I can only get in touch with this user on Tuesday, so I'd like to get as much info as possible before I connect with her next week.

Thanks,
Dan

0 Helpful

Go to solution
DuoKristina
Cisco Employee
Cisco Employee

‎05-16-2024 08:49 AM - edited ‎05-16-2024 08:54 AM

I uninstalled the YubiKey Manager app off my laptop to confirm that its presence is no longer required once the OTP slot(s) are configured.

Is it possible she is not touching the YubiKey long enough? From Yubico's documentation:

For the Touch-Triggered OTP functions, the YubiKey can hold up to two different configurations. These OTP configurations are stored in “OTP Slots”, and the user differentiates which slot to use by how long they touch the gold contact; a short touch (12.5 seconds) will output an OTP based on the configuration stored in slot 1, while a long touch (35 seconds) will output an OTP based on the configuration stored in slot 2.

ETA: I know people often miss clicking "Finish" in YubiKey Manager. Clicking "Generate" shows the new secret, etc., but doesn't actually write to the key; clicking "Finish" actually writes.

Duo, not DUO.
0 Helpful

Go to solution
Dan110
Level 1
Level 1
In response to DuoKristina

‎05-16-2024 08:54 AM

Thanks @DuoKristina,

I'll connect with the user asap and mark this as a solution once confirmed.

Regards,
Dan

0 Helpful

Go to solution
Dan110
Level 1
Level 1

‎05-16-2024 08:56 AM

I forgot to mention, yes anything is possible that she may not have been pressing long enough or too long. She configured slot 1 and said the light stopped blinking. But she may not have had her cursor in a text field because I didn't realise it worked that way and thought it would popup with a code for her to enter.

Thanks,
Dan

0 Helpful

Go to solution
Dan110
Level 1
Level 1

‎05-16-2024 09:36 AM

I reached the user at home and tested with OTP successfully. I really think the issue was the cursor wasn't in a text field and was my mistake.

Thanks @DuoKristina!!

0 Helpful

Go to solution
DuoKristina
Cisco Employee
Cisco Employee

‎05-16-2024 10:01 AM

Glad it was secretly going to work all along.  

Duo, not DUO.
0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents