Microsoft RDP application and Yubikey 5

Dan110
Level 1

Hi All,

I'm attempting to setup a Yubikey 5 as the authentication method for logging into an RDP session on an AWS site that is protected by the Microsoft RDP application.

I have users setup using Duo Mobile and it works fine, but one user doesn't have a smart phone and would like to use her Yubikey 5 instead.

I've followed the instructions on the help doc below. I used YubiKey Manager to add an OTP to the first slot and copied the Public ID, Private ID, and Secret key to the Duo Admin Panel as a YubiKey AES Hardware Token and assigned it to the appropriate user. So far so good. https://duo.com/docs/yubikey

But, there is a step that I'm missing to add Duo as an application in the Yubico Authenticator to actually generate the OTP for Duo. The Accounts page has nothing listed and when I go to add one I'm not sure what to fill for the Account name, Secret Key and what the config options should be.


Any help would be appreciated.

Thanks,
Dan


9 Replies

DuoKristina
Cisco Employee

You do NOT need to add Duo as an application to the Yubico Authenticator to use the YubiKey as an OTP-generating token for Duo.

Once you have configured a slot for AES OTP, added the information for the OTP token in the Duo Admin Panel, and assigned that new token in Duo to the user, all she should need to do is tap the YubiKey to generate the 40-char YubiKey OTP string.

Adding an account in Yubico Authenticator makes it like a soft token that someone can use to generate passcodes for other services. Like, instead of using an app on your phone to set up an OTP passcode authenticator app for a service like Instagram, you would use the Yubico Authenticator app instead, and the account info you'd add would be the OTP account security info from Instagram. Duo doesn't support using that type of authenticator with our cloud 2FA service.

Duo, not DUO.

Hi @DuoKristina,

When she taps the YubiKey she says nothing happens. Which application would show the OTP string when tapping?

Thanks!

If the YubiKey OTP slot config was saved to the key, when she touches the YubiKey in any text entry field (including but not limited to the passcode field in a Duo prompt) it should output an YubiKey AES OTP string like this (me touching mine to generate this example passcode) cccccciduegteggfbdkbjdijrtfekkingeefjhcblnni.

Duo, not DUO.
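As an added illustration (not code from the thread, Duo or Yubico), the following Python helper shows what the string Kristina pasted actually is and gives an admin a quick way to sanity-check one during troubleshooting. A YubiKey OTP is 44 modhex characters: the first 12 are the token's Public ID (the value that was copied into the Duo Admin Panel), and the remaining 32 are the AES-encrypted one-time part that only the validation service can decrypt, so the helper deliberately does no cryptography. The public-ID comparison function and the names below are my own; the 44/12 split and the modhex alphabet are the documented YubiKey OTP format.

```python
# Added example: structural check of a YubiKey AES OTP string.
# No key material is used; the OTP's 32-char encrypted body is opaque here.
from dataclasses import dataclass

MODHEX_ALPHABET = "cbdefghijklnrtuv"   # modhex digit at index i stands for hex digit i
OTP_LENGTH = 44                         # 12-char public ID + 32-char encrypted body
PUBLIC_ID_LENGTH = 12


@dataclass
class OtpCheck:
    valid: bool
    reason: str
    public_id: str = ""        # modhex, as shown in YubiKey Manager / Duo Admin Panel
    public_id_hex: str = ""    # same value as ordinary hex, for comparison with other tools
    ciphertext: str = ""       # the per-press encrypted part; changes every touch


def modhex_to_hex(s: str) -> str:
    """Translate a modhex string to ordinary hex."""
    return "".join(format(MODHEX_ALPHABET.index(ch), "x") for ch in s)


def check_yubikey_otp(otp: str) -> OtpCheck:
    """Verify that a pasted string has the shape of a YubiKey OTP and split it up."""
    s = otp.strip().lower()
    if len(s) != OTP_LENGTH:
        return OtpCheck(False, f"expected {OTP_LENGTH} characters, got {len(s)}")
    bad = sorted({ch for ch in s if ch not in MODHEX_ALPHABET})
    if bad:
        # Modhex uses letters that sit in the same place on most keyboard layouts,
        # so stray characters usually mean the string was retyped or truncated.
        return OtpCheck(False, f"non-modhex characters: {''.join(bad)}")
    public_id = s[:PUBLIC_ID_LENGTH]
    return OtpCheck(True, "well-formed", public_id,
                    modhex_to_hex(public_id), s[PUBLIC_ID_LENGTH:])


def public_id_matches(otp: str, registered_public_id: str) -> bool:
    """Did this OTP come from the token whose Public ID was registered for the user?"""
    result = check_yubikey_otp(otp)
    return result.valid and result.public_id == registered_public_id.strip().lower()


if __name__ == "__main__":
    # Sample input: the already-used OTP Kristina pasted above (a consumed OTP
    # cannot be replayed, which is why it is safe to quote).
    sample = "cccccciduegteggfbdkbjdijrtfekkingeefjhcblnni"
    r = check_yubikey_otp(sample)
    print(r.valid, r.reason)
    print("public ID :", r.public_id, "=", r.public_id_hex)
    print("body      :", r.ciphertext)
    print("matches registered token:", public_id_matches(sample, "cccccciduegt"))
```

The practical use in a case like this one: because the key types the OTP as keystrokes (it is a USB keyboard as far as the OS is concerned), have the user touch it with the cursor in a plain text editor, then run the captured string through the check. If it is 44 modhex characters, the slot is written and the key works; if the first 12 characters do not match the Public ID in the Duo Admin Panel, the wrong slot or the wrong key was enrolled.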

Does this require the YubiKey Manager or any other software installed? Or does it just act like a keyboard once the OTP slot has been configured?

Bear with me, I don't have a YubiKey myself and I can only get in touch with this user on Tuesday, so I'd like to get as much info as possible before I connect with her next week.

Thanks,
Dan

DuoKristina
Cisco Employee

I uninstalled the YubiKey Manager app off my laptop to confirm that its presence is no longer required once the OTP slot(s) are configured.

Is it possible she is not touching the YubiKey long enough? From Yubico's documentation:

For the Touch-Triggered OTP functions, the YubiKey can hold up to two different configurations. These OTP configurations are stored in "OTP Slots", and the user differentiates which slot to use by how long they touch the gold contact; a short touch (1-2.5 seconds) will output an OTP based on the configuration stored in slot 1, while a long touch (3-5 seconds) will output an OTP based on the configuration stored in slot 2.

ETA: I know people often miss clicking "Finish" in YubiKey Manager. Clicking "Generate" shows the new secret, etc., but doesn't actually write to the key; clicking "Finish" actually writes.

Duo, not DUO.

Thanks @DuoKristina,

I'll connect with the user asap and mark this as a solution once confirmed.

Regards,
Dan

Dan110
Level 1

I forgot to mention: yes, it's possible that she may not have been pressing long enough, or too long. She configured slot 1 and said the light stopped blinking. But she may not have had her cursor in a text field, because I didn't realise it worked that way and thought it would pop up with a code for her to enter.

Thanks,
Dan

Dan110
Level 1

I reached the user at home and tested with OTP successfully. I really think the issue was the cursor wasn't in a text field and was my mistake.

Thanks @DuoKristina!!

DuoKristina
Cisco Employee

Glad it was secretly going to work all along.  

Duo, not DUO.