Can you clarify which Duo integration you’re using? U2F authenticators may only be used to authenticate with Duo when the browser-based Duo Prompt is in play, such as SSL VPN logons, accessing cloud applications via the Duo Access Gateway, etc.

If you are using the Duo Windows Logon or Duo Unix applications you can utilize Yubikey tokens in OTP mode to submit a passcode, but not as U2F authenticators because, as you alluded to, these applications do not display the Duo prompt in a browser.

The requirements for U2F authentication are listed on our U2F user guide:

"In order to use a U2F device with Duo, make sure you have the following:

A supported browser (Chrome 41 or later)
An available USB port"

The login flow for yubikey tokens is poor so they aren’t under consideration - you have to cancel the login prompt to enable the button and click ‘enter code’ then insert the token, click on the right place in the dialog and press a button. For users that find smartphones complex to use I really doubt that’s going to work.

The documentation implies you need to use a browser to register, and that’s fine (well sort of… having to install a webserver and implementing the portal manually was annoying hence it taking a couple of weeks to get around to testing U2F). IMO if it needs a browser to log in it’s a bit pointless, since by the time you can get to a browser you’re already logged in.

Again, it would help to know which Duo integration you’re using. You haven’t stated explicitly but I assume it’s Windows Logon from your description of the Duo authentication prompt. Is that correct?

U2F authentication is only supported for Duo authentication in a browser session. You cannot use U2F authentication with Windows Logon. If you purchased Yubikey 4 or Yubikey NEO U2F authenticator tokens they could also be used as OTP tokens for Windows Logon. If the U2F tokens you purchased do not also have OTP capabilities then, unfortunately, you cannot use them with Windows Logon.

You mention needing “to cancel the login prompt to enable the button”. If you are referring to the Windows Logon prompt, you can disable autopush by unchecking the “Use auto push to authenticate if available” option in the installer, or after installation with a registry edit described here. This would eliminate the extra step of cancelling a push authentication before clicking the “Passcode” button.

I apologize if our online documentation did not clearly indicate to you that Duo’s U2F support is limited to the Chrome browser for BOTH enrollment and authentication, but this is indeed the case.

U2F authentication in thick applications is not widely supported yet. Even with online services that support U2F the official browser support is limited to Chrome (there is a third-party Mozilla plugin). The only thick client I’ve heard of with native U2F support is the Dashlane app. Are you aware of others? We’d love to hear about them! It doesn’t appear that AuthLite supports U2F either, as they list support for the Yubikey token types that include OTP, and specifically say that the Yubikey FIDO U2F-only token isn’t supported.

I hope this additional information helps you find a solution that meets your use case.

Nearly two years have passed and your documentation seems to be no clearer.

We also bought a bunch of U2F tokens thinking we could use them for Windows authentication to find they don’t work as expected. Yes the documentation mentions Chrome as a requirement but I also thought that was for registering the tokens not for using them.

I only found out the actual situation after a lot of searching and coming across this thread.

Really about time you made your documentation clearer!

I am sorry to hear that the U2F page stating that a browser is needed to use U2F in the user guide did not adequately indicate to you that using a U2F token with Duo is limited to browser applications.

While you can use a U2F security key for offline access to Windows Logon, it is not yet supported for online authentication. We can make that clearer on the Windows Logon documentation page.

Thank you for helping us understand and for your thoughtful suggestions.

Thanks for the reply.

Does your answer imply that Windows Login with U2F is something you are working on?

Can you confirm that Yubikey OTP will work with RDP Logon?

1. No, the comments in this thread do not imply anything about future development. I was trying to disambiguate for you the two RDP use cases and their support of U2F.

• Online login to Duo RDP (system can contact Duo to perform regular MFA) - No U2F support. Note that this section of the RDP doc did always list what factors can be used with online login as bulleted items (Duo Push, Call Me, and Passcode).

• Offline logon to a client system (system cannot contact Duo to perform regular MFA) where the user has configured Duo RDP offline access - Supports U2F

2. Yes, Duo for Windows Logon does support OTP passcodes generated by a YubiKey for online MFA. I myself have a YubiKey 4 Nano that I use in both U2F and OTP mode for signing into different Duo UIs.

In response to your comments of last week we have added the clarification “Note that Duo Authentication for Windows Logon does not support U2F security keys for online authentication.” to the Duo for Windows Logon user guide as well as a new section to the Duo for Windows Login admin setup guide that enumerates the supported factors as a bulleted list as it seems they were missed in the “Test Your Setup” section by at least two people.

I had already changed the U2F guide page to say

In order to use a U2F security key with Duo, make sure you have the following:

• A supported browser (Chrome 41 or Opera 40 or later). U2F support for authentication is limited to applications that show Duo’s inline browser prompt."