Enrolling or Adding a Second Factor Device to Duo 2-Factor Authentication
Introduction
2-factor enrollment (setup and configuration) is required to log into many Virginia Tech Web-based systems. To use these Web sites and services that use the Login service, you are required to authenticate with a second factor.
If wireless Internet is not connected, push notifications may incur carrier data charges.
A D-100 which is a physical token smaller than a deck of playing cards that will display a 6-digit passcode. It does not require any Internet or data connection.
Individual: $27+ Departmental purchase available
A YubiKey which is a physical hardware token you insert into a USB slot on your computer.
Individual: $40+ Departmental purchase available
Text messages on any cellular phone or smartphone
Any fee for SMS text message
A landline, smartphone, or cellular phone that can receive voice calls at your office, home, or other location.
Any fee for voice calls
Using a smartphone as your second factor will present multiple authentication options each time you authenticate, including receiving a voice call or a text message, or generating a passcode from the Duo app which does not require Internet or cellular service.
Requirements for Enrolling for the First Time
You will need to have access to one of the following types of devices:
Enrolling a Smartphone, Tablet, or Mobile Device by Installing the Duo Mobile App
Using a smartphone as your second factor will present multiple authentication options each time you authenticate, including receiving a voice call or a text message, or generating a passcode from the Duo app which does not require Internet or cellular service.
If you have not yet registered for 2-factor, click the Enroll button.
If prompted to Choose an authentication device, authenticate with a second-factor that is different from the second-factor you want to add.
Near the bottom of the page, in the 2-Factor Account section, click Manage tokens.
Under Enrolled Tokens, click Enroll Token.
Click Enroll Hardware Token.
Click Duo D-100.
In the Serial Number text box, type the serial number that can be found on the back of your D-100.
If the serial number on the back of the token starts with DSEC, type all of the characters. Example: DESC00000000
If the serial number on the back of the token starts with a number (such as 00-0000000-0), type all of the characters without the dashes. Example: 0000000000
Click Lookup.
In the text box, type the six-digit numeric code displayed on your D-100 displayed by pressing the button on the D-100.
If you did not obtain a pre-registered YubiKey from your department or Hokie Centric, skip to step 15 "Registering and Enrolling YubiKey Using the Personalization Tool" of this section.
If you have not yet registered for 2-factor, click the Enroll button.
If prompted to Choose an authentication device, authenticate with a second-factor that is different from the second-factor you want to add.
Near the bottom of the page, in the 2-Factor Account section, click Manage tokens.
Under Enrolled Tokens, click Enroll Token.
Click Enroll YubiKey OTP Token.
In the browser window, in the Serial Number text box, type the serial number of the YubiKey. (The number is usually printed in small letters on the YubiKey. It may also be found on the packaging in which the YubiKey came.)
Click Lookup.
If prompted about the token already exist, click Enroll.
If you see the Private ID text box, skip to step 15 "Registering and Enrolling YubiKey Using the Personalization Tool" of this section.
Insert the YubiKey into a USB port of your computer.
Click to place your cursor in the Use the token to generate a Passcode text box.
While the YubiKey is in the USB port of your computer, press the center of your YubiKey for 1 to 3 seconds to generate a string of letters.
If the page does not automatically start loading, click Submit.
You will see a message saying you’ve successfully enrolled your YubiKey.
Registering and enrolling YubiKey using the Personalization Tool:
If you were already using your YubiKey for other services, this procedure will cause it to stop working for those other services.
Under the YubiKey Personalization Tool (preferred) heading, click Mac Download (.pkg file).
When the download is complete, in Finder, double-click the file that you just downloaded.
Follow the directions in the installer to finish installing it.
Insert your YubiKey into the USB port.
Verify it is plugged in correctly by looking for either:
A solid or blinking green light in the middle of the gold circle
The upper-right corner of the YubiKey Personalization Tool window should display “YubiKey is inserted”
In Mac OS, if you see a prompt to set up a new keyboard, close the window, and continue with these instructions.
Start YubiKey Personalization Tool.
Under Personalize your YubiKey in:, click Yubico OTPMode.
Click Quick.
Click Configuration Slot 1.
Clear the Hide values checkbox.
Click Write Configuration.
Keep this window open in order to register your token with Duo 2-factor authentication.
If you see a window about overwriting the configuration in Slot 1, click Yes. (This is normal as some YubiKeys come preconfigured with YubiCloud credentials.)
If prompted to save the log file, we recommend you click Cancel. (It would contain your private key and can compromise the security of your token.)
Register your token with Duo 2-factor authentication.
If you have not yet registered for 2-factor, click the Enroll button.
If prompted to Choose an authentication device, authenticate with a second-factor that is different from the second-factor you want to add.
Near the bottom of the page, in the 2-Factor Account section, click Manage tokens.
Under Enrolled Tokens, click Enroll Token.
Click Enroll YubiKey OTP Token.
In the YubiKey Personalization Tool that you left open, in the right pane, under the image of your token, under the Serial Number heading, to the right of Dec:, click the clipboard.
In the browser window, in the Serial Number text box, paste the copied serial number.
Click Lookup.
If prompted about the token already exists, click Enroll.
If you see the Use token to generate a passcode text box, follow the instructions at the top of this section instead of continuing.
In the YubiKey personalization Tool, find the token Private ID and Secret Key.
In the YubiKey Personalization Tool, in the Private Identity (6 bytes Hex) text box, highlight all of the text.
Copy the highlighted text.
In the browser window, in the Private ID text box, paste the copied text.
In the YubiKey Personalization Tool, in the Secret Key (16 bytes Hex) text box, highlight all of the text.
Copy the highlighted text.
In the browser window, in the Secret Key text box, paste the copied text.
Click Verify Token.
Press the center of your YubiKey for 1 to 3 seconds to generate a passcode in the Passcode text box.
Click Submit.
You will see a message saying you’ve successfully enrolled your YubiKey.
WinAuth is a no cost, third-party, software for your computer that can generate one-time-use passcodes so that no additional device interaction is necessary for authenticating.
You must first enroll a different type of device such as a mobile phone, landline telephone, tablet, or token before enrolling with WinAuth . For instructions, see the other sections on this page.