Last modified 4 months ago Last modified on 02/04/21 17:28:20

Use YubiKey for 2FA with UA Duo for SSO, VPN and potentially other services using 2FA

  1. Obtain a YubiKey supporting OTP in form factor that works for you:

  1. Download and install the YubiKey Manager application on your computer:

  1. Configure your YubiKey for OTP in one of its two (virtual) slots* using detailed illustrated instructions in the Duo guide:

NOTE WELL: You will use the YubiKey Manager to generate cryptographic keys and store them on your YubiKey;
BE PATIENT: each of the three items will take a minute or so to generate and store;
DO NOT REPEAT steps by clicking multiple times - each click will restart and overwrite the previous result!

  1. Send a comma-separated string with
    (1) the digital serial no, (2) the 6 byte private id, and (3) the 16 bit secret key
    in that order (like this example:)
    4475749, e7fe845755d4, 8184650122dbe50057f968927f224b6a

to IAM or Security, noting your UA Username, which is the Duo account to which the token will be attached.

NOTE: send the text in a string, like the string above, not a picture of text!
NOTE: the 7 digit serial number is printed on the YubiKey

  1. IAM or Security will upload the CSV string to import your token, and assign it to your ID (UA Username) at Duo

*Which of the YubiKey's two (virtual) slots is used is determined by the duration of your touch. The first slot is used to generate the output when the YubiKey button is touched between 0.3 to 1.5 seconds and released and the second slot is used if the button is touched between 2 to 5 seconds.

Two factor authentication for privileged VPN access to UA network

As of March 2017 two VPNs require Duo two-factor authentication: and

You must request access to use VPN's through the UA Service Desk / incident ticket

VPN authentication

VPNs use Duo's "Append Mode" to provide a second factor in addition to UA Password in the Password field. You enter your password, followed by a comma, then an indicator of your second factor. You can provide the second factor using DuoMobile Push, telephone call-back, one-time passcodes (OTPs), or YubiKey token.

DuoMobile for second factor

password,push             e.g., enTrenching?4flogged,push

pushes a login request to your smart phone with DuoMobile app enrolled for UA; review the request and tap "Approve" on the phone to complete login.

One-time Passcodes for second factor

password,OTPasscode      e.g., Licenser&6wiretapper,012345

where OTPasscode is a one-time passcode generated with DuoMobile, or generated by your hardware token (see use of YubiKey? section below for automated entry of OTPasscode).

You can also request that passcodes be sent to you via SMS to your enrolled mobile phone by appending "sms" to your password; please note that SMS is considered less secure than other methods using OTPasswords, and may be disallowed in the future.

password,sms      e.g., Licenser&6wiretapper,sms

Telephone call-back for second factor

password,phone#          e.g., BestialiZed^7picovolts,phone

will trigger a telephone call to the number that has been enrolled and attached to your Duo account; you will be asked to touch a key on the telephone key pad to complete authentication. If you have multiple phone numbers enrolled and attached to your Duo account, you can specify which to use by typing "phone1" or "phone2".

You can enroll telephone numbers in your Duo account if you are enrolled for use of Duo for SSO (see for Duo enrollment instructions).

YubiKey for VPN 2nd factor

If registered with Dou as described above, you can use the YubiKey to send the second factor passcode:

In the password field type your password followed by comma then touch your key*; that is,


then touch your key, which enters a one-time passcode.