Using Token2 TOTP hardware tokens and Security Keys with DUO




Duo (recently acquired by Cisco) is a provider of unified access security and multi-factor authentication delivered through the cloud. Its services can be used with HOTP and TOTP hardware tokens. Because no automatic resync mechanism is available, Duo recommends using HOTP, although it supports TOTP as a protocol, without time drift adjustment.

TOTP token drift and resynchronization are not supported by Duo. As a result, classic TOTP tokens may not work for authentication with Duo Security, or may fail to work for authentication after a variable period of time. Therefore, programmable tokens with unrestricted time sync are recommended.

While HOTP hardware tokens are recommended by Duo, they can still fall out of sync and may need to be manually resynced.

Tokens can get "out of sync" if the button is pressed too many times in a row and the generated passcodes aren't used for login. Contact your administrator if your token stops working.
To avoid the issues above, you can use our programmable tokens with unrestricted time sync. With this type of token, users can perform the re-sync operations themselves, without involving the service administrators. The hardware clock sync can be done over NFC using the TOKEN2 NFC Burner applications, available for Android and Windows platforms.

Refer to this article for instructions on how to import TOTP hardware tokens to your DUO account. You can also convert your existing seeds in base32 format (i.e. the Azure MFA compatible CSV files) to Duo compatible format (with seeds in hex) using this PowerShell script.

A brief guide on importing Token2 TOTP hardware tokens is given below.


Importing TOTP Hardware Tokens to DUO

Role required: Owner, Administrator, User Manager, or Help Desk.

Duo works with one-time password (OTP) hardware tokens, but as full support for TOTP token drift and TOTP resync is not available, devices with unrestricted time sync are recommended. Admins need to manually import third-party OTP token information into Duo. When importing tokens, keep in mind that tokens should be unique between Duo customer accounts.


To import Token2 TOTP tokens into Duo:

  • Retrieve the factory-set seed information in HEX format. The procedure is described here. Alternatively, you can generate your own TOTP secrets.
  • Log in to the Duo Admin Panel and click 2FA Devices in the left sidebar, then click Hardware Tokens in the submenu.
  • Click the Import Hardware Tokens button.

  • Select the type of token (TOTP) to import from the drop-down menu, and then paste in the token information in CSV format. This information is provided by the hardware token manufacturer or vendor. The token serial number cannot exceed 128 characters. The token secret key should be in hexadecimal format. Do not include any spaces. Click Import Hardware Tokens when finished entering the token information.
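The base32-to-hex conversion and the import constraints above (serial of at most 128 characters, hex secret, no spaces) can be checked before pasting anything into the Admin Panel. The following Python sketch is an added example, not Token2's PowerShell script or Duo's code; the input header (Azure MFA CSV layout), the "serial,secret" output layout and the sample rows are assumptions and constructed values.

```python
import base64
import csv
import io

MAX_SERIAL_LEN = 128  # limit stated in the import step above

# Constructed sample; the header follows the Azure MFA CSV layout (assumed here).
SAMPLE = """\
upn,serial number,secret key,time interval,manufacturer,model
user1@example.com,T2-0001,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30,Token2,sample
user2@example.com,T2-0002,jbsw y3dp ehpk 3pxp,30,Token2,sample
user3@example.com,T2-0003,0189,30,Token2,sample
"""

def base32_to_hex(seed_b32: str) -> str:
    """Decode a base32 seed to lowercase hex; tolerates spaces, case, missing '='."""
    cleaned = seed_b32.replace(" ", "").upper().rstrip("=")
    if not cleaned:
        raise ValueError("empty seed")
    padded = cleaned + "=" * (-len(cleaned) % 8)
    return base64.b32decode(padded).hex()  # raises ValueError on non-base32 input

def to_duo_rows(azure_csv: str):
    """Return (rows, errors); rows are 'serial,hexseed', errors are (line, reason)."""
    rows, errors, seen = [], [], set()
    for line_no, rec in enumerate(csv.DictReader(io.StringIO(azure_csv)), start=2):
        serial = (rec.get("serial number") or "").strip()
        try:
            if not serial or len(serial) > MAX_SERIAL_LEN:
                raise ValueError("serial missing or longer than 128 characters")
            if serial in seen:
                raise ValueError("duplicate serial")
            seed_hex = base32_to_hex(rec.get("secret key") or "")
        except ValueError as exc:
            errors.append((line_no, str(exc)))
            continue
        seen.add(serial)
        rows.append(f"{serial},{seed_hex}")
    return rows, errors

if __name__ == "__main__":
    rows, errors = to_duo_rows(SAMPLE)
    print("\n".join(rows))
    for line_no, reason in errors:
        print(f"line {line_no}: skipped ({reason})")
```

The output holds the tokens' shared secrets in clear text, so handle it as credential material and delete it once the import is confirmed.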




Once completed, the tokens are immediately imported and listed in the "Hardware Tokens" table.




Assigning a Hardware Token to an End User

Role required: Owner, Administrator, User Manager, or Help Desk.


To assign an OTP token to an end user:

Click Users in the left sidebar. Select a user by clicking their username. Scroll down to the "Hardware Tokens" table on the user's properties page and then click the Add Hardware Token button.

Click the drop-down menu to see a list of available tokens. You can also search for a token by typing in the serial number. Click a token to select it, and then click Attach.


The user's properties page now lists the newly added token.


OTP Tokens can also be associated with users from the token's properties page. A hardware token may be assigned to multiple end users, and a given Duo user can be associated with up to 100 tokens.




HOTP Devices

In addition to programmable TOTP tokens, Token2 FIDO2 Keys with HOTP support can also be used. If the HOTP method is enabled on the device, the OTP digits will be sent automatically via the USB HID interface when the button on the key is pressed/touched.




FAQ

Q: Do hardware tokens need to be synced?


A:
Yes, synchronization of hardware tokens is essential for both HOTP (HMAC-based One-Time Password) and TOTP (Time-Based One-Time Password) methods. Hardware tokens generate one-time passcodes, and synchronization ensures that the generated passcodes align correctly with the authentication server.

For HOTP tokens, the need for resynchronization can be somewhat unpredictable. This is because HOTP tokens generate passcodes based on a counter, and the frequency of resyncing depends on how many times the token's button has been pressed. It's important to keep an eye on the usage and consider resyncing when necessary.

For TOTP tokens, synchronization is influenced by time drift. As these tokens generate passcodes based on the current time, any deviation in the device's timekeeping can lead to passcode discrepancies. However, the need for TOTP token resynchronization is generally less frequent compared to HOTP tokens. Typically, TOTP tokens might require resyncing after a span of 2 to 3 years due to the gradual time drift.
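Both failure modes described in this answer can be reproduced with the RFC 4226 / RFC 6238 algorithms. The Python sketch below is an added example, not Duo's or Token2's code: the two verifiers are hypothetical, the window and look-ahead sizes are assumptions, and the seed is the public RFC test seed rather than a real token secret.

```python
import hashlib
import hmac
import struct

SEED_HEX = "3132333435363738393031323334353637383930"  # RFC 4226 test seed, not a real token

def hotp(secret_hex: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(bytes.fromhex(secret_hex), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_hex: str, clock: int, step: int = 30) -> str:
    """RFC 6238: HOTP with the counter derived from the device clock."""
    return hotp(secret_hex, clock // step)

def verify_totp(secret_hex, code, server_time, window=1, step=30) -> bool:
    """Hypothetical verifier: fixed +/- window steps, never learns a per-token offset."""
    now = server_time // step
    return any(hmac.compare_digest(hotp(secret_hex, now + d), code)
               for d in range(-window, window + 1))

def verify_hotp(secret_hex, code, server_counter, look_ahead=10):
    """Hypothetical verifier: returns the new server counter, or None when out of sync."""
    for counter in range(server_counter, server_counter + look_ahead):
        if hmac.compare_digest(hotp(secret_hex, counter), code):
            return counter + 1
    return None

def tolerated_drifts(secret_hex, server_time, drifts, window=1):
    """Which token clock errors (in seconds) still yield an accepted code?"""
    return [d for d in drifts
            if verify_totp(secret_hex, totp(secret_hex, server_time + d), server_time, window)]

if __name__ == "__main__":
    # Server clock at 65 s (step 2); small times keep the steps on the RFC test vectors.
    print(tolerated_drifts(SEED_HEX, 65, [-40, 0, 20, 40, 120]))
    # Token at counter 3 after three unused button presses; server still at counter 0.
    print(verify_hotp(SEED_HEX, hotp(SEED_HEX, 3), 0, look_ahead=10))
    print(verify_hotp(SEED_HEX, hotp(SEED_HEX, 3), 0, look_ahead=3))
```

A token clock that drifts past the fixed window is rejected on every attempt until its clock is corrected, while an HOTP token recovers on its own as long as the unused presses stay inside the look-ahead range.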


Q: How can I resync TOTP hardware tokens?


A:
If you followed our recommendation and chose tokens with unrestricted time sync, you will use the config tool of the token (NFC Burner app, USB Config tool or similar depending on the token type). The screenshot below shows how this can be done using our NFC Burner app for Android (this app is designed to be used with our second generation single profile TOTP programmable tokens).


Choose "Profile configuration" from the menu, then make sure the "auto sync" checkbox is selected and click on "Apply Configuration".

Procedures for other platforms or tokens are slightly different, but in general, similar to above. For example, the same operation using the token2_config.py script (the Python version of the NFC Burner app) can be achieved by issuing the command below:

python3 token2_config.py --time 0   *
(* using a value of 0 for this argument will set the system clock to the current device time)