Docs

Guides

Blog

Tools

Using Token2 FIDO2 Security Keys with Cisco DUO

Cisco Duo Logo Cisco Duo (often referred to simply as Duo Security) is a multi-factor authentication (MFA) and zero trust security solution owned by Cisco. It helps secure access to applications and systems by requiring users to verify their identity using two or more factors before being granted access.

Typical Duo Use Cases

  • VPN access (e.g., requiring a push notification approval on your phone)
  • Login to cloud apps (Google Workspace, Microsoft 365, Salesforce, etc.)
  • Remote desktop or server login
  • Securing internal applications

Duo Services support TOTP, HOTP, and WebAuthn methods for two-factor authentication (2FA). TOTP is supported through our programmable TOTP tokens with unrestricted time synchronization. A provisioning guide is available to assist with setup.

In addition to programmable TOTP tokens, Token2 FIDO2 security keys with HOTP functionality can be used for the HOTP method. When the button on the key is pressed or touched, the OTP digits are automatically entered via the HID USB interface.

Recently, Duo has added support for the WebAuthn authentication method, enabling secure, phishing-resistant login approvals. In this guide, we will walk through the steps required to configure Token2 security keys as a WebAuthn method for two-step verification.

Requirements

  • Access to the Duo Admin Dashboard.
  • Admin access to enable security keys (not required if security keys are already enabled).
  • A modern browser supporting security keys.
  • A Token2 security key.

Enrolling a Security Key

You can register your security key during the initial self-enrollment process. If you've already enrolled in Duo using a different device (such as your mobile phone), you can add your security key later through the device management portal.

  1. To complete initial enrollment with a security key, access the Duo Admin Portal and navigate to Users > User Settings. In the Device Enrollment section, click on Send Email.
    Duo Admin Portal - Send Email
  2. Access the Duo enrollment page using the link sent to you by your administrator, then click Get Started.
    Duo Enrollment - Get Started
  3. Select Security Key from the list of available devices, then click Continue.
    Duo Enrollment - Select Security Key
  4. The Security Key enrollment wizard will appear. Click OK to begin.
    Duo Enrollment - Security Key Wizard
  5. Duo will begin detecting the security key. Insert the key and click OK.
    Duo Enrollment - Insert Security Key
  6. Depending on your security key model, you may need to tap, insert, or press a button on the device to continue.
    Duo Enrollment - Activate Security Key
  7. Click OK to complete the enrollment wizard.
    Duo Enrollment - Complete Wizard
  8. You can now use this security key with Duo for authentication.
    Duo Enrollment - Success

Authenticating with a Security Key

The next time you log in using Duo, the Security Key method will appear first.
Duo Login - Security Key Method

Press a button on your device to proceed, and you will successfully log in.
Duo Login - Success

updated: 21/09/2025 15:13

Cisco Duo Guides