Using Token2 TOTP hardware tokens and Security Keys with DUO
Duo (recently acquired by Cisco) is a provider of unified access security and multi-factor authentication delivered through the cloud. Its services can be used with HOTP and TOTP hardware tokens. Because no automatic resync mechanism is available, Duo recommends using HOTP; it supports TOTP as a protocol, but without time drift adjustment.
TOTP token drift and resynchronization are not supported. As a result, imported TOTP tokens may not work for authentication with Duo Security, or may fail to work for authentication after a variable period of time.
While HOTP hardware tokens are recommended by Duo, they can still become out of sync and may need to be manually resynced.
Tokens can get "out of sync" if the button is pressed too many times in a row and the generated passcodes aren't used for login. Contact your administrator if your token stops working.
To avoid the issues above, you can use our programmable tokens with unrestricted time sync. With this type of token, users can perform the re-sync operations themselves, without involving the service administrators. The hardware clock can be synced over NFC using the TOKEN2 NFC Burner applications, available for Android and Windows platforms.
Refer to this article for instructions on how to import TOTP hardware tokens to your DUO account. You can also convert your existing seeds in base32 format (i.e. the Azure MFA compatible CSV files) to Duo compatible format (with seeds in hex) using this PowerShell script.
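A minimal version of that base32-to-hex conversion in Python, added here as an illustration (it is not Token2's PowerShell script). The CSV column names, the sample rows and the `serial,hex seed,time step` output layout are assumptions; check them against your own export and Duo's import documentation.

```python
import base64, binascii, csv, hashlib, hmac, io, struct

def base32_to_hex(seed_b32):
    """Normalise a base32 seed (whitespace, lowercase, missing padding) and return hex."""
    cleaned = "".join((seed_b32 or "").split()).upper().rstrip("=")
    if not cleaned:
        raise ValueError("empty seed")
    padded = cleaned + "=" * (-len(cleaned) % 8)  # b32decode requires full 8-char blocks
    try:
        return base64.b32decode(padded).hex()
    except binascii.Error as exc:
        raise ValueError(f"not valid base32: {exc}") from None

def totp(seed_hex, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), used to confirm a converted seed still matches the token."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(bytes.fromhex(seed_hex), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def convert_csv(source_csv):
    """Return (rows, errors); rows are (serial, hex seed, time step) tuples."""
    rows, errors = [], []
    reader = csv.DictReader(io.StringIO(source_csv))
    for line_no, rec in enumerate(reader, start=2):  # line 1 is the header
        try:
            serial = rec["serial number"].strip()
            rows.append((serial, base32_to_hex(rec["secret key"]), int(rec["time interval"])))
        except (KeyError, ValueError, TypeError, AttributeError) as exc:
            errors.append((line_no, str(exc)))  # skip bad rows, keep going
    return rows, errors

# Constructed sample input: the column names are assumed, and the first seed is
# the RFC 6238 test key "12345678901234567890", not a real token secret.
SAMPLE = """upn,serial number,secret key,time interval,manufacturer,model
alice@example.com,1000001,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30,Token2,demo
bob@example.com,1000002,gezd gnbv gy3t qojq,30,Token2,demo
carol@example.com,1000003,NOT-BASE32-0189,30,Token2,demo
"""

if __name__ == "__main__":
    rows, errors = convert_csv(SAMPLE)
    for serial, seed_hex, step in rows:
        print(f"{serial},{seed_hex},{step}")
    for line_no, message in errors:
        print(f"line {line_no}: skipped ({message})")
```

The converted file holds every token's shared secret in the clear, so store and delete it with the same care as the original CSV.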
In addition to programmable TOTP tokens, Token2 FIDO2 Keys with HOTP support can also be used. If the HOTP method is enabled on the device, the OTP digits are sent automatically via the USB HID interface when the button on the key is pressed or touched.