Before a user may use a Duo-supported device to authenticate, they must enroll the device either through the Duo IFrame presented in the Identity Claim, Kiosk, or login pages, or through Fischer's Self-Service portal under the My Profile ► Manage Security sub tab.
Enrolling the First Device During Identity Claim
First-time users may activate their Duo devices during the Identity Claim process if they qualify for the mandatory secondary authentication rule.
*Note: If a user has already claimed their account and now qualifies for Duo as a mandatory second factor, they may still enroll at login time once they have entered their first factor. In this scenario, the user will not be able to sign into the Self-Service portal or third-party applications that rely on Fischer's identity provider (IdP) for authentication until they have enrolled at least one device.
After starting the enrollment process, the user must select the type of device they wish to activate. The IFrame supports the enrollment of the following devices based on the configurations on the Duo Admin Server: Mobile Phone, Tablet, Landline, Security Key (U2F).
In addition to the options supported by the IFrame, the user may also click on the Activate Hardware Token button to use a physical Hardware One Time Pin (HOTP) token instead. Please see the Enrolling a Hardware Token section for more details.
Enroll Mobile Phone
When enrolling a mobile phone device, the user should enter the phone number of the device.
*Note: If a device with the same phone number exists in the Duo Server, then the IFrame may change its behavior accordingly. For example, if the phone number entered matches an existing landline device, then the process will continue to the landline validation phase instead. If the phone was added as a landline in error, then the device must be removed from the Duo Server by an administrator before it can be added as a mobile phone device.
Duo will prompt the user to enter the make of the device.
If the user selected any option other than Other in the previous phase, then they will be prompted to install the Duo Mobile app on their smart phone. The Duo Mobile app is available in both the Google Play Store and the Apple Store.
Once the user has installed the Duo Mobile application on their phone, they must scan the QR code presented in the final phase of enrollment to link their device with their Duo Security account.
Enroll Tablet Device
Similar to mobile phone enrollment, users will be prompted to enter the operating system of their tablet.
If the user selected any of the options from the previous phase, then they will be prompted to install the Duo Mobile app on their smart phone. The Duo Mobile app is available in both the Google Play Store and the Apple Store.
Once the user has installed the Duo Mobile application on their phone, they must scan the QR code presented in the final phase of enrollment to link their device with their Duo Security account.
Enroll Landline
Users that do not have a smart phone or tablet may enroll a simple landline device. This gives them the option to authenticate by having Duo call the device and then pressing any key. During the enrollment phase the only input field required is the phone number.
*Note: It is possible to enroll a smart phone as a landline device. If the smart phone is enrolled as a landline device, it will not be able to authenticate with the passcode or push notification options.
Once the user has entered their phone number, Duo will issue a call to validate that the user is in possession of the phone.
Enrolling Additional Devices
End users may manage their linked devices as well as add additional devices for Duo authentication under the My Profile ► Manage Security sub tab. As shown below, the sub tab will list all phone devices (Mobile Phone, Tablet, and Landline) as well as all security devices (Hardware Tokens, U2F tokens) linked to the user.
End users will have the option of removing Duo devices as well as enrolling new devices or hardware tokens. If the user wishes to add a new device they will be presented with the following popup:
Please refer to the following sections for the prompts that users will receive:
- Mobile Phone: Enroll Mobile Phone
- Tablet: Enroll Tablet Device
- Landline: Enroll Landline
- Hardware Token: Enrolling a Hardware Token
Enrolling a Hardware Token
When a user has elected to add a hardware token they are prompted to select one of the following hardware token types:
- 6 Digit Token: Generic Hardware token that produces a six digit pin on screen
- 8 Digit Token: Generic Hardware token that produces an eight digit pin on screen
- Yubikey AES Token: Yubikey branded token that supports one time pin (OTP)
- Duo D100 Tokens: Duo branded HOTP tokens
The user is prompted for the serial number of the hardware token. The serial number can generally be found on the back of the hardware token.
*Note: If the hardware token with the entered serial number and type combination has already been registered in the Duo Server, then the token will be automatically assigned to the user at the end of this step. Duo D100 tokens will also end at this step, as they can only be registered to the server at the time of purchase.
For six and eight digit HOTP tokens that have yet to be registered to the Duo Server, the end user can register the token by entering the secret key stored in the device. The counter field is used to synchronize non-time-based HOTP tokens that have already been used in the past. It is okay to not know the exact counter number, as the token can later be synchronized in the Manage Security tab by either the end user or a help desk user with the appropriate permissions.
*Note: In some cases the secret key may not be provided with the hardware token at the time of purchase. It is up to the seller to provide that information, and the user may have to ask the manufacturer for the key.
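The relationship between the secret key, the counter field and later synchronization can be seen in the sketch below, which is an added example and not Fischer or Duo code. It computes RFC 4226 HOTP values for six and eight digit tokens and recovers an unknown counter from consecutive token presses; the two-code requirement, the look-ahead window of 50 and the function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter, as a zero-padded string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def resync(secret, stored_counter, codes, digits=6, window=50):
    """Locate the counter at which consecutive token presses match.

    Returns the next counter the server should expect, or None when no
    match exists within `window` steps ahead of `stored_counter`.
    Requiring at least two consecutive codes (an assumption of this
    sketch) keeps a single guessed code from moving the counter.
    """
    if len(codes) < 2:
        raise ValueError("need at least two consecutive codes")
    for start in range(stored_counter, stored_counter + window + 1):
        expected = [hotp(secret, start + i, digits) for i in range(len(codes))]
        # Constant-time comparison of each expected/submitted pair.
        if all(hmac.compare_digest(e, c) for e, c in zip(expected, codes)):
            return start + len(codes)
    return None


# Constructed sample input: the RFC 4226 test secret, never a real token key.
SECRET = b"12345678901234567890"


def demo():
    """Token was pressed 7 times before enrollment; server starts at 0."""
    token_counter = 7
    presses = [hotp(SECRET, token_counter + i) for i in range(2)]
    return resync(SECRET, 0, presses)


if __name__ == "__main__":
    print("6-digit code at counter 0:", hotp(SECRET, 0, 6))
    print("8-digit code at counter 0:", hotp(SECRET, 0, 8))
    print("server counter after resync:", demo())
```

A token whose real counter is further ahead than the window cannot be recovered this way, which is why entering an approximate counter at enrollment still helps.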
For YubiKey AES Tokens, the next step will prompt for the YubiKey's stored private ID and AES key. These can be generated by utilizing the YubiKey Personalization Tool as shown below.
*Note: YubiKeys have two separate configuration slots to allow the same token to have two additional authentication factors other than its default U2F factor. When authenticating, the first configuration slot is used when the user holds their finger over the key for about 0.3 seconds to two seconds. If the user holds their finger over the token longer than two seconds, then the second configuration slot is used for authenticating.
The user should enter the private ID and secret key that were generated by the YubiKey Personalization Tool into the fields below. Each value should be added with the spaces between the hex values removed.
Enrolling a U2F Token
When enrolling a security key for U2F authentication, the Duo IFrame will prompt the user to allow a popup to be displayed.
After the user clicks the Continue button, the popup will present instructions to insert their U2F token into a USB slot and simply tap the key to complete enrollment.
*Note: Currently U2F tokens can only be enrolled with the use of the Duo IFrame.