What are MFA / 2FA Security Keys?

Overview

Security keys, also called hardware tokens, are small, portable devices that can be used for Multi-Factor Authentication (MFA). If you don't have a device compatible with the Duo Mobile app, or do not want to use a personal device for MFA, you can use a security key purchased from the Webstore instead. Security keys also do not depend on connectivity to the internet.

Important Note: Security keys currently DO NOT work with the UIC Virtual Private Network (VPN). Technology Solutions is actively working to enable compatibility.

Obtaining a Security Key

Security keys can be purchased by students, faculty, and staff via the University of Illinois WebStore, or via other vendors such as CDW or Amazon. While any staff or faculty member can purchase a security key, you may want to check with your manager or department lead on your unit's process for providing security keys to employees. Unit purchases are considered property of the University, and their use must comply with all appropriate policies.

Once registered, security keys can only be used with University resources.

Important info regarding security keys:

Individuals can also bring their own WebAuthn/FIDO2 compatible security keys for authentication through the Duo Universal Prompt, with the following caveats, but we strongly recommend individuals set up a backup authentication method.

Security Key Options

There are currently four security key options recommended for use at the University of Illinois.

Important: These security keys currently do not work with the UIC Virtual Private Network (VPN).

| Model | Yubikey 5 NFC (USB-C) | Yubikey 5 NFC (USB-A) | Yubikey Nano (USB-C) | Yubikey Nano (USB-A) |
| --- | --- | --- | --- | --- |
| Requirements | Any computing device with a USB-C port | Any computing device with a USB-A port | Any computing device with a USB-C port | Any computing device with a USB-A port |
| Recommended For | Portable use on multiple devices; kept on keyring | Portable use on multiple devices; kept on keyring | Consistent use on a single device; left connected to device | Consistent use on a single device; left connected to device |
| Purchase Via | Webstore (Faculty / Staff / Students); CDWG (Faculty / Staff); Amazon (Faculty / Staff / Students) | Webstore (Faculty / Staff / Students); CDWG (Faculty / Staff); Amazon (Faculty / Staff / Students) | Webstore (Faculty / Staff / Students) - COMING SOON; CDWG (Faculty / Staff); Amazon (Faculty / Staff / Students) | Webstore (Faculty / Staff / Students) - COMING SOON; CDWG (Faculty / Staff); Amazon (Faculty / Staff / Students) |

Registering a Security Key

Registration must be completed via a Duo Universal Prompt, using your university login credentials.
  1. Navigate to outlook.uic.edu using an Incognito or Private Browsing window so that you will be prompted by Duo (otherwise you may be automatically signed in).
  2. Enter your university email address and password.
  3. When you see the Duo Universal Prompt, select Other options.

  4. Then select Manage devices.

  5. After authenticating, you will be in the device management portal.
  6. Select Add a device, then select Security key.

  7. Select Continue.
  8. Follow the prompts from your browser and operating system to add your security key.
  9. Plug in and touch your security key. If prompted, enter the PIN.
  10. Your device is ready for use, with the icon showing the security key.

Using a Security Key

When prompted during authentication, plug in and touch your security key to authenticate.


Additional Information

Forgotten Security Keys

If you forgot your security key and cannot log into a system requiring 2FA, obtain a temporary passcode.

Lost Security Key

If you lose your security key, you should immediately sign into the NetID Center using an alternate method or by generating a bypass code. Once in the NetID Center, click on "Manage my 2FA". Here, select the lost security key and click the red trash can icon to remove it. This way the key cannot be used by someone else to access your account. If you find the security key, you can follow the above steps again to register it to your account once more.

Reassigning a Security Key to Another Employee

Security keys can be reassigned for use by another employee. The new owner of the security key can register it to themselves by following the instructions listed above.

Security Key Issues

  1. If your Yubikey is not authenticating, make sure that CAPS LOCK is turned off and try again.
  2. If you continue to experience issues:
  • Please note: If purchased via the Webstore, faulty security keys will be replaced up to 6 months from the time of purchase. Contact the Webstore at webstore.illinois.edu/shop/contact.aspx and reference your purchase receipt number when requesting a replacement.