Security Keys

Overview

A security key is a physical device that you can use to sign in to your accounts instead of a username and password. You can use a security key with your computer, phone, or other devices. Security keys function using USB-provided power without needing an internal battery. 

Employees and affiliates 

We recommend moving to the Duo Mobile app, which is the easiest way to do the CalNet 2-Step. If you do not have a smartphone (to use the Duo Mobile app), you may request a free YubiKey NFC Security Key to comply with security enhancements. To request a key, email calnet2-stephelp@berkeley.edu.

If you lose your campus-provided security key or prefer to purchase your own, any key labeled as “FIDO2 compatible” should work with CalNet 2-Step. When placing your order, make sure you get one that fits your computer's port, either USB-A or USB-C.

Keys we recommend:

Students

We recommend moving to the Duo Mobile app, which is the easiest way to do the CalNet 2-Step. If you do not have a smartphone (to use the Duo Mobile app), you may request a free HOTP Simple Hardware Token to use as an MFA (CalNet 2-Step) device. If you wish to purchase your own security key, we recommend upgrading to one of the FIDO2-compatible keys recommended above.


Enrolling Your Security Key

You must already have enrolled at least one device (smartphone, tablet or basic cell phone) in order to register a security key.

  • Log in to mycalnet.berkeley.edu using your CalNet ID and passphrase, and, if prompted, complete a 2-Step verification.
  • Click on Manage 2-Step Verification.
  • Click on Duo Device Manager.
  • Log in again using your CalNet ID and passphrase.
  • Complete a 2-Step verification.
  • Once authenticated, you will be directed to the Duo Device Management Portal. Your existing devices will be listed.
  • To register your key, select Add a Device.
  • Select Security key from the Select an option screen:

[Screenshot: devices you can add to your 2-Step account]

  • Select Continue.
  • When prompted, insert your key into your computer and touch it. Ignore the screen that pops up prompting you to scan a QR code. Touching the security key is what will add the key to your Duo account.
  • When complete, click the Complete button.

Enrollment Completed!

Congratulations! You have successfully enrolled your security key. 


Advanced Use Case -- YubiKey AES and OAUTH

Advanced users may wish to enroll a YubiKey using AES or as an OAUTH device. These are not required to use CalNet 2-Step Verification, but they let you leverage features of YubiKeys for specific departmental Duo integrations. Find out more at Advanced YubiKey Setup.