Overview
A security key is a physical device that you can use for 2-factor authentication. You can use a security key with your computer, phone, or other devices. Security keys function using USB-provided power without needing an internal battery. Already enrolled your security key? See how to use it, below.
Campus Departments
Campus departments and managers may purchase YubiKeys for their employees via YubiCo or Amazon. We recommend purchasing the YubiCo NFC Security Key. Be sure to purchase USB-A or USB-C as needed for your employee devices.
Employees and affiliates
We recommend installing the Duo Mobile app on your work and personal smartphones. The Duo Mobile app is secure and does not access information on your smartphone.
If you do not have a smartphone to use the Duo Mobile App, you may request a free YubiKey NFC Security Key for use with your campus-owned computer. To request a key, email calnet2-stephelp@berkeley.edu
If you lose your campus-provided security key or prefer to purchase your own, any key labeled as “FIDO2 compatible” should work with CalNet 2-Step. When placing your order, make sure you get one that will fit in your computer port, either a USB-A or USB-C.
Keys we recommend:
Students
We recommend moving to the Duo Mobile app - it’s the easiest way to do the CalNet 2-Step. If you do not have a smartphone (to use the Duo Mobile App), you may request a free HOTP Simple Hardware Token to use as an MFA (CalNet 2-Step) device. If you wish to purchase your own security key, you can find FIDO2-compatible keys recommended above.
Enrolling Your Security Key
- Log in to mycalnet.berkeley.edu using your CalNet ID and passphrase, and, if prompted, complete a 2-Step verification
- Click on Manage 2-Step Verification
- Click on Duo Device Manager
- Log in again using your CalNet ID and passphrase
- Complete a 2-Step verification
- Once authenticated, you will be directed to the Duo Device Management Portal. Your existing devices will be listed.
- To register your key, select Add a Device
- Select Security key from the Select an option screen:
- Select Continue
- When prompted, insert your key into your computer and touch it. Ignore the screen that pops up prompting you to scan a QR code. Touching the security key is what will add the key to your Duo account.
- When complete, click the Complete button.
Enrollment Completed!
Congratulations! You have successfully enrolled your security key.
Using your Security Key to 2-Step
- Log in to your CalNet account with your usual credentials
- You will then be prompted to complete a 2-Step using your security key.
- If you are not prompted to use your security key, click Other options and then select security key.
- A pop-up will appear saying "Use your security key with duosecurity.com. Insert your security key and touch it."
- Insert your security key into your device's USB port and tap the touch button
- Congratulations! You are now logged in.
- If you are using your security key with a mobile device, you may be prompted to enter a PIN
- Security keys have a default PIN of 123456
Advanced Use Case -- YubiKey AES and OAUTH
Advanced users may wish to enroll a YubiKey using AES or as an OAUTH device. These are not required to use CalNet 2-Step Verification, but advanced users may wish to leverage features of YubiKeys for specific departmental Duo integrations. Find out more at Advanced YubiKey Setup.