Hello Nexthinker, what can we do for you?
  1. Nexthink Help Center
  2. Security
  3. Handbooks

Which authentication method to choose in Duo?

Avatar
by Francois Miquel
Follow

Introduction

While aiming at reducing the usage of password, we are introducing passkeys at Nexthink.

Passkeys are a simple, secure and convenient way to authenticate. 

More detail here: https://www.passkeys.com/what-are-passkeys 

Up-to-date and a compatible browser

First, check the compatibility of your browser: https://guide.duo.com/universal-prompt#supported-browsers 

Then, make sure you browser is up-to-date.

Configuring passkeys

Multi platform / browser

Using 1Password

The article below will help you to add a 1Password passkey to Duo. The only disadvantage is the requirement to have the 1Password browser extension.

How to add 1Password as a factor (passkey) in Duo

Using a Yubikey

If you have been provided with a Yubikey, you can use it to configure a passkey. Make sure the Yubikey is PIN enabled for FIDO2 operations.

https://guide.duo.com/universal-enrollment#add-security-key 

Windows - Windows Hello for Business

As described in this article, you can use Windows Hello for Business to create a passkey and authenticate. This is the preferred way on Windows as this method is supported on any Windows authentication flow.

https://guide.duo.com/universal-enrollment#add-windows-hello

We also recommend configuring fingerprint unlock on Windows Hello for Business: 

https://support.microsoft.com/en-us/windows/configure-windows-hello-dae28983-8242-bb2a-d3d1-87c9d265a5f0 

 

macOS - Touch ID

If Touch ID is configured (see https://support.apple.com/guide/mac-help/use-touch-id-mchl16fbf90a/mac

You can configure Touch ID on your macOS to authenticate via a passkey.

If you have your personal iCloud configured on your professional computer, 

DO NOT enroll a passkey via Touch ID.

The passkey will be synced on your personal iCloud account and will be available on any device having access to your account. 

Also, any compromise of your account will make the passkey available to the attacker.

https://guide.duo.com/universal-enrollment#add-touch-id 

 

FAQ

Which passkey should I use?

The simpler solution is to have only one passkey, but you can combine all the options below for convenience.

No professional mobile phone

  • You have a Yubikey:
    Use the Yubikey as a passkey. 
  • You are using multiple Operating Systems:
    We recommend using 1Password.
  • You are only using a Windows:
    Since you do everything on your Windows, the best option is: Windows Hello for Business
  • You are only using a macOS:
    If you have a personal iCloud account, we recommend using 1Password.
    If you do not have a personal iCloud account, we recommend using Touch ID.

Using a mobile phone

  • You are using both a laptop and a professional mobile:
    We recommend to use 1Password on both devices.
  • You want to use a personal mobile:
    We do not support personal mobile, please refer to your Operating system option.