Cheap 2FA Hardware Tokens for DUO

I have tested some cheap Multi-Factor Authentication hardware tokens with DUO security. Duo is easy to set up with Microsoft RdWeb remote desktop gateway.

These are the tokens I tested, $15 ca each, made out of metal so they're nice and sturdy to attach to your keychain.
https://www.amazon.ca/gp/product/B07T7SPMJB/ref=ox_sc_act_title_1?smid=A2IPV56ZW8WL51&psc=1

The software to initialize the tokens is here
https://www.hypersecu.com/downloads
HyperFIDO Pro HOTP Seed Generator (Ver. 1.0) 
(the 2nd download is for Titanium tokens)
I ran the software through VirusTotal and it didn’t set off alarms.

Decompress the download and run the software as administrator.

Before you plug the hardware token in, type the serial #, written on the side of the token, into the “Key Serial Number” box.
Plug the hardware token into a USB port (Duh); it should get detected in the top window pane.
If you click “Check Key”, the program will verify the token is writeable.
Now click “Generate Seed”.
With the token plugged in, click the “Program” button.
You will need to push the button on the token or programming will fail.

Copy the Key Serial # and the Seed and paste them somewhere safe… like a LastPass encrypted note. You did set up LastPass, right? The seed is the secret the passcodes are generated from, so anyone who has it can produce the token's codes.

Sign into your DUO cloud admin panel and go to 2FA Devices, Hardware Tokens.
Click Import Hardware Tokens.

In the “CSV token data” box enter your token serial#, a comma, and the generated key. You can do this for a dozen tokens at once. Hit the “Import Hardware Tokens” button

We can now click on the Token serial number and link the token to a user

Verify that your Global Policy (or sub policy if you have one) has Hardware tokens enabled

Now to test

When we log on to the RdWeb server we are first asked to pick a device if the user has multiple auth methods. We will pick Token from the drop-down.

We need to click “Enter a Passcode”
Click in the text box so the cursor is in the right place (ex. 867539)

The token is like a keyboard with 1 key, so the cursor needs to be in the text box, ready to receive the text.

Push the button on the token and it should fill the text box with 6 digits

and finally click “Log In” to proceed to RdWeb.
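
How the 6 digits typed by the token relate to the seed imported earlier, as an added Python example (not from the original post and not HyperSecu's or Duo's code): it builds the "serial,key" import line and computes the passcodes a token should emit, so a recorded seed can be checked against a real button press. Assumptions: the seed is a hex string, the token follows standard HOTP (RFC 4226) with a counter starting at 0, and the look-ahead window of 20 is illustrative rather than Duo's actual setting; the serial and seed are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample values: the RFC 4226 Appendix D test key in hex and a made-up serial.
SAMPLE_SERIAL = "0000000001"
SAMPLE_SEED_HEX = "3132333435363738393031323334353637383930"

def hotp(seed_hex: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    key = bytes.fromhex(seed_hex)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks the 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def csv_line(serial: str, seed_hex: str) -> str:
    """Build one 'serial,key' import line, rejecting values that would corrupt it."""
    serial = serial.strip()
    if not serial or "," in serial:
        raise ValueError("serial must be non-empty and must not contain a comma")
    key = bytes.fromhex(seed_hex.strip())  # ValueError if the seed is not hex
    if len(key) < 16:
        raise ValueError("seed shorter than the 128-bit minimum in RFC 4226")
    return f"{serial},{key.hex()}"

def find_counter(seed_hex: str, passcode: str, start: int, window: int = 20):
    """Return the counter in [start, start+window) that yields passcode, else None."""
    for counter in range(start, start + window):
        if hmac.compare_digest(hotp(seed_hex, counter), passcode):
            return counter
    return None

if __name__ == "__main__":
    print(csv_line(SAMPLE_SERIAL, SAMPLE_SEED_HEX))
    # First three button presses of a freshly programmed token with this seed.
    print([hotp(SAMPLE_SEED_HEX, c) for c in range(3)])
    # Three presses were wasted outside the passcode box; the fourth is submitted.
    print(find_counter(SAMPLE_SEED_HEX, hotp(SAMPLE_SEED_HEX, 3), start=0))
```

Every button press advances the token's counter whether or not the digits land in the passcode box, which is why a verifier searches a window of counters ahead of the last one it accepted.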

There is info on how to set these up with M$ Exchange Online, but I haven’t tested this yet. https://www.hypersecu.com/fido2-microsoft

A list of services that work with FIDO U2F: https://www.dongleauth.info/#software

Update: I've been using this for a few months now. Works well with Microsoft Azure/WhateverTheyCallItThisMonth. If you are plugging+unplugging the device every day it does ask for a PIN # 1/day.

sduncan