MFA Duo - WebAuthn Security Key Update
This document outlines the steps to follow for the Duo U2F security update.
Users with a U2F token will be prompted with these steps to upgrade their device when Duo activates WebAuthn for tokens:
- Log in as usual using Duo. Steps for doing so can be found in MFA-Duo - Logging in with Multi-factor Authentication.
- You'll be prompted to update your security key. Click continue to update.
- macOS:
  - First, insert your security key and tap it.
  - Press Allow to finish the security update. Note regarding accessibility: If you are navigating via keyboard, press the 'enter' key to complete this step, or press the 'esc' key to exit the process.
- Windows:
  - Click OK to start the setup. Note regarding accessibility: If you are navigating via keyboard, press the 'enter' key to complete this step, or press the 'esc' key to exit the process.
  - Click OK to continue the update. Note regarding accessibility: If you are navigating via keyboard, press the 'enter' key to complete this step, or press the 'esc' key to exit the process.
  - Touch your security key to finish the update.
For more information on Duo WebAuthn, please see this Duo support page: https://help.duo.com/s/article/6463?language=en_US
Screen Reader Delete Device Bug
When the Manage MFA Settings & Devices view in the Duo Web App first loads, the screen reader seems to read the popup text for the delete device message, even though the user isn't attempting to delete anything. It reads "Are you sure you want to remove this device? This action cannot be undone." This is particularly alarming during the new device registration process or when the user updates their U2F security key to WebAuthn. However, this bug is safe to ignore: there is no prompt to remove a device, despite what the screen reader says. To safely read the cancel option, press Tab to read the name of the button before cancelling the pop-up. The screen reader only reads this message when multiple devices exist.
Alarming message seems to be reading delete popup text: