MFA Duo - WebAuthn Security Key Update

This document outlines the steps to follow for the Duo U2F security update.

Users with a U2F token will be prompted with these steps to upgrade their device when Duo activates WebAuthn for tokens:

  1. Log in as usual using Duo. Steps for doing so can be found in MFA-Duo - Logging in with Multi-factor Authentication.
    • Duo Login with USB or fob
  2. You'll be prompted to update your security key. Click continue to update.
    • Let's update your security key prompt
  3. A pop-up window will appear to update the key. This process looks slightly different between Mac and Windows computers. 
    • macOS: 
      1. First, insert your security key and tap it.
        • macOS touch USB key prompt
      2. Press Allow to finish the security update. Note regarding accessibility: If you are navigating via keyboard, press the 'enter' key to complete this step, or press the 'esc' key to exit the process.
        • Allow security key prompt
    • Windows:
      1. Click OK to start the setup. Note regarding accessibility: If you are navigating via keyboard, press the 'enter' key to complete this step, or press the 'esc' key to exit the process.
        • Setup security key OK prompt
      2. Click OK to continue the update. Note regarding accessibility: If you are navigating via keyboard, press the 'enter' key to complete this step, or press the 'esc' key to exit the process.
        • Continue setup okay prompt
      3. Touch your security key to finish the update.
        • Windows touch security key USB
  4. The update should now be finished, and you will be returned to the main screen listing your Duo devices. Click Continue to Login to finish signing in with Duo. Note regarding accessibility: There is a known bug in which a delete device message is read aloud by screen readers when viewing this Duo devices screen. Please see the Screen Reader Delete Device Bug section for more information.
    • Duo Device summary and continue to login button

For more information on Duo WebAuthn, please see this Duo support page: https://help.duo.com/s/article/6463?language=en_US

Screen Reader Delete Device Bug

The screen reader seems to read the pop-up text for the delete device message when the Manage MFA Settings & Devices view in the Duo Web App first loads, even though the user isn’t attempting to delete anything. It reads "Are you sure you want to remove this device? This action cannot be undone." This is particularly alarming during the new device registration process or when the user updates their U2F security key to WebAuthn. However, this bug is safe to ignore: there is no prompt to remove a device, despite what the screen reader says. To safely read the cancel option, press Tab to read the name of the button before cancelling the pop-up. The message is only read aloud when multiple devices exist.

Duo device settings page

Alarming message seems to be reading delete popup text:

accidental warning titled Are you sure you want to remove this device?