MFA Duo - WebAuthn Security Key Update
This document outlines the steps to follow for the Duo U2F security update.
Users with a U2F token will be prompted with these steps to upgrade their device when Duo activates WebAuthn for tokens:
A pop-up window will appear to update the key. This process looks slightly different between Mac and Windows computers.
- Log in as usual using Duo. Steps for doing so can be found in MFA-Duo - Logging in with Multi-factor Authentication.
- You'll be prompted to update your security key. Click Continue to update.
The update should now be finished, and you should be returned to your main screen listing your Duo devices. Click Continue to Login to finish signing in with Duo. Note regarding accessibility: There is a known bug regarding a delete device message appearing on screen readers when viewing this Duo devices screen. Please see the Screen Reader Delete Device Bug section for more information.
- First, insert your security key and tap it.
- Press Allow to finish the security update. Note regarding accessibility: If you are navigating via keyboard, press the 'enter' key to complete this step, or press the 'esc' key to exit the process.
- Click OK to start the setup. Note regarding accessibility: If you are navigating via keyboard, press the 'enter' key to complete this step, or press the 'esc' key to exit the process.
- Click OK to continue the update. Note regarding accessibility: If you are navigating via keyboard, press the 'enter' key to complete this step, or press the 'esc' key to exit the process.
- Touch your security key to finish the update.
For more information on Duo WebAuthn, please see this Duo support page: https://help.duo.com/s/article/6463?language=en_US
Screen Reader Delete Device Bug
The screen reader seems to read the popup language for the delete device message when the Manage MFA Settings & Devices view in the Duo Web App screen first loads, even though the user isn’t attempting to delete anything. It reads "Are you sure you want to remove this device? This action cannot be undone." when the page first loads. This is particularly alarming as part of the new device registration process or when the user updates their U2F security key to WebAuthn. However, this bug is safe to ignore: there is no prompt to remove a device, despite what the screen reader says. To safely read the cancel option, hit tab to read the name of the button before cancelling the pop-up. The screen reader only reads this message when multiple devices exist.
Alarming message seems to be reading delete popup text: