YubiKey
YubiKey Overview
- YubiKey is a hardware device for Duo multi-factor authentication.
- IMSS recommends model YubiKey 5 NFC for USB-A devices.
- IMSS recommends model YubiKey 5C NFC for USB-C devices.
- These models are recommended because they are capable of working in either passcode generator or security key modes. Other YubiKey models may only support one mode, limiting their versatility.
- For most cases, the security key mode will be sufficient and will offer a simpler setup. For certain situations, the passcode generator mode may be required.
YubiKey Security Key Mode
- The security key mode is a self-service option that does not require Help Desk support to set up.
- It only supports Duo for browser-based applications. It does not support Duo for command-line and Windows login.
Security Key Mode Setup Instructions
- Navigate to the Duo Device Management Portal and sign in using your Caltech account.
- Select Add a device, then select Security key and Continue.

- Follow the prompts on the screen to set up the YubiKey security key. If you are prompted to save a security key using a mobile device, select the option Use a different phone, tablet, or security key.
- When prompted to Insert and touch your security key, make sure the YubiKey device is inserted into your computer, then tap the button on the key. This step may look slightly different, depending on the web browser used.

Security Key Mode Authentication Instructions
- Log in to a Duo-protected service using your username and password.
- Duo will prompt you to Use your security key, or Insert your security key and touch it. If you do not see this prompt, Duo may have defaulted to a different authentication method. Click Other options and then Security key to manually select this option. If you do not see Security key in the list of options, you have not set up this method yet. Refer to the instructions above.

- Insert the YubiKey into a USB port in your computer if it is not connected already. When prompted to Use your security key, tap the button on the key.

YubiKey Passcode Mode
- Passcode mode requires a YubiKey device that supports OTP protocols (often described as multi-protocol devices), such as the YubiKey 5 Series devices.
- It must be initially set up by the IMSS Help Desk. This generally requires bringing the YubiKey device to the Help Desk in person.
- Supports Duo for browser-based applications as well as Duo for command-line and Windows login integrations.
Passcode Mode Setup Instructions
- The supported YubiKey model must be brought in to the Help Desk for initial setup.
Passcode Mode Authentication Instructions
- Log in to a Duo-protected service using your username and password.
- Duo will prompt you to Enter your passcode. If you do not see this prompt, Duo may have defaulted to a different authentication method. Click Other options and then YubiKey passcode to manually select this option. If you do not see YubiKey passcode in the list of options, you have not set up this method yet. Please contact the Help Desk for assistance, or use the instructions above to set up your YubiKey in Security Key mode.

- Insert the YubiKey into a USB port in your computer if it is not connected already. Make sure the Duo Enter your passcode prompt is selected (click on the inside of the Passcode input box so that you see the blinking cursor), then tap the button on the YubiKey device to trigger it to enter the passcode.

- Select Verify to proceed.