Duo 2FA: Hardware Tokens for Two-factor Authentication

Overview

There are two types of hardware tokens/security keys: 

  1. A legacy hardware token is a small device that can be attached to your keychain that will generate a time-based code used during the two-factor authentication process.  Visit the Token Request form to request a legacy hardware token, view eligibility requirements, and related costs.  
  2. A FIDO security key is a small hardware device used for secure sign-in and multi-factor authentication. It typically plugs into a USB port or connects over NFC. Instead of relying on a text message, a phone app, or a bypass code, a FIDO key provides physical proof of possession during sign-in. 
Note: On August 4, 2026, the University of Tennessee will no longer distribute legacy hardware tokens. Please consider purchasing a FIDO security key.

Campus-Specific Support:

  • UTK, UTSA, IPS, UTIA, and UTSI - OIT HelpDesk (865) 974-9900
  • UTC - UTC HelpDesk (423) 425-4000
  • UTHSC - UTHSC HelpDesk (901) 448-2222
  • UTM - UTM HelpDesk (731) 881-7900

Using your Legacy Hardware Token

  1. Access the desired UT system like you normally would using your NetID and password.
  2. After successful authentication with your NetID password, Select Enter a Passcode on the next screen.
  3. Press and release the red button on your hardware token and enter your code.
    *If the machine or device you are connecting from is trusted, like your computer or laptop (not a public use machine), you can select the Remember me for 7 days option to remember the device.
  4. Click Login to continue.

Purchasing a FIDO Security Key

FIDO keys are commonly used as a more secure and more consistent authentication method for people who:

  • do not have a compatible smartphone
  • want a dedicated sign-in device
  • need a backup authentication method

What does “FIDO” mean?

FIDO stands for Fast Identity Online. In practice, a FIDO key is a hardware security key that supports standards such as FIDO2 and WebAuthn for secure login.

When purchasing a key, look for these terms in the product description:

  • FIDO2
  • WebAuthn
  • Security Key

Purchasing guidance

The OIT Security team currently recommends Feitian and Yubico keys, but other standards-based FIDO2/WebAuthn security keys are also expected to work in many cases. Because not every model is tested in every scenario, users should understand:

  • FIDO2 keys may be purchased from VolTech, Feitian, Yubico, or many other online retailers.
  • Feitian and Yubico are the recommended brands when possible
  • Other brands may work if they support FIDO2/WebAuthn
  • Support may be more limited for keys outside the preferred models

Recommended key types by use case

Use case Recommended type Why
USB-C laptops, tablets, or newer phones USB-C FIDO2 key Best fit for modern devices with USB-C ports
USB-A desktops or older laptops USB-A FIDO2 key Best fit for older computers and common desktop setups
iPhone / iPad (iOS) NFC-capable FIDO2 key Usually the most flexible option for iOS users, especially if a direct USB connection is not convenient

Platform-specific recommendations

For USB-C users

For users with newer laptops, tablets, or phones that use USB-C, purchase a USB-C FIDO2 security key.

  • Direct connection
  • No adapter required
  • Best for newer Windows, macOS, and USB-C mobile device workflows

Recommended purchase choice for USB-C:

Other options:

  • Other FIDO2/WebAuthn-compatible USB-C security keys may also work

For USB-A users

For users with older laptops, docking stations, or desktop computers that use USB-A, purchase a USB-A FIDO2 security key.

  • Fits older and more common desktop hardware
  • Avoids the need for USB-C adapters
  • Useful for shared office and legacy workstation environments

Recommended purchase choice for USB-A:

Other options:

  • Other FIDO2/WebAuthn-compatible USB-A security keys may also work

For iOS users

For users who primarily sign in on an iPhone or iPad, the safest recommendation is an NFC-capable FIDO2 security key.

  • NFC is often the easiest option for iOS sign-in
  • It avoids needing the correct physical connector for the phone
  • It gives more flexibility across devices

If the user has a newer iPad or iPhone with USB-C, a USB-C FIDO2 key may also be a good option, but NFC remains the most broadly practical iOS recommendation.

Recommended purchase choice for iOS:

Other options:

  • Other FIDO2/WebAuthn-compatible NFC security keys may also work

Things to look for before buying

Before purchasing a security key, confirm the following:

  • The key supports FIDO2
  • The key supports WebAuthn
  • The connector matches the device you will use most often:
    • NFC for iOS convenience
    • USB-C for modern devices
    • USB-A for older computers
  • If you use more than one device type, consider the option that best matches your primary device, or purchase a model that supports multiple connection methods

Important notes

  • A FIDO key is a physical device and should be stored securely
  • Users may want to purchase two keys if they want a backup
  • Not every low-cost “security key” sold online is fully compatible; the product listing should clearly state FIDO2/WebAuthn support
  • If a user wants the most supportable option, they should choose a Feitian model that matches their device type

Quick recommendation summary

If you are unsure what to buy:

  • Use an iPhone or iPad? Buy an NFC-capable FIDO2 key
  • Use a newer USB-C laptop? Buy a USB-C FIDO2 key
  • Use an older desktop or laptop with USB-A? Buy a USB-A FIDO2 key