Skip to main content

Cornell University

Hardware Tokens for Two-Step Login

How to set up and use hardware tokens with Two-Step Login

This article applies to: Two-Step Login

On This Page

About Hardware Tokens

A hardware token is a keyfob-like device where you press a button to generate a one-time passcode for use in the second step of logging in. Hardware tokens are an option for situations where using a landline, cell phone, or other mobile device with Two-Step Login is not feasible.

Even if you plan to use a hardware token all of the time, you should also enroll at least one other device as a backup.

A hardware token can be used by only one person at a time. When you enroll a token, any previous enrollment under a different NetID will be deleted. On the other hand, you can enroll multiple tokens for use under your NetID.

If you have any problems using a hardware token, read more about troubleshooting hardware tokens.

For information about using a hardware token to log in, see Duo Security's Guide to Two-Factor Authentication.

Purchase a Hardware Token

Hardware tokens for use with Two-Step Login are available for individual or departmental purchase through The Cornell Store. The tokens sold by The Cornell Store are supplied by Duo Security, the company whose technology underlies Two-Step Login. Only these tokens will work with Two-Step Login.

You can buy a token in person at The Cornell Store's Ho Plaza location, or order one through The Cornell Store's website.

Each college, unit, or department will decide if, and in what circumstances, department funds can be used to purchase hardware tokens. You should check into what the practice is in your area.

If your department supplies you with a hardware token, you should return the token if you leave the university or transfer to another area.

Enroll a Hardware Token

To enroll a hardware token:

  1. Open the Manage Your Two-Step Login site.
  2. Select the Enroll a Hardware Token tab near the top of the window.
  3. When prompted, enter your token's serial number exactly as it is printed. You'll find the serial number on the back of your token above the barcode.
  4. Click Submit.

Picture of the Manage Devices screen with the Enroll a Hardware Token tab circled

Unless this is the first device you are enrolling, you will need to complete the second step of logging in.

After successfully enrolling a token:

  • You will see it listed in the Other Options to Log In list in the Duo authentication prompt and in your Duo device management list.
  • On the Duo device management screen, the only change you can make is to delete the token from your account. You cannot give it a different name. 

Remove a Hardware Token

The steps to remove a hardware token from your account are the same steps as removing any device. See Remove a Device for more information.

Transfer a Hardware Token to Someone Else

If your token was purchased with departmental funds, you should check with your department before transferring your token to another person.

To transfer a token, you can simply give your token to someone else and they will be able to enroll it for use with their NetID. Once the other person has enrolled the token under their NetID, you will no longer be able to log in with it. A hardware token can only be used by one person at a time.

As a safety measure, you should delete a hardware token from your Two-Step Login account before transferring the token to someone else, or before returning it to your department. See Remove a Device for more information.

Replace a Hardware Token

When a token (or any device) is lost or stolen, you should delete the token from your Two-Step Login account. A broken device should also be removed.

If a hardware token is lost, damaged, or just stops working, you will need to buy a new one from The Cornell Store or ask your department to replace the token. A token's expected battery life is about two years.

If the token generates anything other than a passcode, it is considered defective. Duo will replace a token for up to six months after purchase.

Unfortunately, since The Cornell Store purchases tokens in bulk, by the time a person obtains one, the warranty may have expired. The only solution for a defective token is to buy a new one, or ask your department to replace the token.

Support Contact:

Cornell IT Service Desk

Normal Business Hours: Monday-Friday, 8am-6pm (Eastern Time)
Emergency Service Disruptions: After Hours Support


To share feedback about this page or request support, log in with your NetID

At Cornell we value your privacy. To view
our university's privacy practices, including
information use and third parties, visit University Privacy.