How to get Nitrokey 3 OTP working for Duo?

Recently I got a few Nitrokey 3’s and was planning to use it at work which uses Duo for its 2 factor. To remotely login into windows servers it only supports hardware otp. Duo has a page on how to manually import hardware otp devices which requires the serial number and secret key. But when i create a otp password on my device through the nitrokey app 2 and import it in duo it does not recognize the otp codes or the nitrokey. I got the serial number by doing “nitropy nk3 list” and by the app. If anyone could help that would be great since I could not find anything about duo support for nitrokeys.

Thanks to Robin Krahl and Jan Suhr on the matrix chat for helping with this issue. Ill post how to do it here for anyone in the future that want to use nitro keys with Duo.

Duo natively supports u2f/fido2 for any hardware keys that support it, including nitrokeys. Just add the nitrokey through the organization’s add device process. Afterward anytime you are prompted for a Duo authentication you can choose the passkey (nitrokey) to authenticate.

However some logins such as Windows Server remote login only allows otp through hardware key when online. U2F/fido2 is supported but only for offline authentication. To get OTP working for duo, someone with admin credentials for the organization’s duo admin page must create a new hardware token. They will select if the token is HOTP/TOTP, 6 digit or 8 digit. Then input the nitrokey serial number which can be found in the app and nitropy, then the secret key formatted as hex. Like so without quotations “serial#,secret”. After creating the token assign the user to that token. The link above covers this process if you want a visual guide of it.

After creating the token on the Duo side you need to add it on the Nitrokey. Currently Nitrokeys only accept the secret key as base32 so when you make your own hex secret for Duo you should use a tool to convert it to base32. Make sure you set the key to the same hotp/totp 6/8 configuration on the Duo side. After you created it you can grab the codes through the app/nitropy to login with. I do not know of any autofill process for this so I currently use the app on the desktop to grab the codes from or manually add the secret to your 2fa app on your phone.