How do I obtain a physical token (FOB) for MFA?

Summary

If you do not own a smartphone, or plan to be in a part of the world where you will not have Internet access and are therefore unable to use Microsoft Authenticator, a physical token may be utilized.

Body

Overview

If you do not own a smartphone, or plan to be in a part of the world where you will not have Internet access and are therefore unable to use Microsoft Authenticator, a physical token may be utilized. 

Purdue supports the use of standards‑based OATH‑TOTP hardware tokens with Microsoft Entra ID. Customers may purchase any OATH‑TOTP hardware token that supports SHA‑1 or SHA‑256 with a 30/60‑second refresh interval.

Recommended Models

While multiple OATH‑TOTP tokens are compatible, Purdue IT recommends the following models due to compatibility, cost, and operational consistency:

YubiKey 5 Series Models

USB-C YubiKey 5C NFC Two-Factor Security Key | Yubico

The YubiKey 5 Series Models meet all Entra ID requirements and are the preferred models for Purdue‑managed deployments, documentation, and support workflows. 

Purchasing Instructions

For employees, Yubikeys can be purchased through the Amazon vendor catalog on Ariba.  Please check with your Business Office on purchasing steps.

To purchase directly from the vendor:

Step 1: Go to the official Yubico store

Step 2: Select the correct model series

  • Choose YubiKey 5 Series Uploaded Image (Thumbnail)

Step 3: Select the Appropriate Model

USB-A: USB-A YubiKey 5 NFC Two Factor Security Key | Yubico

USB-C: USB-C YubiKey 5C NFC Two-Factor Security Key | Yubico

Make sure:

  • The product name starts with “YubiKey 5”
  • It is part of the YubiKey 5 Series
  • The USB connector matches your device
    • YubiKey 5 NFC keys use USB-A
    • Some computers (especially newer laptops) only have USB-C ports

If your device only has USB-C, consider:

  • Buying a USB-C compatible YubiKey (such as the Yubikey 5C NFC), OR
  • Using a USB-A to USB-C adapter
  • Your phone supports NFC (if you plan to tap your Yubikey on your phone instead of plug in)

Do NOT select:

  • “Security Key”
  • “Security Key NFC”
  • Any product that does not include “5 Series”

Step 4: Place your order

  • Add the YubiKey to your cart
  • Complete checkout using your preferred payment method

Other compliant OATH‑TOTP tokens may be used; however, Purdue IT may provide best‑effort support only for non‑recommended models.

Activating the YubiKey

You can activate your YubiKey by following the instructions in these articles:

Set up YubiKey as a Passkey (standard): Article - How do I set up a YubiKey a...

Set up YubiKey as an OTP device (required for Purdue VPN): Article - How To Set Up Authenticatio...

Hardware Tokens and the Purdue VPN

When you log into the Purdue VPN using a hardware token, you must enter a 6-digit code.

This is called a one-time passcode (OTP).

  • ✅ YubiKey 5 NFC → Generates this code ✅
  • ❌ YubiKey Security Key → Cannot generate this code ❌

If you use VPN, the YubiKey 5 Series are the compatible, recommended YubiKeys .

What’s Different About YubiKeys?

Unlike traditional OTP tokens, YubiKeys do not have a screen to show you the passcode.

Because of this:

  • You must use the Yubico Authenticator app to see your one‑time code
  • The YubiKey generates the code, but it is displayed on a computer or phone
  • This means you’ll need:
    • A computer with a USB or USB-C port, or
    • A phone that supports NFC or USB‑C

In simple terms: a YubiKey cannot show a code by itself. It always needs the app.

Things to Consider Before Choosing a YubiKey

  • The YubiKey must be set up specifically for time‑based passcodes (OATH‑TOTP) if using the token to connect to the Purdue VPN.
  • You are responsible for installing and using the Yubico Authenticator app
  • You are responsible for managing your Yubikey's PIN

 

Supported OATH‑TOTP Hardware Tokens

The YubiKey 5 Series Model is the recommended device, but Purdue supports the use of standards‑based OATH‑TOTP hardware tokens with Microsoft Entra ID.

General Compatibility Guidance

Customers may choose to purchase any OATH‑TOTP hardware token that meets all of the following requirements:

  • Uses OATH TOTP
  • Supports SHA‑1 or SHA‑256
  • Uses a 30‑second or 60‑second refresh interval
  • Provides a 6‑digit OTP
  • Allows the TOTP secret (seed) to be exported for registration in Microsoft Entra ID
  • Is compatible with Microsoft Entra ID OATH hardware tokens

Tokens that do not allow seed export or that rely on proprietary enrollment mechanisms cannot be onboarded.  If you have purchased a compatible token and need assistance with setup, please contact accounts@purdue.edu for assistance.  Support for alternative devices may be more limited in scope.

 

Still need help?  Click the 'Purdue IT Request' button to start a ticket.

Details

Details

Article ID: 524
Created
Mon 10/9/23 10:59 AM
Modified
Wed 5/13/26 8:45 AM

Related Articles

Related Articles (2)

How to set up Microsoft multi-factor authentication (MFA)
Guide to setting up Microsoft MFA to protect your Purdue email account.
VPN Access Changes: Microsoft Authenticator Transition - May 29th, 2026
This article outlines the upcoming changes to the VPN regarding the transition to Microsoft MFA for two-factor authentication at Purdue.

Related Services / Offerings

Related Services / Offerings (2)

Collaboration
Collaboration resources for Purdue's success.
Collaboration Request
Collaboration Request