TOTP token drift and resynchronization are not supported. As a result, imported TOTP tokens may not work for authentication with Duo Security, or may fail to work for authentication after a variable period of time.
While HOTP hardware tokens are recommended by Duo, they can still get out of sync and may need to be manually resynced.
Tokens can get "out of sync" if the button is pressed too many times in a row and the generated passcodes aren't used for login. Contact your administrator if your token stops working.
To avoid the issues above, you can use our programmable tokens with unrestricted time sync. With this type of token, users can perform the re-sync operations themselves, without involving the service administrators. The hardware clock sync is done over NFC using the TOKEN2 NFC Burner applications, available for Android and Windows platforms.
Refer to this article for instructions on how to import TOTP hardware tokens to your Duo account. You can also convert your existing seeds in base32 format (i.e. the Azure MFA compatible CSV files) to Duo-compatible format (with seeds in hex) using this PowerShell script.
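The base32-to-hex seed conversion described above, as an added Python example (it is not the PowerShell script this page refers to). The input column names and the output layout of serial number plus hex seed are assumptions, and the sample rows are constructed from public test seeds.

```python
import base64
import binascii
import csv
import io

def base32_seed_to_hex(seed: str) -> str:
    """Decode a base32 seed to lowercase hex.

    Tolerates spaces, dashes, lowercase and missing '=' padding.
    Error messages never echo the seed, so secrets stay out of logs.
    """
    cleaned = seed.replace(" ", "").replace("-", "").rstrip("=").upper()
    if not cleaned:
        raise ValueError("empty seed")
    padded = cleaned + "=" * (-len(cleaned) % 8)
    try:
        return base64.b32decode(padded).hex()
    except binascii.Error as exc:
        raise ValueError(f"not valid base32 ({exc})") from None

def azure_csv_to_duo(azure_csv: str) -> str:
    """Convert CSV text with base32 seeds to 'serial,hexseed' lines.

    Assumed input header: upn,serial number,secret key,time interval,
    manufacturer,model. Assumed output: serial number, hex seed.
    """
    reader = csv.DictReader(io.StringIO(azure_csv))
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for line_no, row in enumerate(reader, start=2):
        serial = row["serial number"].strip()
        try:
            hex_seed = base32_seed_to_hex(row["secret key"])
        except ValueError as exc:
            # Report the row by line and serial only, never by seed.
            raise ValueError(f"line {line_no}, serial {serial}: {exc}") from None
        writer.writerow([serial, hex_seed])
    return out.getvalue()

# Constructed sample input; the seeds are well-known public test values.
SAMPLE = """upn,serial number,secret key,time interval,manufacturer,model
alice@example.com,1000000001,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30,Token2,sample-model
bob@example.com,1000000002,jbsw y3dp ehpk 3pxp,30,Token2,sample-model
"""

if __name__ == "__main__":
    print(azure_csv_to_duo(SAMPLE), end="")
```

Both the input and output files contain the token secrets in clear text, so keep them off shared storage and delete them once the import is done.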
In addition to programmable TOTP tokens, Token2 FIDO2 Keys with HOTP support can also be used. If the HOTP method is enabled on the device, the OTP digits are sent automatically via the USB HID interface when the button on the key is pressed or touched.