Carnegie Mellon University

FAQ

This FAQ will address your questions about using two-factor authentication (2fa) with DUO for Web Login.

Will 2fa affect all the applications I use?

No. 2fa will only affect WebLogin (login.cmu.edu) protected sites and services.

How long does 2fa last?

You can allow 2fa to last for 30 days by selecting the "Remember this device for 30 days" option on the Two-Factor Authentication screen, which appears after you have logged in using your Andrew userID and password.

Choosing the "Remember this device for 30 days" option means that after authenticating via 2fa once, you will be able to access all University sites that are secured using Shibboleth (Web Login) without having to authenticate again through 2fa for 30 days, provided you use the same browser on the same device.

Note: This feature does not work for Citrix, Cisco VPN or special internal apps.

Can I opt out of 2fa?

All faculty, staff, and student employees must be enrolled in 2fa and cannot opt out of the service. Students who are not student employees are able to opt out.

Can I use DUO without incurring any data or text message costs?

Yes. After selecting the Duo app on your smartphone, tap the Duo key icon in the upper right-hand corner of the screen to generate a passcode. Generating passcodes does not send any kind of message or use data and you can generate passcodes even when you are not connected to a network. Using DUO to generate passcodes will not incur any data or text message costs.

I will be traveling and won’t have reliable cellular network access. Can I still use 2fa if I don’t have network access on my phone?

Yes. From your device, tap the key on the upper right-hand side of the screen in DUO on iOS or Android, or tap the Generate Passcode button on your Microsoft OS device, to generate a numeric passcode that you can use even if your phone does not have any network connection.

Are alumni eligible to use 2fa?

No. Alumni who are not currently faculty, staff, or students are not eligible to use 2fa.

What if I have other questions or issues?

For additional information, contact the Help Center.

How do I sign up for and set up 2fa?

The 2fa Self-Service Registration tool makes it easy to register your device and install the mobile application on your smart phone or tablet. Visit https://2fa.cmu.edu and follow the instructions.

I don't have my card ID number - what do I do?

Contact the Help Center for support.

I already have DUO for another application (e.g. Secure VPN or Citrix). How do I get enrolled in Duo for WebLogin?

Send a request to it-help@cmu.edu to update your 2fa registration with the Computing Services Help Center. Once you are registered, you can use the 2fa Self-Service Registration page available at http://2fa.cmu.edu/ to manage your device(s).

What operating systems and devices work with Duo Mobile?

Visit https://guide.duo.com and scroll to Supported Devices.

Note: We currently do not support landlines, non-smart phones, or SMS.

Can I use multiple devices with 2fa?

Yes, you are strongly encouraged to register multiple devices. Register your smart phone, your tablet, and more using the 2fa Self-Service Registration tool.

What is a hardware token, how much does it cost, and where can I get one?

A hardware token is a physical device that generates a numeric passcode. You can use the passcode to log in from the 2fa prompt.

Computing Services is providing your first token free of charge. You can request a hardware token by visiting the Help Center. You will need to provide a valid photo ID.

What is U2F (e.g. YubiKey)?

Universal 2nd Factor (U2F) is a universal standard for creating physical authentication tokens that can work with any service. U2F devices are currently small USB devices that you insert in your computer’s USB port. When inserted, the Chrome Browser on your computer can communicate with the USB key using secure encryption and provides the correct response that allows you to log in to a service.

The University does not provide U2F keys, but personal keys can be registered at http://2fa.cmu.edu/.

What if I lost/lose my phone?

Contact the Help Center immediately if you lose your phone or suspect that it's been stolen. A Help Center consultant will disable your device for 2fa and help you log in using another device or hardware token. While it's important that you contact the Help Center if you lose your phone, remember that your password will still protect your account.

I replaced my cell phone. How do I activate 2fa on my new phone?

Use the Two-Factor Authentication Self-Service Registration tool to activate 2fa on your new phone.

I don’t have an app-enabled smart phone or tablet. What do I do?

You will need to get a hardware token from the Help Center. Visit the Help Center during business hours to pick one up.

How do I add a new device or hardware token?

  • To add another device, visit 2fa.cmu.edu and click Register a new device.
  • To add a hardware token, visit the Help Center.

Troubleshoot

Common issues and troubleshooting instructions are listed below.

Contact the Help Center if you continue to experience issues with Duo or two-factor authentication (2fa).

Computing Services Help Center Support for DUO/2fa is available 24/7.
Note: After-hours support is for emergencies ONLY.

Because you have the option "Always send me a push" selected for your device, the Remember Me for 30 Days box is greyed out.

To use the Remember Me for 30 Days feature, do one of the following:

  • Click Cancel from the blue bar at the bottom of the Duo page. This cancels the current Push and enables the Remember Me for 30 Days option. Continue to Send a Push and accept.
  • Alternatively, visit 2fa.cmu.edu and complete the following:
    1. Click Manage a registered device.
    2. Change the When I log in option from Always send me a push to Ask me to choose an authentication method.

Disabled Push Notifications

To re-enable push notifications on your iPhone if you have disabled them, tap Settings > Notification Center. From the Notification Center you can re-enable push notifications for the application.

Push Notifications Not Sending

If Push notifications are not sending to your phone, use the mobile application to generate a passcode. Launch the application, and then click the key icon next to Carnegie Mellon University. This provides a passcode that can be entered into the web page.

If you recently updated your phone and DUO is not working, try to reactivate your DUO app on your phone.

Your hardware token may stop working if it is out of sync.

From the 2fa Self-Serve tool, click Resync Your Hardware Token and follow the instructions.

If this doesn’t work, contact the Help Center. They will be able to assess the issue and take action to get you back up and running.

If you have forgotten or lost your smart phone/token, you’re locked out of DUO, or your hardware token stopped working, contact the Help Center.