Carnegie Mellon University

FAQ

This FAQ will address your questions about using two-factor authentication (2fa) with DUO.

What is 2fa?

Two-factor Authentication (2fa) -- also known as two-step verification or multifactor authentication -- is an extra layer of security to protect identity and university data. 2fa uses supported devices (including smart phones and tablets) or hardware tokens to complete secondary authentication and enhance security beyond just a username and password. By requiring two ways to validate your identity, 2fa can help to protect your online accounts and potentially lower the number of cases of identity theft on the Internet.

Will 2fa affect all the applications I use?

CMU uses DUO Security to support 2fa for services using Single Sign-On through Web Login (including Box, lynda.com, Workday, SIO/S3, Sparcs, GSuite, Canvas, Taleo). CMU also uses DUO Security for 2fa with some services that don't require Web Login (including VPN, Citrix, and Campus Cloud). 

Note: 2fa is currently not available for General & Library VPN, computer labs, or mail client software (e.g., Apple Mail or Microsoft Outlook). 

How long does 2fa last?

You can allow 2fa to last for 30 days by selecting the Remember me for 30 days option in the Two-Factor Authentication Self-Service (2fa) tool. Selecting this option means that after authenticating via 2fa once, you will be able to access all university sites that are secured using Web Login without having to authenticate again through 2fa for 30 days provided you use the same browser on the same device and don't clear your cookies.

Visit the troubleshooting section if you do not have the Remember me for 30 days option. 

Note: This feature only works for protected web-based applications.

Can I opt out of 2fa?

All faculty, staff, and student employees must be enrolled in 2fa and cannot opt out of the service. Students who are not student employees are able to opt out.

How do I generate a DUO passcode on my device?

  • iOS or Android devices: From the DUO mobile app, tap the key icon in the upper right-hand corner of the screen.
  • Microsoft OS devices: From the DUO mobile app, tap the Generate Passcode button.

Can I use DUO without incurring any data or costs?

Yes. Using the DUO mobile app to generate passcodes does not send messages or use data, and therefore does not incur any associated costs. You can also generate passcodes even when you are not connected to a network.

I will be traveling and won’t have reliable cellular network access. Can I still use 2fa if I don’t have network access on my phone?

Yes. You can generate a numeric passcode even if your device does not have any network connection.

Are alumni eligible to use 2fa?

No. Alumni who are not currently faculty, staff, or students are not eligible to use 2fa.

What if I have other questions or issues?

For additional information, contact the Help Center.

How do I sign up for and set up 2fa?

Follow the onscreen instructions in the Two-Factor Authentication Self-Service (2fa) tool to register for 2fa and manage your devices. For mobile phones and tablets, you will also need to download the DUO mobile app on your device using the appropriate link: iPhone/iPad | Android | Windows Phone 

I don't have my card ID number or email address on file - what do I do?

To register to use 2fa, you must have your CMU card number OR a personal email address on file with the university. Contact the Help Center for support.

What operating systems and devices work with DUO Mobile?

Visit https://guide.duo.com and scroll to Supported Devices.

Note: We currently do not support landlines, non-smart phones, or SMS.

Can I use multiple devices with 2fa?

Yes, you are strongly encouraged to register multiple devices. Use the Two-Factor Authentication Self-Service (2fa) tool to register a mobile phone, tablet, and/or U2F token (Yubikey). Staff and faculty can also request a DUO hardware token by visiting the Help Center.

What is a hardware token and where can I get one?

CMU currently supports two hardware tokens for use with 2fa:

  • DUO hardware token: A physical device that generates a numeric passcode that you can use to log in to 2fa. Staff and faculty can request a DUO hardware token by visiting the Help Center. The token will be registered for you. You will need to provide a valid photo ID. Replacement fees may apply.
  • U2F token (Yubikey): A security device that uses the Universal 2nd Factor (U2F) open authentication standard. U2F tokens (including Yubikeys) are currently small USB devices that you insert in your computer’s USB port. When the token is inserted, the Chrome browser on your computer can communicate with it using secure encryption and provide the correct response that allows you to log in to a service. The university does not provide U2F tokens, but personal tokens can be purchased independently and registered using the Two-Factor Authentication Self-Service (2fa) tool.

What if I lost/lose my phone?

Contact the Help Center immediately if you lose your phone or suspect that it's been stolen. A Help Center consultant will disable your device for 2fa and help you log in using another device or hardware token. While it's important that you contact the Help Center if you lose your phone, remember that your password will still protect your account.

I replaced/updated my cell phone. How do I activate 2fa?

Go to the Two-Factor Authentication Self-Service (2fa) tool, click REACTIVATE Device and follow the onscreen instructions. 

I don’t have an app-enabled smartphone or tablet. What do I do?

The university does not provide U2F tokens, but personal tokens can be purchased independently and registered using the Two-Factor Authentication Self-Service (2fa) tool. Staff and faculty can request a DUO hardware token by visiting the Help Center.

How do I add a new device or hardware token?

Troubleshoot

Common issues and troubleshooting instructions are listed below. Contact the Help Center if you continue to experience issues with DUO or two-factor authentication (2fa).

Computing Services Help Center Support for DUO/2fa is available 24/7.
Note: After-hours support is for emergencies ONLY.

The Remember me for 30 days option may not be available if you chose an automatic authentication method when setting up a device. To use the Remember me for 30 days feature, do one of the following:

  • Click Cancel from the blue bar at the bottom of the DUO mobile app page. This cancels the current Push and enables the Remember me for 30 days option. Continue to Send a Push and accept.
  • Go to the Two-Factor Authentication Self-Service (2fa) tool and complete the following:
    1. Click MANAGE Registered Device.
    2. Change the When I log in option from Always send me a push to Ask me to choose an authentication method.

Disabled Push Notifications

To re-enable push notifications on your mobile phone if you have disabled them, tap Settings > Notification Center. From the Notification Center you can re-enable push notifications for the application.

Your hardware token may stop working if it is out of sync. Go to the Two-Factor Authentication Self-Service (2fa) tool, click Resync Your Hardware Token and follow the onscreen instructions. 

If you have forgotten or lost your smart phone/token, you’re locked out of DUO, or your hardware token stopped working, contact the Help Center.
  1. Go to the Two-Factor Authentication Self-Service (2fa) tool.
  2. Enter your Andrew userID and password.
  3. Enter your personal email address on file with the university and click Submit.
     You will receive an email with a unique authentication code that will unlock your account.
     Note: The code expires in 60 minutes from the time it was sent.
  4. Enter the unique authentication code and click Submit.
  5. Click Main Menu to continue and follow the onscreen instructions.