Carnegie Mellon University

How to Use Authentication

Authentication is a process that validates your identity. At CMU, we use the following forms of authentication:

Single Sign-On (SSO) with CMU Web Login

Whenever you attempt to access protected CMU resources, such as a restricted website or service, and are prompted to log in with CMU Web Login, you're logging in through Single Sign-On.

USE CMU WEB LOGIN

Two-Factor Authentication (2fa)

Two-factor Authentication (2fa) provides an extra layer of security to protect your identity and university data. At CMU, we use the DUO app. When you enroll in 2fa and attempt to log in with CMU Web Login, you'll receive a prompt from DUO on your smartphone, tablet or hardware token to approve the login. This takes security beyond your username and password by verifying with CMU's servers that you are who you say you are.

USE TWO-FACTOR AUTHENTICATION (2fa)

Two-Factor Authentication (2fa) with DUO

Step 1: Prepare to Register

In order to register for DUO, you'll need the following:

  1. The device you want to register:
  2. Your Andrew userID and password.
  3. Your CMU ID card number OR your personal email address on file with the university if a card has not been issued.

Note: Once the registration process has begun, it must be completed.

Step 2: Register for 2fa

  1. Visit the Two-Factor Authentication Self-Service (2fa) Tool.
  2. Log in with your Andrew userID and password.
  3. Enter one of the following
    • CMU ID card number (students, faculty and staff)
    • Personal email address on file with the university
  4. Click Submit.
  5. Follow the prompts to complete the registration process for your device.

Step 3: Set Up DUO

Download and install the DUO mobile app on your device.

iOS
Android

How to Use 2fa

Push to Your Device

  1. When prompted with DUO on your computer, click Send Me a Push.
  2. The DUO Mobile app will open on your mobile device.
  3. Tap Approve when prompted.

    WATCH THE DEVICE PUSH VIDEO

Enter a Passcode

  1. On your computer, click Enter a Passcode.
  2. Open the DUO Mobile app on your device and tap DUO-PROTECTED Carnegie Mellon University to generate a passcode.
  3. Enter the passcode.
  4. Click Remember me for 30 days to avoid being prompted for one month.
  5. Click Log In.

    WATCH THE PASSCODE VIDEO

DUO Hardware Token Passcode

  1. Press the button to generate a one-time code.

  2. Enter the passcode at the Web Login/DUO prompt on your computer.

  3. Click Log In.

    Watch the Hardware Token Video

U2F Token

  1. Tap your U2F token (Yubikey) to generate and submit a passcode.
Watch the U2F token video

Manage Your 2fa-Registered Devices

Register a New Device

To add a new device that has not been registered for authentication:
  1. Visit the Two-Factor Authentication Self-Service (2fa) Tool.
  2. Log in with your Andrew userID and password.
  3. Click Register New Device. Important: If you upgraded to a new phone (new model/same number), click Reactivate Device instead.
  4. Follow the prompts to complete the registration.

Update Your Registration

If you update your phone but keep the same number follow the instructions below to update your registration:

  1. Visit the Two-Factor Authentication Self-Service (2fa) Tool.
  2. Log in with your Andrew userID and password.
  3. Click Reactivate Device.
  4. Follow the prompts to complete the update.

Set, Remove, or Change Devices

  1. Visit the Two-Factor Authentication Self-Service (2fa) Tool.
  2. Log in with your Andrew userID and password.
  3. Click Manage Registered Device.
  4. Authenticate with DUO using your preferred method.
  5. Perform the following actions as desired:
    • To set your default device, click the Default Device drop-down, select your preference, and click Save.
    • To remove a device, click Device Options, then click the trash can to the right of the device to be removed.
    • To change a device name, click Device Options, then click Change Device Name. Enter a new name for your device and click Save.

Frequently Asked Questions

Follow the steps below to register a new device, update your registration when you have a new phone with the same number.

To register to use 2fa, you must have your CMU card number or the personal email address that you used to register for your Andrew userID with.

CMU uses the DUO Security to app to support services using Single Sign-On (SSO) with CMU Web Login. Some examples that use CMU Web Login with 2fa include Box, LinkedIn Learning, Workday, SIO/S3, Sparcs, Google for Education apps, Canvas, and Taleo.

Note: CMU also uses DUO Security for 2fa with some services that don't require Web Login (including VPN, Citrix, and Campus Cloud). 

Effective February 28, 2021, all students, faculty and staff must be enrolled in 2fa. You will not be able to opt-out of this service.

Yes. You can generate a numeric passcode even if your device does not have any network connection.

Yes, you are strongly encouraged to register multiple devices.

Contact the Help Center immediately if you lose your phone or suspect that it's been stolen. A Help Center consultant will disable your device for 2fa and help you log in using another device.

Update your registration using the 2fa Self-Service Tool.

When you receive a DUO prompt:

  1. Click the Remember me for 30 days checkbox.
  2. Click Enter a Passcode.
  3. On your mobile device, open the DUO app and tap the DUO-PROTECTED Carnegie Mellon University bar to generate a passcode.
  4. On your computer, enter the passcode and click Log In.

You may have disabled push notifications for DUO.

  1. Visit Two-Factor Authentication Self-Service (2fa) tool.
  2. Click MANAGE Registered Device.
  3. Verify Ask me to choose an authentication method is selected.
  4. If this still does not resolve the issue, check your mobile device settings below.

On iOS:

  1. Tap Settings > Notifications > DUO Mobile.
  2. Verify the Allow Notifications option is enabled.

On Android:

  1. Tap Settings > Apps & notifications > DUO Mobile.
  2. Verify the Notifications are set to on.
  1. Visit the Two-Factor Authentication Self-Service (2fa) Tool.
  2. Log in with your Andrew userID and password.
  3. Enter your personal email address on file with the university and click Submit.
  4. You will receive an email with a passcode to unlock your account. The code expires in 60 minutes from the time it was sent.
  5. Enter the passcode.
  6. Click Submit
  7. Click Main Menu to continue and follow the onscreen instructions.