Carnegie Mellon University

How to Use 2fa Authentication

Two-factor Authentication (2fa) provides an extra layer of security to protect your identity and university data. At CMU, we use the DUO app. When you enroll in 2fa and attempt to log in with CMU Web Login, you'll receive a prompt from DUO on your smartphone, tablet or hardware token to approve the login. This takes security beyond your username and password by verifying with CMU's servers that you are who you say you are.


Register to Use 2fa with a Mobile Device

If you have never used 2fa, you will need to register. Follow the steps below to register with a mobile device. 

Before you begin registration, make sure you have the following on hand:

  • Your mobile device (smartphone or tablet) and a computer
  • Your Andrew userID and password.
  • Your CMU ID card number OR your personal email address on file with the university if a card has not been issued.

On your smartphone or tablet:

  1. Download and install the DUO Mobile app.

    iOS
    Android

On your computer or other device:

  1. Visit the Two-Factor Authentication Self-Service (2fa) Tool.
  2. Log in with your Andrew userID and password.
  3. Click Register to Use 2fa.
  4. Select Mobile Device and click Continue. You must have the device with you to complete the enrollment process.
  5. Follow the prompts to proceed.
  6. Click I have DUO Mobile installed. A QR code will display on your screen.

On your smartphone or tablet:

  1. Open DUO Mobile.
  2. Tap the plus (+).
  3. Hold your tablet or smartphone up to your computer to scan the QR code that displayed in step 3.
  4. Carnegie Mellon University will appear in the DUO app with the text DUO-PROTECTED.

On your computer:

  1. A green checkmark will appear on your QR code.
  2. Click Continue. You will receive a message that your enrollment was successful!

Use Your Registered Device with 2fa

Once you've registered a device for 2fa, you'll be prompted to approve your log in whenever you attempt to access CMU systems or services. You'll want to keep your registered device with you to use with 2fa.

Push to Your Device

  1. When prompted with DUO on your computer, click Send Me a Push.
  2. The DUO Mobile app will open on your mobile device.
  3. Tap Approve when prompted.

WATCH THE 2fa Push Notification VIDEO

Enter a Passcode

  1. On your computer, click Enter a Passcode.
  2. Open the DUO Mobile app on your device and tap DUO-PROTECTED Carnegie Mellon University to generate a passcode.
  3. Enter the passcode into the DUO prompt on your computer.
  4. Click Remember me for 30 days to avoid being prompted for one month.
  5. Click Log In.

WATCH THE 2fa PASSCODE VIDEO

Hard Token

  1. Press the button on the token to generate a one-time passcode.

  2. Enter the passcode that displays on the token into the DUO prompt on your computer.

  3. Click Log In.

Watch the 2fa Hardware Token Video

Yubikey

  1. Tap your U2F token (Yubikey) to send approval. 
Watch the U2F token video

Add a New Device

Follow these steps to add a new smartphone or device to your 2fa registration.

When should I update?

You will need to update your registration if you:

    • Purchase a new phone with the same phone number
    • Factory reset your registered device

WATCH THE UPDATE YOUR 2FA DEVICE VIDEO

Add a New Device to Your Registration (update)

  1. Visit the Two-Factor Authentication Self-Service (2fa) Tool.
  2. Log in with your Andrew userID and password.
  3. Click Add a new device to 2fa.
  4. Follow the prompts to complete the update.


    Note: If you got a new phone with a different number or a new tablet, follow the steps above to register to use 2fa.

Manage Your Devices

Follow the steps below to set device preferences, remove a device or change a device name.

  1. Visit the Two-Factor Authentication Self-Service (2fa) Tool.
  2. Log in with your Andrew userID and password.
  3. Click Manage Devices.
  4. Authenticate with DUO using your preferred method.
  5. Perform the following actions as desired:
    • To set your default device, click the Default Device drop-down, select your preference, and click Save.
    • To remove a device, click Device Options, then click the trash can to the right of the device to be removed.
    • To change a device name, click Device Options, then click Change Device Name. Enter a new name for your device and click Save.

Frequently Asked Questions

Review the topics below for answers to common questions related to 2fa.

Yes. There are other alternatives.

  • Campus affiliates (students, faculty, and staff) can purchase a Yubikey, a device that can connect to DUO, and provide you with a secure passcode for 2fa.
  • Faculty and staff can request a Hard Token from the Help Center.

Effective December 15, 2021, all students, faculty, staff, alumni, and sponsored accounts must be enrolled in 2fa. You will not be able to opt-out of this service.

Yes. You can generate a numeric passcode even if your device does not have any network connection.

Yes. You are strongly encouraged to register multiple devices.

Add a new device to your registration (update) using the 2fa Self-Service Tool.

Faculty and staff can request a Hard Token from the Help Center. Once you receive your hard token:

  1. Visit the Two-Factor Authentication Self-Service (2fa) Tool.
  2. Log in with your Andrew userID and password.
  3. Click Register DUO Hardware Token.
  4. Enter the serial number from the back of the token.
  5. Click Submit.
  6. Follow the prompts to continue with the registration and click Submit.

Campus affiliates (students, faculty, and staff) can purchase a Yubikey, a device that can connect to DUO, and provide you with a secure passcode for 2fa. Once you have your Yubikey in hand:

  1. Visit the Two-Factor Authentication Self-Service (2fa) Tool.
  2. Log in with your Andrew userID and password.
  3. Click Register a Device.
  4. Select Yubikey and click Continue. You must have the device with you to complete the enrollment process.
  5. Follow the prompts to proceed.

A hardware token may become "out of sync" if the button is pressed too many times and the generated passcodes aren't used. Go to the Two-Factor Authentication Self-Service (2fa) Tool, click RESYNC Hardware Token and follow the onscreen instructions.

When you receive a DUO prompt:

  1. Click the Remember me for 30 days checkbox.
  2. Click Enter a Passcode.
  3. On your mobile device, open the DUO app and tap the DUO-PROTECTED Carnegie Mellon University bar to generate a passcode.
  4. On your computer, enter the passcode and click Log In.
  1. Visit the Two-Factor Authentication Self-Service (2fa) Tool.
  2. Log in with your Andrew userID and password.
  3. Enter your personal email address on file with the university and click Submit.
  4. You will receive an email with a passcode to unlock your account. The code expires in 60 minutes from the time it was sent.
  5. Enter the passcode.
  6. Click Submit
  7. Click Main Menu to continue and follow the onscreen instructions. 

Contact the Help Center immediately if you lose your phone or suspect that it's been stolen. A Help Center consultant will disable your device for 2fa and help you log in using another device.

You may have disabled push notifications for DUO.
  1. Visit Two-Factor Authentication Self-Service (2fa) tool.
  2. Click Manage Devices.
  3. Verify Ask me to choose an authentication method is selected.
  4. If this still does not resolve the issue, check your mobile device settings below.
  1. Tap Settings > Notifications > DUO Mobile.
  2. Verify the Allow Notifications option is enabled.
  1. Tap Settings > Apps & notifications > DUO Mobile.
  2. Verify the Notifications are set to on.

CMU uses the DUO Security  app to support services using Single Sign-On (SSO) with CMU Web Login. Some examples of services that use CMU Web Login with 2fa include Box, LinkedIn Learning, Workday, SIO/S3, Sparcs, Google for Education apps, Canvas, and Zoom.

Note: CMU also uses DUO Security for 2fa with some services that don't require Web Login (including VPN, Citrix, and Campus Cloud).