What is Two-Factor Authentication?

What is Two-Factor Authentication?

Two-factor authentication adds a second layer of security to your online accounts. Verifying

your identity using a _{second factor (like your phone or other mobile device) prevents anyone} but you from logging in, even if they know your password.

How It Works

Once you've enrolled in Duo you're ready to go: You'll login as usual with your username and password, and then use your device to verify that it's you. You can do this via SMS, voice call, one-time passcode, the Duo Mobile smartphone app, and so on.

No mobile phone? You can also use a landline or tablet. Duo lets you link multiple devices to

your account, so you can use your mobile phone and a landline, two different mobile devices, etc.

Why Do I Need This?

Passwords are increasingly easy to compromise. They can often be stolen, guessed, or hacked — you might not even know someone is accessing your account.

Two-factor authentication adds a second layer of security, keeping your account secure even

if your password is compromised. With Duo, you'll be alerted right away (on your phone) if someone is trying to log in as you.

This second factor of authentication is separate and independent from your username and password — _{Duo never sees your password.}

Where Do I Need to Use Duo 2-factor?

When you try to login to any of the University Single Sign-on (SSO) Shibboleth enabled systems (MyUM, CaneLink, Workday, UService, Blackboard, etc.) through a web browser, you will be required to provide 2nd-factor through Duo’s Authentication prompt. _{See the appendix for a}

complete list of SSO enabled UM services that require DUO 2nd_{-factor authentication.}

What Browsers Are Supported?

Chrome, Firefox, Safari, Internet Explorer 8 (or later), and Opera.

Using the 2-factor Authentication Prompt

The authentication prompt lets you choose how to verify your identity each time you log in.

Select which phone to use and then choose your authentication method.

If your administrator has enabled the Duo self-service portal you can also add, update, and remove authentication methods by clicking the _{Manage Devices} button.

Supported Devices

Click your device to learn more:

• iPhone & iPad

• Android Phones & Tablets • BlackBerry Phones & Tablets • Windows Phones & Tablets • Cell Phones & Landlines

Don't see your device listed above? While Duo don't officially support these platforms, you can try Duo’s legacy apps for Palm, Windows Mobile, and J2ME/Symbian phones.

Method Description

Duo Push Pushes a login request to your phone or tablet (if you have Duo Mobile installed and activated on your iPhone, Android, or BlackBerry device). Just review the request and tap _{Approve to log in.}

Phone call Authenticate via phone call back.

Passcode Log in using a passcode, either generated with Duo Mobile, sent via SMS, generated by your hardware token, or provided by an administrator.

How Do I Set It Up?

Enrollment Guide

Duo's self-enrollment process makes it easy to register your phone and

install the Duo Mobile application on your smartphone or tablet.

Duo prompts you to enroll when you log into a protected VPN, server, or web application.

Supported Browsers: Chrome, Firefox, Safari, Internet Explorer 8 or later, and Opera.

1. Welcome Screen

Click _{Start Setup to get started.}

2. Choose Your Authenticator

3. Type Your Phone Number

Select your country and type your phone number. Use the number of your smartphone, landline, or cell phone that you'll have with you when you're logging in. You can enter an extension if you chose "Landline" in the previous step.

Then double-check that you entered it correctly, check the box, and click _Continue.

4. Choose Platform

5. Install Duo Mobile

• It's fast & easy • Works in any country • Doesn't require cell service

Duo Mobile is an application that runs on your phone and helps you authenticate. Without it you'll still be able to log in using a phone call or text message, but Duo strongly

recommends that you use Duo Mobile to authenticate quickly and easily. Follow the platform-specific instructions on the screen to install Duo Mobile.

6. Activate Duo Mobile

Activating the application will link it to your account so you can use it for authentication. On iPhone, Android, Windows Phone, and BlackBerry 10, activate Duo Mobile by scanning the barcode with the app's built-in barcode scanner. Choose your platform for specific instructions:

The "Continue" button is clickable after you scan the barcode.

Can't scan the barcode? Click the link and then follow the instructions.

(Barcode is an example only.

Enrollment Complete!

Click _{Enroll another device to add another device (backup phone, etc.), or click Done to} continue to the authentication prompt.

If enabled by your administrator, you can manage your devices in the future via the authentication prompt. Otherwise, contact your administrator if you ever need to change your phone number, re-activate Duo Mobile, or add a second phone.

How Do I Set It Up?

Duo Mobile on iPhone

The Duo Mobile application makes it easy to authenticate — just tap

“Approve” on the login request sent to your iPhone. You can also quickly

generate login passcodes, even without an Internet connection or cell

service.

Supported Platforms: The current version of Duo Mobile supports iOS 6.0 and greater.

Older releases of iOS can install Duo Mobile v3.1.0 from the App Store. To see which version of Duo Mobile is installed on your device, go to the

iOS _{Settings menu, then scroll down and tap Duo Mobile. The "System Info" section} shows the app version.

Duo Push

Duo Push is the easiest and quickest way of authenticating. You'll get a login request sent to your phone — just press _{Approve to authenticate.}

If you get a login request that you weren't expecting, press _{Deny to reject the request. You’ll} be given the ability to report it as fraudulent, or you can tap _{It was a mistake to deny the} request without reporting it.

Passcodes

Just tap the key button to generate a passcode. This works anywhere, even in places where you don't have an Internet connection or can't get cell service.

Adding Accounts to Duo Mobile

During the setup process you'll see a barcode to scan (it looks like this).

Tap "Add Account" (or the plus button in the upper right). Scan the barcode to add the account to Duo Mobile.

Removing Accounts

Delete an account by tapping the _{Edit button in the upper left. Then tap the delete icon, tap} "Delete", and confirm the deletion.

Pull to Refresh

Check for authentication requests by pulling the account list down. Duo Mobile automatically checks for authentication requests, but if you think you have missed a request, then tap the list of accounts and pull down to refresh.

Apple Watch

See our Apple Watch guide.

Apple Watch and Duo Mobile

Duo now supports login request approval and passcode generation from an

Apple Watch.

Apple Watch support requires Duo Mobile 3.8 or later. To see which version of Duo Mobile is installed on your device, go to the iOS Settings menu, then scroll down and tap Duo Mobile. The "System Info" section shows the app version.

Duo Push

When you receive a push notification, you'll also see the notification on your paired Apple Watch if your phone is locked. Apple Watch’s Taptic Engine is a linear actuator inside the

(Barcode is an example only.

device that produces haptic feedback, meaning it literally taps you on the wrist whenever you receive an alert or notification. That means you’ll also feel a tap whenever a login request is sent via Duo Mobile, letting you quickly log in or deny the request.

You can approve the login or deny the login request without ever touching your phone.

You'll only see the Duo request on your watch when your phone is locked. Notifications won't go to your Apple Watch when your phone is unlocked.

Passcodes

You can also generate passcodes from the Duo Apple Watch app. Simply launch the app from the watch and tap an account to generate a passcode for that account.

Duo Mobile on Android

The Duo Mobile application makes it easy to authenticate — just tap

“Approve” on the login request sent to your Android device. You can also

quickly generate login passcodes, even without an Internet connection or

cell service.

Supported Platforms: The current version of Duo Mobile supports Android 2.3.3 and

greater.

To see which version of Duo Mobile is installed on your device, go to the

Android _{Settings menu, tap Apps, then scroll down and tap Duo Mobile. The "App Info"} screen shows the version.

Duo Push

Duo Push is the easiest and quickest way of authenticating. You'll get a login request sent to your phone — just press _{Approve to authenticate.}

If you are running Android 4.1 or later, you can approve the request right from the notification.

If you get a login request that you weren't expecting, press _{Deny to reject the request. You’ll} be given the ability to report it as fraudulent, or you can tap _{It was a mistake to deny the} request without reporting it.

Passcodes

Just tap the key icon to get a one-time passcode for login. This works anywhere, even in places where you don't have an Internet connection or can't get cell service.

Adding Accounts to Duo Mobile

During the setup process you'll see a barcode to scan (it looks like this). Tap "Add Account" (or the plus button in the upper right). Scan the barcode to add the account to Duo Mobile.

If you ever need to re-add your account to Duo Mobile, contact your administrator.

Third-Party Accounts

Duo Mobile supports third-party TOTP accounts, like Google and Dropbox. _{Learn more »}

Removing Accounts

Delete an account by long-pressing on an account. Then tap "Remove account" and confirm the deletion.

(Barcode is an example only.

Pull to Refresh

Check for authentication requests by pulling the account list down. Duo Mobile automatically checks for authentication requests, but if you think you have missed a request, then tap the list of accounts and pull down to refresh.

Duo Mobile on BlackBerry

The Duo Mobile application makes it easy to authenticate — just tap

“Approve” on the notification sent to your BlackBerry. You can also quickly

generate login passcodes, even without an Internet connection or cell

service.

Supported Platforms: The current version of Duo Mobile supports BlackBerry 10 and

BBOS 4.5.0 and greater.

Activating Duo Mobile

Duo Mobile has to be activated to link it to your account. During the setup process you'll get a text message with a link in it. Just tap the link to activate the application.

Some BlackBerry models may require you to restart your phone before the activation link will work. If the link appears as plain text and can't be tapped, reboot your phone and try again.

If you get a new phone and need to re-activate Duo Mobile, contact your administrator and have him or her send you a new activation link.

Note Duo Mobile for BlackBerry can currently only be activated for one account at a time.

Duo Push

Duo Push is the easiest and quickest way of authenticating. You'll get a login request sent to your phone — just press _{Approve to authenticate.}

If you get a login request that you weren't expecting, press _{Deny to reject the request. You’ll} be given the ability to report it as fraudulent, or you can tap _{It was a mistake to deny the} request without reporting it.

Passcodes

Just tap _{Generate Passcode to get a one-time passcode for login. This works anywhere,} even in places where you don't have an Internet connection or can't get cell service.

Duo Mobile on Palm

The Duo Mobile application makes it easy to quickly generate login

passcodes, even without an Internet connection or cell service.

Compatible Platforms: While we don't officially support Palm devices, you can use this app to

log in to Duo. Duo Mobile runs on WebOS 1.4.5 and greater.

Passcodes

Just tap _{Generate Passcode to get a one-time passcode for login. This works anywhere,} even in places where you don't have an Internet connection or can't get cell service.

Activating Duo Mobile

Duo Mobile has to be activated to link it to your account. During the setup process you'll get a text message with a link in it. Just tap the link to activate the application.

If you get a new phone and need to re-activate Duo Mobile, contact your administrator and have him or her send you a new activation link.

Note Duo Mobile for Palm can currently only be activated for one account at a time.

Duo Mobile on Windows Phone

The Duo Mobile application makes it easy to authenticate — just tap

“Approve” on the login request sent to your phone. You can also quickly

generate login passcodes, even without an Internet connection or cell

service.

Supported Platforms: The current version of Duo Mobile supports Windows Phone 7.5 and

greater.

Duo Push

Duo Push is the easiest and quickest way of authenticating. You'll get a login request sent to your phone — just press _{Approve to authenticate.}

If you get a login request that you weren't expecting, press _{Deny to reject the request. You’ll} be given the ability to report it as fraudulent, or you can tap _{It was a mistake to deny the} request without reporting it.

Passcodes

Just tap _{Generate Passcode to get a one-time passcode for login. This works anywhere, even} in places where you don't have an Internet connection or can't get cell service.

Activating Duo Mobile

Duo Mobile has to be activated to link it to your account. During the setup process you'll see a barcode to scan. Open Duo Mobile, tap "scan barcode," and then use the phone's camera to scan the barcode. This will add your account to Duo Mobile.

If you get an activation code in a text message from your administrator, tap and hold the text message to copy it to your clipboard. Then go to Duo Mobile, tap "Tap here", and then tap the paste button. Then tap "activate" to finish activation.

If you get a new phone and need to re-activate Duo Mobile, contact your administrator and have him or her send you a new activation link.

Note: Duo Mobile for Windows Phone 7 can currently only be activated for one account at a time.

Duo Mobile on Windows Mobile

The Duo Mobile application makes it easy to quickly generate login

passcodes, even without an Internet connection or cell service.

Compatible Platforms: While we don't officially support Windows Mobile 6.x, you can use

this app to log in to Duo. The current version of Duo Mobile Runs on Windows Mobile 6.5.3 and greater.

Choose _{Generate to get a one-time passcode for login. This works anywhere, even in} places where you don't have an Internet connection or can't get cell service.

Activating Duo Mobile

Duo Mobile has to be activated to link it to your account. During the setup process you'll get an activation code — enter the activation code to activate the app. Don't worry, you'll only have to do this once.

If you get a new phone and need to re-activate Duo Mobile, contact your administrator and have him or her send you a new activation link.

Duo on J2ME and Symbian Phones

Duo's application for J2ME and Symbian phones is called "Duo Token" and

makes it easy to quickly generate login passcodes, even without an

Internet connection or cell service.

While we don't officially support J2ME or Symbian devices, you can use this app to log in to Duo.

Passcodes

Choose _{Generate from the menu to get a one-time passcode for login. This works anywhere,} even in places where you don't have an Internet connection or can't get cell service.

Activating Duo Mobile

Duo Mobile has to be activated to link it to your account. During the setup process you'll get an activation code — enter the activation code to activate the app. You will only have to do this once.

If you get a new phone and need to re-activate Duo Mobile, contact your administrator and have him or her send you a new activation link.

Using Duo With Any Cell Phone or

Landline

Duo works with all cell phones and landlines by supporting authentication

via phone call and SMS passcodes.

Phone Call

Choose "Phone call" from the authentication prompt (or type "phone" in the "second password" field) and Duo will call your phone. Just answer the call and listen to the instructions to

authenticate.

SMS Passcodes

Duo can text you passcodes via SMS. If you need a new batch of passcodes choose "Send SMS passcodes" (or type "sms" in the "second password" field).

You can have new passcodes sent to you at any time. A new batch of passcodes will invalidate all old passcodes, so it's probably best to delete the old message when a new one comes in.

Device management allows you to easily edit and add new devices.

Authentication

If enabled by your administrator, the authentication prompt will display a "Manage Devices" button. To manage your devices, select a device to use, choose an authentication method, and complete second factor authentication. You can't get in to the device management portal if you do not have access to any enrolled devices; you'll need to contact your Duo administrator for help.

Device Management Portal

After authenticating you'll see the device management portal. This is where you can edit your existing devices or add a new one.

Enroll Another Device

Clicking _{Enroll another device will walk you through a few steps to get Duo Mobile installed} and activate your new device.

Activate Duo Mobile

Clicking _{Activate Duo Mobile in the actions dropdown helps you get an existing device setup to} complete secondary authentication.

After answering some questions about your device, you will receive a new QR code to scan which will complete the activation process.

Change Device Name

Clicking _{Change Device Name will open up an interface to change the display name of} your phone.

After successfully modifying your phone's name, not only will you see this from now on when managing devices, but it will also be how your phone is identified in the authentication dropdown.

(Barcode is an example only.

Remove Device

The device manager also lets you remove your devices. If you are unable to delete a device, contact your administrator to have it removed.

Note: You may not remove your last device. If you wish to remove it, first add another, then

delete the original.

Hardware tokens are also listed in the device manager and can be removed as well.

Set default device

If you authenticate with more than one device, you can specify which you would like to be the default. In the list of actions, simply click _{Set as Default and that device will be moved to the top} of the list making it your default device for authentication.

Common Issues

Contact your DUO/helpdesk administrator if you have an issue that isn't listed here.

• I need to reactivate Duo Mobile.

• I have stopped receiving push notifications on Duo Mobile. • I lost my phone.

• I am running iOS 4.3 (or lower) and I am not able to install Duo Mobile 3.1.0 from the App

Store on my iPhone.

I need to reactivate Duo Mobile

If you get a new phone you'll need to re-activate Duo Mobile. You may enroll your new device yourself using Duo's device management portal if self-service is enabled. Otherwise, ask your administrator to send you a new activation link.

Choose your platform on the left for specific activation instructions.

I have stopped receiving push notifications on Duo Mobile.

You may have trouble receiving push requests if there are network issues between your phone and our service. Many phones have trouble determining whether to use the WiFi or cellular data channel when checking for push requests, and simply turning the phone to airplane mode and back to normal operating mode again often resolves these sort of issues, if there is a reliable internet connection available. Similarly, the issue may be resolved by turning off the WiFi connection on your device and using the cellular data connection.

Check the time and date on your phone and make sure they are correct. If the date and time on your phone are manually set, try changing your device's configuration to sync date and time automatically with the network.

If neither of these suggestions work, then the simplest resolution is to contact your administrator to request re-activation of Duo Mobile. If your administrator has enabled Duo's device

management portal, you can log in with a passcode generated by the Duo Mobile app and send a new activation link to your phone. See the Manage Devices guide for instructions.

Choose your platform on the left for specific activation instructions.

I lost my phone.

Contact your administrator immediately if you lose your phone or suspect that it's been stolen. He or she will disable it for authentication and help you log in using another phone or hardware token.

While it's important that you contact your administrator if you lose your phone, remember that your password will still protect your account.

I am running iOS 4.3 (or lower) and I am not able to install

Duo Mobile 3.1.0 from the App Store on my iPhone.

The minimum supported operating system version for Duo Mobile 3.1.0 and above is iOS 6.0. Users installing Duo Mobile for the first time with devices running pre-iOS 6.0 need to download Duo Mobile from the App Store using the iTunes application on a Mac or PC computer. You must be signed in with the same iTunes account you plan to use with your phone.

When the download is complete, open the App Store on your pre-iOS 6.0 device, and install Duo Mobile. You will be prompted with an alert informing you will receive the latest compatible version of Duo Mobile (v3.0.2).

Contact your administrator if further assistance is required.

Other issues

Please contact your system administrator if you have an issue that isn't listed here.

Appendix:

Shibboleth SSO enabled Services

AlcoholEdu ALEKS

ALEKS with invalid class code BlackBaud

Blackboard Web Box

Cambridge Journals Online

CampusLabs (Student Voice LLC ) Canelink

CITI

CMS (Cascade)

Collaboration Wiki Spaces at Internet2 Collegenet

CoursEval

Courseware Stanford Daptiv

DMP Tool (Univ of California - Office of the President) ECRT Prod EduCause Gartner GoAbroad Google Apps GradesFirst Handshake HathiTrust HBO 2 GO/CampusNow Hodes IQ Hyland (Shib) ILABS IMLeagues

InCommon Federation Manager Internet2

Kaltura Kivuto Kronos Kuali

Laureate/SalesForce (in progress) Laureate Blackboard

LeepFrog

Library Subject Plus Lynda.com

Maxient

MSIT Federation Service (Microsoft) myUM

OBIEE

OIM (caneid self-help) Orbis Org Sync Panopto Parking Proquest LLC Qualtrics

REDCap REDCap UDavis SalesForce.com CRM Service Now Shibboleth Wiki Skillport SSERCA Sympa Tapingo

Thomson Reuters IP and Science Tidemark Ulearn / Cornerstone UNIDays UnitedWay Uride Workday