Multi-factor authentication user guide
Duke users can register a phone or tablet with Duo Security to use as a second step when logging into a Duke website or system. Visit the multi-factor authentication home page to view what devices you currently have registered. Duke's IT Security Office recommends that you register more than one device.
Frequently asked questions:
Multi-factor authentication, also referred to as advanced or two-factor authentication, provides an additional layer of security when logging in or performing transactions online.
When logging in, a user is required to enter a password and also authenticate using a second factor, typically a phone or hardware token.
The IT Security Office strongly recommends multi-factor authentication for access to critical systems or systems storing sensitive data per the ITSO Security Standards.
You can authenticate using a pass code instead of using Duo Push or a phone call. There are many ways to obtain pass codes.
- Pass codes via SMS: You can receive a one-time-use pass code via text message. This code will expire after five minutes.
- Pass codes via Duo Mobile app: If you have the Duo Mobile app installed, you can receive a single pass code by tapping the "key" icon next to "Duke University" in the mobile app. This pass code must be used immediately. This is a good option if you do not have a good wireless or WiFi signal on your phone.
- Temporary pass codes (generated online): If you do not have your device(s) with you, you can obtain a batch of temporary pass codes. To get them, log in to the multi-factor home page using just your password (skipping advanced verification) and then verify yourself using challenge-response. Each of these pass codes can be used once, but all will expire after 72 hours. Visit the multi-factor authentication home page to get temporary pass codes.
- YubiKey (for advanced users): YubiKey® is a hardware token you can use to perform multi-factor authentication for sites or systems instead of using your phone's capabilities. To obtain a YubiKey®, visit the Duke Software Licensing site and search for "YubiKey". Once you have a YubiKey®, click here to learn how to register it. Once you have it registered, simply touch the gold disk on it while it is plugged into your USB port to have it generate a pass code.
If you do not have your device(s) with you, you can obtain a batch of temporary pass codes. To get them, log in to the multi-factor home page using just your password (skipping advanced verification) and then verify yourself using challenge-response. Each of these pass codes can be used once, but all will expire after 72 hours. Visit the multi-factor authentication home page to get temporary pass codes.
Important: If you lost your device, you should immediately contact the OIT Service Desk to ensure that somebody else does not authenticate as you with your device.
The Duo Mobile app has an "Instant Restore" feature that can be used if you have a new device. This is an option if you have your Duo Mobile data backed up to iCloud (for iOS devices) or Google Drive (for Android devices). In order to restore using this method:
- For iOS devices, you must have your old device backed up to iCloud with iCloud Keychain enabled. Encrypted iTunes or Finder backups will also work.
- For Android devices, you must have Duo Restore enabled in the settings of the Duo Mobile app on your old device. Your old device will also be needed to restore to a new device.
If you meet the conditions above to restore using this method, you may follow the instructions on the Duo site for iOS devices or Android devices.
If you are unable to restore using this method, then follow the instructions below instead:
Step 1: Log in to the registration page.
Step 2: Select your device in the "Manage Devices" section.
Step 3: Verify the info and check the "Generate a new QR code to activate your Duo Mobile app" box, then click "Continue".
Step 4: Follow the instructions to activate Duo Mobile on your new device.
Step 1: Obtain a list of temporary pass codes. You will have to answer two challenge-response questions to obtain the pass codes.
Step 2: Log in to the registration page. Enter one of the temporary pass codes in the pass code field.
Step 3: Select your device in the "Manage Devices" section.
Step 4: Update the info and check the "Generate a new QR code to activate your Duo Mobile app" box, then click "Continue".
Step 5: Follow the instructions to activate Duo Mobile on your new device.
If your phone number has not changed, no action is needed. Otherwise, perform the following steps:
Step 1: Obtain a list of temporary pass codes. You will have to answer two challenge-response questions to obtain the pass codes.
Step 2: Log in to the registration page. Enter one of the temporary pass codes in the pass code field.
Step 3: Select your device in the "Manage Devices" section.
Step 4: Update your phone number and click "Continue" to complete your update.
Step 1: Obtain a list of temporary pass codes. You will have to answer two challenge-response questions to obtain the pass codes.
Step 2: Log in to the registration page. Enter one of the temporary pass codes in the pass code field.
Step 3: Select your device in the "Manage Devices" section.
Step 4: Verify the info and check the "Generate a new QR code to activate your Duo Mobile app" box, then click "Continue".
Step 5: Follow the instructions to activate Duo Mobile on your new device.
- Duo Push: If the Duo Mobile app is installed on your smartphone, you can receive a push notification and can either approve or deny the authentication attempt. If you deny it, you can indicate that it was fraudulent if you did not initiate the attempt.
- Phone call: You receive a phone call from Duo. The call will give instructions on approving or denying the authentication attempt.
- Pass codes via SMS: You can receive a one-time-use pass code via text message. This code will expire after five minutes.
- Pass codes via Duo Mobile app: If you have the Duo Mobile app installed, you can receive a single pass code by tapping the key next to "Duke University" in the mobile app. This pass code must be used immediately. This is a good option if you do not have a good wireless or WiFi signal on your phone.
- Temporary pass codes (generated online): If you do not have your device(s) with you, you can obtain a batch of temporary pass codes. To get them, log in to the multi-factor home page using just your password (skipping advanced verification) and then verify yourself using challenge-response. Each of these pass codes can be used once, but all will expire after 72 hours. Visit the multi-factor authentication home page to get temporary pass codes.
- Phone call: You receive a phone call from Duo. The call will give instructions on approving or denying the authentication attempt.
- Pass codes via SMS: You can receive a one-time-use pass code via text message. This code will expire after five minutes.
- Temporary pass codes (generated online): If you do not have your device(s) with you, you can obtain a batch of temporary pass codes. To get them, log in to the multi-factor home page using just your password (skipping advanced verification) and then verify yourself using challenge-response. Each of these pass codes can be used once, but all will expire after 72 hours. Visit the multi-factor authentication home page to get temporary pass codes.
- Phone call: You receive a phone call from Duo. The call will give instructions on approving or denying the authentication attempt.
- Temporary pass codes (generated online): If you do not have your device(s) with you, you can obtain a batch of temporary pass codes. To get them, log in to the multi-factor home page using just your password (skipping advanced verification) and then verify yourself using challenge-response. Each of these pass codes can be used once, but all will expire after 72 hours. Visit the multi-factor authentication home page to get temporary pass codes.
- Duo Push: If the Duo Mobile app is installed on your tablet, you can receive a push notification and can either approve or deny the authentication attempt. If you deny it, you can indicate that it was fraudulent if you did not initiate the attempt.
- Pass codes via Duo Mobile app: If you have the Duo Mobile app installed, you can receive a single pass code by tapping the key next to "Duke University" in the mobile app. This pass code must be used immediately.
- Temporary pass codes (generated online): If you do not have your device(s) with you, you can obtain a batch of temporary pass codes. To get them, log in to the multi-factor home page using just your password (skipping advanced verification) and then verify yourself using challenge-response. Each of these pass codes can be used once, but all will expire after 72 hours. Visit the multi-factor authentication home page to get temporary pass codes.
YubiKey® is a hardware token you can use to perform multi-factor authentication for sites or systems instead of using your phone's capabilities. To obtain a YubiKey®, visit the Duke Software Licensing site and search for "YubiKey". Once you have a YubiKey®, click here to learn how to register it. Once you have it registered, simply touch the gold disk on it while it is plugged into your USB port to have it generate a pass code.
Selecting the "Remember device for 72 hours" option will allow you to skip multi-factor authentication when you need to log in for the next 72 hours, as long as you are logging in from the same computer and browser. You will still be prompted to enter your NetID and password.
You have several choices for using multi-factor authentication while traveling. If possible, test these before your trip.
If you're already abroad and don't have any of your multi-factor authentication devices with you, click the "Forgot your device?" link on the Duke log-in page to obtain temporary pass codes. These expire after 72 hours, so be sure to use one of these pass codes to register a multi-factor device you can use abroad.
- If you have a smartphone/tablet (with or without Internet/cellular service): The Duo Mobile app can provide a six-digit pass code even if your phone/tablet doesn't have cellular, network or wi-fi service. Launch the Duo app and press the "key" icon when you need a pass code. (Register a smartphone/tablet - includes app download instructions).
- If you only have a basic cell phone: Register your phone (US or international number) at Duke's multi-factor preferences tool to get pass codes via SMS in almost every country around the world. Depending on your plan, you might incur roaming or SMS charges. (Register a basic cellphone)
- No cell phone or tablet? You have other choices:
  - Before your trip, visit the Duke Software Licensing site and search for "YubiKey" to buy and register a hardware token. The YubiKey works on any computer with a USB port.
  - Use the Obtain Temporary Pass Codes option using your secret challenge/response answers. Remember, these are only good for 72 hours.
AWI/Citrix
The log-in window for AWI/Citrix now requires a "Security Key" in addition to your NetID and password. Beneath the Log On button, you'll see the options for supplying the security key, including Duo and YubiKey, and calls and text messages to your phone.
Virtual private network access
The log-in window for the virtual private network (VPN) also requires a "Security Key" in addition to your NetID and password. The first time you log into the VPN after multi-factor authentication is required, all you will see is the standard log-in window with an extra field for "Security Key." After that, the log-in window will display the options for supplying the security key (including Duo and YubiKey, and calls and text messages to your phone) above the "Username" field.
[Screenshot: the VPN log-in window on Windows machines]
[Screenshot: the VPN log-in window on Mac machines]
Mac users, check to make sure you are using Cisco AnyConnect VPN client version 3.1.0587 or higher; contact the Duke Medicine Service Desk for help in determining what version of the client is on your machine, and for upgrading your client if necessary.
NetID login page
You will be prompted to log in with your NetID, password and new second factor.
The pass code text box will accept any type of code, including a temporary code or one received via SMS, generated via the Duo Mobile app or generated by a YubiKey®.
For advanced users
SSH
When authenticating to a system using SSH, if you are required to use Duo, then you will see a Duo prompt after entering your password. The Duo prompt will allow you to choose how you want to perform the verification. You can also enter any of the pass code options.
When using SCP to transfer a file, it is not possible to receive a Duo prompt, so your options for verification are limited to Duo Push and a phone call. If you have multiple devices registered, the notification is sent to the first device that you have registered. If that device is a smartphone or tablet, Duo Push is used; otherwise, you receive a phone call.
Windows RDP
When authenticating to a Windows system, you will see an option to specify a Duo pass code. Once again, this can accept any type of pass code including a YubiKey®. However, you can also enter the following words:
- "push" to receive a Duo Push notification (or "push2" or "push3" to use the second or third device in your list). This assumes you have a smart phone or tablet with the Duo Mobile app installed.
- "phone" to perform verification via a phone call (or "phone2" or "phone3" to use the second or third phone in your list).
- "sms" to receive a single SMS pass code; once you receive it, you can use it to authenticate.
VPN
When using VPN, you will see a field where you can specify a second password. This field can accept any type of pass code including a YubiKey®. However, you can also enter the following words:
- "push" to receive a Duo Push notification (or "push2" or "push3" to use the second or third device in your list). This assumes you have a smart phone or tablet with the Duo Mobile app installed.
- "phone" to perform verification via a phone call (or "phone2" or "phone3" to use the second or third phone in your list).
- "sms" to receive a single SMS pass code; once you receive it, you can use it to authenticate.
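The Windows RDP and VPN sections above describe one input field that carries either a keyword ("push", "phone", "sms") or a pass code. The sketch below is an added example, not Duke's or Duo's code: it shows how a service could interpret that field and log the chosen method without ever logging the pass code. The names `parse_second_factor` and `SecondFactor` are hypothetical, and treating any other non-empty value as a pass code is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# The page documents the bare words "push"/"phone" and the suffixes 2 and 3.
# Accepting other single digits (1-9) is an assumption of this sketch.
_DEVICE_KEYWORD = re.compile(r"(push|phone)([1-9])?")


@dataclass(frozen=True)
class SecondFactor:
    method: str                      # "push", "phone", "sms" or "passcode"
    device_index: Optional[int]      # 1-based position in the device list
    # repr=False keeps the pass code out of tracebacks and debug output.
    secret: Optional[str] = field(default=None, repr=False)

    def log_safe(self) -> str:
        """Return a description that is safe to write to an auth log."""
        if self.method == "passcode":
            return f"passcode(len={len(self.secret)})"
        if self.device_index is None:
            return self.method
        return f"{self.method}(device={self.device_index})"


def parse_second_factor(value: str) -> SecondFactor:
    """Classify the text typed into the pass code / second password field."""
    value = value.strip()
    if not value:
        raise ValueError("empty second factor")
    if value == "sms":
        return SecondFactor("sms", None)
    match = _DEVICE_KEYWORD.fullmatch(value)
    if match:
        # A bare "push" or "phone" means the first registered device.
        return SecondFactor(match.group(1), int(match.group(2) or 1))
    # Assumption: anything else is a pass code (SMS, app, temporary, YubiKey).
    return SecondFactor("passcode", None, secret=value)


# Constructed sample inputs, not real pass codes.
SAMPLES = ["push", "push2", "phone3", "sms", "123456"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_second_factor(sample).log_safe())
```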
Support
If you need further assistance, contact your local IT support group/person.
You can also contact your appropriate Service Desk:
University Users: OIT Service Desk - 919 684 2200
Duke Medicine Users: DHTS Service Desk - 919 684 2243