Duo two-factor authentication

Duo two-factor authentication (2FA) provides an additional layer of security when you log in to many University services.

First factor: entering your password - proof that you know the right credentials.
Second factor: is a device you have with you - usually the Duo Mobile app running on your phone which then receives a confirmation prompt or code - proof that you possess something.

This ensures that even if someone has your password, they still won't have enough information to access your account.

Key features

We recommend using the free Duo Mobile app (available on the Apple App Store and Google Play), as it's the simplest way to use Duo.
The Duo Mobile app can still be used if your phone has no signal.
Duo will work in most countries outside of the UK.
Other authentication options are available if your phone doesn’t support the Duo Mobile app.

Access instructions

Use the Duo SelfService Console to:

Add and manage your Duo devices yourself.
Restore access to your account when you change your phone.

After you’ve added at least one device, you can use Duo to log in to University services.

Open the Duo SelfService Console

Log in with your York username and password. Duo two-factor authentication is required.
There are some limitations to using this service in sanctioned countries.

Related tools

Available to staff and students

You can use this service on University-managed and personal devices. These devices must have a supported version of Android or iOS.

App and web-based

This service works in your web browser. The Duo Mobile app is compatible with iOS/iPadOS and Android devices.

Funded by the University

There isn't a cost to you for standard use.

Additional information

Other authentication options

Authentication without the mobile app

You can use Duo without needing to install the Duo Mobile app, our preference is you contact us for a Security Key.

Security keys

If you're unable to use your personal mobile device for Duo, we can provide a Duo token. This is a small, physical hardware device that generates one-time passcodes for two-factor authentication challenge.

In some scenarios, we may provide a YubiKey token instead if you need to use multiple different two-factor challenges.

Hardware tokens and security keys

Text message passcodes

Register your mobile phone number and you can receive passcodes via text message instead.

The University will never charge for using the text message passcodes option but your mobile provider's standard charges will apply - for example, if you are roaming and receiving text messages you may attract a charge.

If you have an Android phone and are unable to download the Duo Mobile app on the Google Play Store, you will need to use text message passcodes instead.

Duo versus Google

At York, we use two types of two-factor authentication: Duo and Google. Duo authentication protects several key University services, however, it isn't used to log into your University Google account – this is so that your Google access doesn't depend on campus infrastructure. This means you'll be able to access Google services, such as Gmail, even if campus services are completely down. To protect your Google account, set up Google two-factor authentication.

Privacy

To use the Duo Mobile app you do not need to provide a phone number.
To use the text message passcode option you do not have to install the Duo Mobile app onto your phone.
When using the text message passcode option no information is transmitted from your phone to Duo.
When using the Duo Mobile app, no information other than your phone number (if provided), phone model, phone operating system version and Duo Mobile software version is transmitted by the app.

See Duo Mobile privacy information for further details.

Access instructions

Use the Duo SelfService Console to:

Add and manage your Duo devices yourself.
Restore access to your account when you change your phone.

After you’ve added at least one device, you can use Duo to log in to University services.

Open the Duo SelfService Console

Log in with your York username and password. Duo two-factor authentication is required.
There are some limitations to using this service in sanctioned countries.

Related tools

Guides and help

How-to guides and set up

Frequently asked questions

Accessibility

View accessibility reports from Duo (duo.com)

If you have accessibility requirements which make using the Duo Mobile app difficult, please see the other authentication options that are available, or contact IT Services to discuss your options.

Contact for support

If you're experiencing technical issues and need advice, please contact IT Services.

Service commitments

Your responsibilities and policies

We expect you to:

Register for the Duo 2FA service.
Carry or have access to your registered second factor device (eg your mobile or key token) at all times when you may need to log in to a protected system.
Maintain the security of the service by not allowing anyone else to authenticate using their second factor device.
Contact IT Services promptly if your second factor device is lost or stolen.

The following policies apply to all IT services provided by the University.

Service performance

Availability

This is a live service, available 24/7.
Check the status of this service and any planned maintenance.

Support

This service is managed by IT Services, in collaboration with a third party (Duo).
We are responsible for monitoring, identifying and fixing faults. We will liaise with Duo where necessary.
Support is available during our opening hours.

Standards

Our service performance and standards have been produced in consultation with our customers. We regularly monitor the delivery, performance and availability of facilities and services.

Feedback and complaints

We appreciate feedback as it helps us review and continually improve our service.

Page last reviewed: 9 September 2024