Accessibility statement

Duo two-factor authentication

Related pages

Two-factor authentication (2FA) provides an additional layer of security when you log on to IT systems from any device (eg laptop, desktop, phone, tablet). It's commonly used for online services like banking.

  • First factor: entering your password - proof that you know the right credentials
  • Second factor: normally using a mobile app (but see further information below) - proof that you possess something

This ensures that even if someone has your password, they still won't have enough information to access your account.

Overview

Eligibility

All staff and students can register for Duo two-factor authentication.

Students can only use the Duo Mobile app or SMS to authenticate.

Staff may request a hard token where appropriate.

How to register

You can register your mobile phone or tablet with the Duo SelfService Console yourself:

As part of the registration process you will be prompted to install the free Duo Mobile app. This is the simplest way to use Duo:

If you're a member of staff who doesn't want to use your mobile device for Duo 2FA, or if you have accessibility requirements which make using the mobile app difficult, please contact the Library & IT Help Desk to discuss other options.

Using the Duo Mobile app

  1. Log in to the system that you wish to use with your username and password
  2. Tap to accept the confirmation that is sent to your mobile phone or tablet

The following video demonstrates using the Duo Mobile app to log in:

https://www.youtube.com/watch?v=JN0Hj0pKZ7U

See the Help & troubleshooting tab for further guidance on using the Duo Mobile app.

Other methods

Where the Duo Mobile app isn't appropriate, there are other options available:

  • SMS (available to staff and students)
  • Hard token (staff only)

See the Other authentication options tab for more information on using these methods or contact the Library & IT Help Desk to discuss them further.

Other authentication options

SMS

This option is available to staff and students.

You can use a mobile device without having to install an app. To receive codes by SMS text message:

  1. Log in to the Duo SelfService Console
  2. Follow the onscreen prompt to add a new device
  3. When asked for the type of device select Mobile phone 
  4. Enter your phone number, and then when asked for the type of mobile phone select Other

Once registered you will be sent passcodes via SMS that can be typed into the system login screen during authentication.

You'll be sent a list of passcodes via SMS so you can receive these when in a signal area but still use them when in a bad signal area (or in aeroplane mode). Each code can only be used once. You should try and use each in order.

When authenticating to a secured web service, click in the passcode box on the Duo authentication screen and you'll see a hint about which code to use next. When you've used them all, or if you aren't sure which is next, select Text me new codes to get a new list.

This short video shows how to authenticate with SMS.

Hard token

This option is only available to staff.

If you are unable to use your work or personal mobile device to authenticate to protected systems, you can request a hard token. This small keyring displays a number on the LCD display (see instructions below) which is typed into the passcode box during login. To request a hard token, please email itsupport@york.ac.uk and a token will be available for you to collect within one working day.

To authenticate using a hardware token:

  • click the Enter a Passcode button
  • press the button on your hard token to generate a new passcode
  • type the passcode into the box and click Log In.

Tokens can get out of sync if the button is pressed too many times in a row and the generated passcodes aren't used for login. Contact the Library & IT Help Desk if you suspect that has happened.

This short video shows hard tokens being used.

Help & troubleshooting FAQ

Library & IT Help Desk

Please check the FAQs below if you have any questions about using the Duo 2FA service. If you need further help, get in touch with the Library & IT Help Desk.

Where can I find further guidance on using the Duo Mobile app?

Are other mobile operating systems supported?

No, only iOS (iPhone and iPad), watchOS (for Apple Watch) and Android.

What are the minimum OS versions supported for the mobile app?

The Duo app only works on modern versions of Android and Apple; please check their website for the latest information on supported systems. If you have an older version, please contact the Library & IT Help Desk to discuss using one of the other authentication methods.

Is there any charge for downloading and using the app?

The Duo service and app are free and will always remain so.

Is there any charge for using the SMS option?

The University will never charge for using the SMS option but your mobile provider's standard charges will apply - for example, if you are roaming and receiving SMS messages attracts a charge.

What if I am unable to use the authentication methods available to me?

Please contact the Library & IT Help Desk and we will find a method that suits you. You will not be locked out of systems because you are unable to use the primary Duo methods.

What should I do if I change my mobile phone?

If you still have your original phone, you can use the Duo SelfService Console and add an additional device. If you have already changed your mobile then please contact the Library & IT Help Desk.

What should I do if I lose my mobile phone?

Please contact the Library & IT Help Desk as soon as possible.

How can I test my phone or hardware token?

Log onto the Duo SelfService Console.

You will need to authenticate with both your university username and password as well as authenticate with Duo. This is also the place to edit your Duo settings such as adding a second device.

There is a Pulse Secure client available from the windows App store. Can I use that?

No, the Pulse Secure app with a logo that has a grey background is a legacy client that isn’t capable of connecting to the University’s VPN. Only the client that you download from the University’s website will work. If you are unsure which Windows client you are using we suggest uninstalling all versions from your Windows machine and installing the version you can download from our website.

How do I use Duo when abroad or in an area where I can’t get any data or phone signal?

You can use both the hardware token and the Duo Mobile app without requiring either data (wifi/4G) or mobile phone signal.

The hardware token doesn’t ever use any kind of signal to work. It calculates the temporary code when you press the button and you type the code into the login page of the system you are accessing.

The Duo Mobile app, once enrolled and in use, has the ability to generate temporary codes without wifi/4G/SMS signals. The mobile device can be in aeroplane mode and still generate the code which you type into the system you are accessing during login. This will only work once the app is set up and working so you will need to enrol and test before leaving.

Is the University considering the use of other devices to use as the second factor?

Yes, we are constantly trying to improve the service in many ways and expanding the options beyond duo mobile app, SMS and hardware token.

The service is potentially used by every member of staff and student at York and so it is crucial that we only introduce features and options that are compatible for everyone. We appreciate any feedback on this topic via the IT helpdesk.

Can I register and use more than one device?

Yes, you can enrol multiple devices against your Duo user. For example, you could register both a mobile phone and a tablet to give you the flexibility and security that you’ll always be connected.

You can enrol new mobile devices by going to the Duo SelfService Console. Once you have authenticated, the screen has the option to add a new device. If you have multiple devices registered you’ll be asked to select which one you want to send push notifications and SMS messages to.

Why can’t I find the Duo Mobile app on the app store?

Only those apps that are compatible with your device are shown. For example if you are running an Android device with OS version 6.1 or below then the app won’t show because it isn’t compatible with this out-of-date OS version.

If you find your mobile phone can’t run the app for any reason, you can use the SMS option. If that isn’t an option please contact the IT Helpdesk for advice.

How do I register my laptop with Duo; the only options are tablet or mobile phone?

The device that you use to authenticate with the Duo system is not necessarily the device you are using to access the system. So you might be on a desktop PC logging onto a protected website. You would authenticate using your mobile phone. It might be that coincidentally you log onto a system using the mobile device you have registered for Duo. However, you only need to register one mobile device but can log onto systems on any computer.

The only devices that you use for authentication are:

  • Compatible Android and Apple mobile devices (phones and tablets)
  • Any mobile phone that can receive SMS

We are looking into other devices for authentication but this doesn’t include laptops at this time.

How do I register the App without giving my phone number, or when my device doesn’t connect to the mobile phone network?

You can register any compatible Android or Apple mobile device that has the Duo Mobile app installed. This includes devices that don’t have a phone number. You can register mobile phones in this way too if you would prefer not to provide a phone number.

Once logged into the Duo SelfService Console click “add a new device” and select the “tablet” option.

How do I use the codes from SMS or bypass codes?

You can get temporary codes from SMS messages, bypass codes provided by the IT helpdesk, the Duo Mobile app and the hardware token. All these codes are entered into the box labelled “passcode”.

For systems with a simple text box, such as the virtual desktop service, you enter the code directly.

I’ve lost my SMS with Duo codes; how do I get a new one?

When you access a system such as the VPN with the Duo console you can click on “Enter a Passcode” and a blue bar opens at the bottom with the option to “Text me new codes”. Within 30 seconds you should receive one new SMS.

Can I set Duo to automatically send a push notification when I log into protected systems?

Yes. When you log into the Duo SelfService Console you can select a default device and select the option in the pull down “When I log in” so that it automatically sends the device a Duo Push. You will still be able to use other options, this just removes the need to click “Send me a push” when you are logging onto a web resource that has the duo console (such as the VPN). There isn’t an automatic push capability when logging onto protected systems that have a simple interface such as the virtual desktop system. Here you type the word push in order to use that feature.

Our commitments

Service status Live and supported service.
Hours of service 24/7
Service support For help and support with this service, contact the Library & IT Help Desk.
Hours of support Help from the Library & IT Help Desk is available 9am to 5pm, Monday to Friday.
Target availability

General IT Services targets:

Our performance

Our service standards have been produced in consultation with our customers, and monitor the quality, timeliness and access to facilities and services:

Complaints procedure

If you wish to give us general feedback on this service, please see our Feedback page for ways to get in touch.

If you wish to make a complaint, please see our complaints procedure.

Your responsibilities

We expect you:

  • to register for the Duo 2FA service
  • carry or have access to your registered second factor device (eg your mobile or key token) at all times when you may need to log onto a protected system
  • maintain the security of the service by not allowing anyone else to authenticate using their second factor device
  • contact the Library & IT Help Desk promptly if you lose your second factor device.

Privacy

Please note:

  • to use the Duo Mobile app you do not need to provide a phone number
  • to use the SMS option you do not have to install the Duo Mobile app onto your phone
  • when using the SMS option no information is transmitted from your phone to Duo
  • when using the Duo Mobile app option no information other than your phone number (if provided), phone model, phone operating system version and Duo Mobile software version is transmitted by the app.

See the Duo Mobile Privacy Information for further details.