Duo two-factor authentication
Duo two-factor authentication (2FA) provides an additional layer of security when you log in to many University services.
- First factor: entering your password - proof that you know the right credentials.
- Second factor: is a device you have with you - usually the Duo Mobile app running on your phone which then receives a confirmation prompt or code - proof that you possess something.
This ensures that even if someone has your password, they still won't have enough information to access your account.
Key features
- We recommend using the free Duo Mobile app (available on the Apple App Store and Google Play), as it's the simplest way to use Duo.
- The Duo Mobile app can still be used if your phone has no signal.
- Duo will work in most countries outside of the UK.
- Other authentication options are available if your phone doesn’t support the Duo Mobile app.
Access instructions
Use the Duo SelfService Console to:
- Add and manage your Duo devices yourself.
- Restore access to your account when you change your phone.
After you’ve added at least one device, you can use Duo to log in to University services.
Open the Duo SelfService Console
- Log in with your York username and password. Duo two-factor authentication is required.
- There are some limitations to using this service in sanctioned countries.
Available to staff and students
You can use this service on University-managed and personal devices.
App and web-based
This service works in your web browser. The Duo Mobile app is compatible with iOS/iPadOS and Android devices.
Additional information
Authentication without the mobile app
You can use Duo without needing to install the Duo Mobile app.
Text message passcodes
Register your mobile phone number and you can receive passcodes via text message instead.
The University will never charge for using the text message passcodes option but your mobile provider's standard charges will apply - for example, if you are roaming and receiving text messages you may attract a charge.
If you have an Android phone and are unable to download the Duo Mobile app on the Google Play Store, you will need to use text message passcodes instead.
YubiKey security key
If you're unable to use your work or personal mobile device for Duo, you can request a YubiKey security key.
This is a small USB device that you connect to your computer. You tap the gold contact during the login process to authenticate. These security keys also work with Google two-factor authentication.
Duo versus Google
At York, we use two types of two-factor authentication: Duo and Google. Duo authentication protects several key University services, however, it isn't used to log into your University Google account – this is so that your Google access doesn't depend on campus infrastructure. This means you'll be able to access Google services, such as Gmail, even if campus services are completely down. To protect your Google account, set up Google two-factor authentication.
- To use the Duo Mobile app you do not need to provide a phone number.
- To use the text message passcode option you do not have to install the Duo Mobile app onto your phone.
- When using the text message passcode option no information is transmitted from your phone to Duo.
- When using the Duo Mobile app, no information other than your phone number (if provided), phone model, phone operating system version and Duo Mobile software version is transmitted by the app.
See Duo Mobile privacy information for further details.
Access instructions
Use the Duo SelfService Console to:
- Add and manage your Duo devices yourself.
- Restore access to your account when you change your phone.
After you’ve added at least one device, you can use Duo to log in to University services.
Open the Duo SelfService Console
- Log in with your York username and password. Duo two-factor authentication is required.
- There are some limitations to using this service in sanctioned countries.
Guides and help
How-to guides and set up
- Add and manage devices
- Logging in to University services
- Back up and restore Duo
- When you change your phone
- Troubleshooting login issues
Frequently asked questions
- Why does the University need 2FA?
- When and how do I use Duo?
- What if my device is lost or stolen?
- Can I install Duo on my computer?
- Why have I received an email/notification about a new device?
- Can I use Duo outside of the UK?
- Can I use Duo with no signal?
- Hardware tokens and security keys
Accessibility
- View accessibility reports from Duo (duo.com)
If you have accessibility requirements which make using the Duo Mobile app difficult, please see the other authentication options that are available, or contact IT Services to discuss your options.
Contact for support
If you're experiencing technical issues and need advice, please contact IT Services.
Service commitments
We expect you to:
- Register for the Duo 2FA service.
- Carry or have access to your registered second factor device (eg your mobile or key token) at all times when you may need to log in to a protected system.
- Maintain the security of the service by not allowing anyone else to authenticate using their second factor device.
- Contact IT Services promptly if your second factor device is lost or stolen.
The following policies apply to all IT services provided by the University.
Availability
- This is a live service, available 24/7.
- Check the status of this service and any planned maintenance.
Support
- This service is managed by IT Services, in collaboration with a third party (Duo).
- We are responsible for monitoring, identifying and fixing faults. We will liaise with Duo where necessary.
- Support is available during our opening hours.
Standards
- Our service performance and standards have been produced in consultation with our customers. We regularly monitor the delivery, performance and availability of facilities and services.
We appreciate feedback as it helps us review and continually improve our service.
Page last reviewed: 9 September 2024