2-Factor Authentication with DUO

In response to phishing scams and related vulnerabilities, Auburn has implemented a high-security login process referred to as 2-factor authentication.


Auburn uses DUO Security to ask individuals for a secondary confirmation of their identity at login using a physical device in their possession. This process is called 2-Factor Authentication. The confirmation may come from an app on a smartphone or tablet, a text message to a phone, a button press on a hardware token such as a yubikey, or an automated voice call to a landline or cell phone. Since Auburn uses the "DUO" software to administer its instance of 2-factor, the instructions and screenshots below are specific to the DUO interface and the DUO Mobile applications.

Auburn University employees and students are strongly encouraged to register at least two devices, such as a smartphone and a landline.

Self-registration and device management options are located at auburn.edu/2factor.

2FACTOR Registration instructions

DUO's self-enrollment process makes it easy to register your phone and install the DUO Mobile application on your smartphone or tablet. First, visit http://www.auburn.edu/2factor, log in with your Auburn credentials, and then follow the steps below.

Note: If you are a yubikey user or have a hardware token, this device may have already been registered for you and you may not be able to follow the instructions below. If you would like to register an additional device, close this "Self-registration process" section and see the "Add a new authentication device" section.

Detailed Instructions

1. Welcome Screen

Begin Enrollment

Click Start setup to begin enrolling your device.

2. Choose your Authenticator

Select the type of device you'd like to enroll and click Continue. We recommend using a smartphone for the best experience, but you can also enroll a landline telephone or an iOS/Android tablet.

Select Device Type

3. Type your Phone Number

Select your country from the drop-down list and type your phone number. Use the number of your smartphone, landline, or cell phone that you'll have with you when you're logging in to a DUO-protected service. If you chose "Landline" in the previous step, complete this screen with your phone extension and skip to step 7.

Then double-check that you entered it correctly, check the box, and click Continue.

Enter and Confirm Phone Number

If you're enrolling a tablet, you aren't prompted to enter a phone number.

4. Choose Platform

Choose your device's operating system and click Continue.

Select Device Platform

5. Install DUO Mobile

DUO Mobile is an app that runs on your smartphone and helps you authenticate quickly and easily. Without it you'll still be able to log in using a phone call or text message, but for the best experience we recommend that you use DUO Mobile.

Follow the platform-specific instructions on the screen to install DUO Mobile. After installing the app, return to the enrollment window and click I have DUO Mobile installed.

Install Duo Mobile

6. Activate DUO Mobile

Activating the app links it to your account so you can use it for authentication.

On iPhone, Android, Windows Phone, and BlackBerry 10, activate DUO Mobile by scanning the barcode with the app's built-in barcode scanner. Follow the platform-specific instructions for your device.

Scan Barcode to Activate

The "Continue" button is clickable after you scan the barcode successfully.

Activation Success

Can't scan the barcode? Click "Having problems? We'll send you an activation link instead." and follow the instructions.

7. Configure Automatic Device Options (optional)

You can use Device Options to give your phone a more descriptive name, or you can click Add another device to start the enrollment process again and add a second device.

Employees and students are strongly encouraged to register at least two devices, such as a mobile device and a landline.

Choose "Ask me to choose an authentication method" for the "When I log in" option. The automatic option creates far more opportunities for confusion than convenience.

Automatic Device Options

8. Continue to Login

Click Continue to login to proceed to the authentication prompt.

Successful Device Enrollment

Congratulations!

Your device is ready to approve DUO authentication requests. You'll automatically receive a push notification or phone call if you selected either of those earlier. If not, click Send me a Push or Call Me to give it a try. If you selected a push, all you need to do is tap Approve on the DUO login request received on your phone. When you receive a phone call from DUO, the number will always be 334-844-4944, which is the Auburn University HelpDesk.

Enrollment Complete

Add a new authentication device

You can easily add new devices right from the DUO authentication prompt at auburn.edu/2factor.

If you:

  1. are registering a new phone with a new phone number,
  2. have not registered a second device already, AND
  3. are no longer in possession of the previous device,

contact the OIT HelpDesk at (334) 844-4944 to purge your old device from your account.

If you want to reactivate the DUO Mobile app on a new device with the same phone number, skip this section and review the "Register DUO on a new device with the same phone number" section.

1. Welcome screen

When your previous device was set up, you may have chosen to automatically push or call your device. If so, DO NOT respond to the DUO prompt on the device and instead press the Cancel button (see image below).  If this does not apply to you, continue on with the instructions.

Device is trying to automatically authenticate with the previously registered device

To add a new device, click Add a new device.

Add a New Device Link

2. Add a new device screen

Choose an authentication method and complete the second factor authentication to begin adding your new device.

Yubikey and hardware token users should select Enter a Passcode if that is the only device they currently have registered. After pressing the Enter a Passcode button, click into the text field with your mouse, then either press the button on your plugged-in yubikey to generate a passcode, or press the button on your hardware token and type in the generated passcode.

If you're adding a new device to replace one that you previously activated for DUO Push, don't select the DUO Push authentication method on this page. If you have a new device with the same phone number then you can authenticate with a phone call or SMS passcode.

Authenticate to Add a Device

3. Device type selection

Proceed with the device enrollment process as shown in the initial registration guide. As an example, let's add another phone.

Select Device Type

4. Device details (assuming you selected Mobile Phone)

Enter and confirm the second phone's number. Press the Continue button.

Enter and Confirm Phone Number

Select the new phone's operating system. Press the Continue button.

Select Device Platform

5. Install and activate the DUO Mobile app (if you selected Mobile Phone)

Install DUO Mobile on the new phone following the instructions on the screen (Android example below) and press the "I have DUO Mobile installed" button when you have installed the app.

Install Duo Mobile for Android

Scan the barcode with the DUO mobile app to activate the account.

Scan Barcode to Activate

6. Confirmation screen

The new phone is added and listed with your other enrolled devices.

New Device Added

Employees and students are strongly encouraged to register at least two devices, such as a mobile device and a landline.

7. Configure Device Options (optional)

Click the Device Options button next to any of your enrolled devices to view the actions available for that type of device. You can Reactivate DUO Mobile for an enrolled smartphone, Change Device Name for any type of phone, or delete any authentication device.

Device Options

Change Device Name

Clicking Change Device Name will open up an interface to change the display name of your phone (hardware tokens can't be renamed). Type in the new name and click Save.

Change Device Name

After successfully modifying your phone's name, not only will you see this from now on when managing devices, but it will also be how your phone is identified in the authentication dropdown.

Renamed Device

If you want to continue using your original device with DUO, you can specify which of your devices you would like to be the default. Click the Default Device: drop-down menu and pick your default device for authentication. Click Save if you're done making changes.

Choose Default Device

Choose "Ask me to choose an authentication method" for the "When I log in" option. The automatic option creates far more opportunities for confusion than convenience.

Enable Automatic Authentication

Remove a Device

If your new device is replacing the one you previously enrolled, you can remove the device you won't be using any more for authentication. Click the Device Options button next to the device you want to remove, and then click the trash can button to delete that device.

Delete a Device

You'll have the chance to confirm that you want to delete that device.

Confirm Deletion

The authentication device is removed from your profile.

Device Removed

Welcome screen

When your previous device was set up, you may have chosen to automatically push or call your device. If so, DO NOT respond to the DUO prompt on the device and instead press the Cancel button (see image below).  If this does not apply to you, continue on with the instructions.

Device is trying to automatically authenticate with the previously registered device

Click the "My Settings & Devices" link on the left.

My Settings & Devices link

To manage your devices, choose an authentication method and complete second factor authentication (you may need to scroll down to see all authentication options). You can't get into the device management portal if you do not have access to any enrolled devices; you'll need to contact the OIT HelpDesk at 334-844-4944 for assistance.

Authenticate to My Settings & Devices

After authenticating you'll see the device management portal. This is where you can reactivate, edit, or delete your existing devices. Scroll down to see all your authentication devices.

My Settings & Devices

To exit My Settings & Devices, click the Done button below your listed devices or click your organization's logo on the left (or the DUO logo if shown).

Default Authentication Options

If you authenticate with more than one device, you can specify which you would like to be the default. In the list of actions, simply click Set as Default and that device will be moved to the top of the list making it your default device for authentication.

Choose Default Device

Choose "Ask me to choose an authentication method" for the "When I log in" option. The automatic option creates far more opportunities for confusion than convenience.

Enable Automatic Authentication

Manage Existing Devices

Click the Device Options button next to any of your enrolled devices to view the actions available for that type of device. You can Reactivate DUO Mobile for an enrolled smartphone, Change Device Name for any type of phone, or delete any authentication device.

Device Options

Reactivate DUO Mobile

Click the Reactivate DUO Mobile button if you need to get DUO Push working on your phone, for example, if you replaced your phone with a new model but kept the same phone number. After answering some questions about your device, you'll receive a new QR code to scan with your phone, which will complete the DUO Mobile activation process.

Reactivate Duo Mobile

Change Device Name

Clicking Change Device Name will open up an interface to change the display name of your phone (hardware tokens can't be renamed). Type in the new name and click Save.

Change Device Name

After successfully modifying your phone's name, not only will you see this from now on when managing devices, but it will also be how your phone is identified in the authentication dropdown.

Renamed Device

Remove Device

Click the trash can button to delete a phone or token device.

Note: You may not remove your last device. If you wish to remove it, first add another, then delete the original. If you are unable to delete a device, contact the OIT HelpDesk at 334-844-4944 to have it removed.

Remove Device

You are given the chance to confirm or cancel deleting the authentication device.

Confirm Device Deletion

The device is deleted. It can no longer be used to approve DUO authentication requests.

Device Removed

Register DUO on a new device with the same phone number

These instructions should be followed if:

  1. you obtained a new device for your existing phone number,
  2. the DUO Mobile app was uninstalled, or
  3. the account within the DUO Mobile app was deleted.

Quick Start

  1. Go to auburn.edu/2factor and log in.
  2. Press Cancel if you are presented the blue bar at the bottom with the option button.
    Device is trying to automatically authenticate with the previously registered device
  3. Click My Settings & Devices
    My Settings & Devices link
  4. Choose an authentication method that you can fulfill
  5. Follow the on-screen instructions to add your new device. If you require more detailed instructions, see below.

Detailed Step-by-Step Instructions

1. My Settings & Devices

Go to auburn.edu/2factor and log into AUthenticate. When your previous device was set up, you may have chosen to automatically push or call your device. If so, DO NOT respond to the DUO prompt on the device and instead press the Cancel button (see image below).  If this does not apply to you, continue on with the instructions.

Device is trying to automatically authenticate with the previously registered device

Click the My Settings & Devices link on the left.

My Settings & Devices link

To manage your devices, choose your device from the list and press Call Me OR press Enter a Password and then Text me new codes (DO NOT press Send me a Push).

If you choose Call Me, answer when it calls and press 1 to continue. If you choose Enter a Password and then Text me new codes, retrieve the code from the text message you received, enter it in the input box available (see screenshot below), and press Log In.

Text me new codes button

2. Edit Device Options

After authenticating you'll see the device management portal. Press the Device Options button next to the phone number you need to reactivate.

My Settings & Devices

Press the Reactivate DUO Mobile button.

Device Options

You will now be walked through reactivating your DUO Mobile account on this device.

3. Choose Platform

Choose your device's operating system and click Continue.

Select Device Platform

4. Install DUO Mobile

DUO Mobile is an app that runs on your smartphone and helps you authenticate quickly and easily. Without it you'll still be able to log in using a phone call or text message, but for the best experience we recommend that you use DUO Mobile.

Follow the platform-specific instructions on the screen to install DUO Mobile. After installing the app, return to the enrollment window and click I have DUO Mobile installed.

Install Duo Mobile

5. That's it!

Your device should now be set up for 2-factor authentication via DUO.

Employees and students are strongly encouraged to register at least two devices, such as a mobile device and a landline.

Device Support Guides

Below are the instructions for authenticating access with your second factor device. Choose your device for more information.

DUO Mobile on Android

The DUO Mobile application makes it easy to authenticate — just tap “Approve” on the login request sent to your Android device. You can also quickly generate login passcodes, even without an internet connection or cell service.

Supported Platforms: The current version of DUO Mobile supports Android 2.3.3 and greater.

To see which version of DUO Mobile is installed on your device, go to the Android Settings menu, tap Apps, then scroll down and tap DUO Mobile. The "App Info" screen shows the version.

DUO Push

DUO Push is the easiest and quickest way of authenticating. You'll get a login request sent to your phone — just press Approve to authenticate.

If you are running Android 4.1 or later, you can approve the request right from the notification.

If you get a login request that you weren't expecting, press Deny to reject the request. You’ll be given the ability to report it as fraudulent, or you can tap It was a mistake to deny the request without reporting it.

Passcodes

Just tap the key icon to get a one-time passcode for login. This works anywhere, even in places where you don't have an internet connection or can't get cell service.

Adding Accounts to DUO Mobile

During the setup process you'll see a barcode to scan. Tap "Add Account" (or the plus button in the upper right). Scan the barcode to add the account to DUO Mobile.

If you ever need to re-add your account to DUO Mobile, contact your administrator.

Removing Accounts

Delete an account by long-pressing on an account. Then tap "Remove account" and confirm the deletion.

Pull to Refresh

Check for authentication requests by pulling the account list down. DUO Mobile automatically checks for authentication requests, but if you think you have missed a request, then tap the list of accounts and pull down to refresh.

Backup & Restore

It is not currently possible to back up and restore your registered DUO Mobile accounts on Android.

DUO Mobile on BlackBerry

Support for DUO Mobile on BlackBerry ended November 1, 2016.

Supported Platforms: The current version of DUO Mobile supports BlackBerry 10 and BBOS 4.5.0 and greater.

DUO Push

DUO Push is the easiest and quickest way of authenticating. You'll get a login request sent to your phone — just press Approve to authenticate.

If you get a login request that you weren't expecting, press Deny to reject the request. You’ll be given the ability to report it as fraudulent, or you can tap It was a mistake to deny the request without reporting it.

Passcodes

Just tap Generate Passcode to get a one-time passcode for login. This works anywhere, even in places where you don't have an internet connection or can't get cell service.

DUO Mobile on iPhone

The DUO Mobile application makes it easy to authenticate — just tap “Approve” on the login request sent to your iPhone. You can also quickly generate login passcodes, even without an internet connection or cell service.

Supported Platforms: The current version of DUO Mobile supports iOS 6.0 and greater. Older releases of iOS can install DUO Mobile v3.1.0 from the App Store.

To see which version of DUO Mobile is installed on your device, go to the iOS Settings menu, then scroll down and tap DUO Mobile. The "System Info" section shows the app version.

DUO Push

DUO Push is the easiest and quickest way of authenticating. You'll get a login request sent to your phone — just press Approve to authenticate.

If you get a login request that you weren't expecting, press Deny to reject the request. You’ll be given the ability to report it as fraudulent, or you can tap It was a mistake to deny the request without reporting it.

Touch ID

DUO Mobile for iOS also supports Touch ID for DUO Push-based logins, an additional layer of security to verify your users’ identities. If you're using a Touch ID capable iOS device, you'll see a Touch ID prompt each time you authenticate via DUO Mobile (if required by your administrator).

If you're not able to scan your fingerprint using the Touch ID sensor, you can also approve the DUO authentication request using the device's passcode (the same one you use on the iOS lock screen).

DUO Push and Notifications

You can respond to DUO Push requests from the iOS lock screen or banner notification starting with DUO Mobile version 3.8.

Swipe left on the lock screen DUO Mobile notification to reveal "Deny" and "Approve" actions.

Swipe down on the DUO Mobile banner notification received when your screen is unlocked to approve or deny the request.

If you missed the banner notification you can still approve the DUO request. Swipe left on the missed notification in the notification tray to approve or deny the authentication request.

Passcodes

Just tap the key button to generate a passcode. This works anywhere, even in places where you don't have an internet connection or can't get cell service.

Adding Accounts to DUO Mobile

During the setup process you'll see a barcode to scan.

Tap "Add Account" (or the plus button in the upper right). Scan the barcode to add the account to DUO Mobile.

Removing Accounts

Delete an account by tapping the Edit button in the upper left. Then tap the delete icon, tap "Delete", and confirm the deletion.

Pull to Refresh

Check for authentication requests by pulling the account list down. DUO Mobile automatically checks for authentication requests, but if you think you have missed a request, then tap the list of accounts and pull down to refresh.

Backup & Restore

Your DUO Mobile account information is backed up automatically when you enable iCloud Backup on your phone, and can be restored only on the same device. The iCloud backup can't be used to migrate your DUO accounts to a new phone. See Apple's guide to enabling iCloud backup for more information.

Using DUO With Any Cell Phone or Landline

DUO works with all cell phones and landlines by supporting authentication via phone call and SMS passcodes.

Phone Call

Click the Call Me button on the authentication prompt (or type "phone" in the "second password" field if you don't see DUO's interactive prompt) and DUO will call your phone. The status bar at the bottom of the authentication prompt updates at each step of the process.

Answer the call and listen to the instructions to authenticate. The authentication prompt's status bar also tells you how to approve the request over the phone.

SMS Passcodes

You can authenticate using a passcode texted to your phone. To have DUO text you a batch of passcodes click the Send codes button after clicking Enter a Passcode (or type "sms" in the "second password" field).

The authentication prompt's status bar indicates the passcodes were sent to your phone. The number of SMS passcodes sent in one batch is defined by your administrator (ten maximum). Sending multiple passcodes at once lets you use those passcodes to authenticate multiple times when you may not have cellular service.

To authenticate using an SMS passcode, click the Enter a Passcode button, type in a passcode you received from DUO via text message, and click Log In.

DUO keeps track of which SMS passcodes you've already used in your batch, letting you know which one to use next.

You can have new passcodes sent to you at any time. A new batch of passcodes will invalidate all old passcodes, so it's probably best to delete the old message when a new one comes in.

DUO Mobile on Windows Phone

The DUO Mobile application makes it easy to authenticate — just tap “Approve” on the login request sent to your phone. You can also quickly generate login passcodes, even without an internet connection or cell service.

Supported Platforms: The current version of DUO Mobile supports Windows Phone 7.5 and greater.

DUO Push

DUO Push is the easiest and quickest way of authenticating. You'll get a login request sent to your phone — just press Approve to authenticate.

If you get a login request that you weren't expecting, press Deny to reject the request. You’ll be given the ability to report it as fraudulent, or you can tap It was a mistake to deny the request without reporting it.

Passcodes

Just tap Generate Passcode to get a one-time passcode for login. This works anywhere, even in places where you don't have an internet connection or can't get cell service.

Activating DUO Mobile

DUO Mobile has to be activated to link it to your account. During the setup process you'll see a barcode to scan. Open DUO Mobile, tap "scan barcode", and then use the phone's camera to scan the barcode. This will add your account to DUO Mobile.

If you get an activation code in a text message from your administrator, tap and hold the text message to copy it to your clipboard. Then go to DUO Mobile, tap "Tap here", and then tap the paste button. Then tap "activate" to finish activation.

If you get a new phone and need to re-activate DUO Mobile, contact your administrator and have him or her send you a new activation link.

Note: DUO Mobile for Windows Phone 7 can currently only be activated for one account at a time.

Using DUO With a Yubikey or other Hardware Token

Hardware tokens are the most basic way of authenticating.

Do you want a Hardware Token?
We recommend using other 2-factor authentication methods instead of a yubikey or hardware token; however, individuals may purchase a Hardware Token from Identity Management located in the Information Technology building.

New Yubikeys are no longer available
Yubikeys were required and distributed for very job-specific tasks. Employees who needed them for their job role were assigned them. You can still 2-factor authenticate without a Yubikey. We recommend using other 2-factor authentication methods instead of a yubikey or hardware token.

To authenticate using a yubikey or hardware token, click the Enter a Passcode button.

  • Yubikeys:
    Insert your yubikey into a USB port. When the green light is visible, press the button on your yubikey to generate a new passcode. If your yubikey doesn't light up correctly, try flipping it over and reinserting it.

  • Hardware Tokens:
    Press the button on your hardware token to generate a new passcode and type it into the space provided.

Click Log In.

Note: Tokens can get "out of sync" if the button is pressed too many times in a row and the generated passcodes aren't used for login.
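
The "out of sync" condition in the note above, as an added sketch that is not Auburn's or DUO's code. It assumes the token is an event-based counter token (HOTP, RFC 4226), which the page does not state; the secret, look-ahead window and resync range are constructed values.

```python
import hashlib
import hmac
import struct

# Assumption: the token is event-based HOTP; the page does not name the algorithm.
# Constructed values: the RFC 4226 test secret and illustrative window sizes.
SECRET = b"12345678901234567890"
LOOK_AHEAD = 2      # counters past the expected one that the server will try
RESYNC_RANGE = 20   # wider search used only for an explicit resync


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Token:
    """Hardware token: every button press consumes one counter value."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Server:
    """Verifier that tolerates a few unused presses via a look-ahead window."""

    def __init__(self, secret: bytes, look_ahead: int = LOOK_AHEAD):
        self.secret = secret
        self.counter = 0              # next counter value the server expects
        self.look_ahead = look_ahead

    def verify(self, passcode: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), passcode):
                self.counter = c + 1  # move past the used code, so no replay
                return True
        return False

    def resync(self, first: str, second: str, search: int = RESYNC_RANGE) -> bool:
        """Re-align on two consecutive passcodes, so a chance match over the
        wider search range is far less likely than with a single code."""
        for c in range(self.counter, self.counter + search):
            if (hmac.compare_digest(hotp(self.secret, c), first)
                    and hmac.compare_digest(hotp(self.secret, c + 1), second)):
                self.counter = c + 2
                return True
        return False


def demo() -> dict:
    token, server = Token(SECRET), Server(SECRET)
    results = {}

    # Two stray presses, then a real login: still inside the window.
    token.press()
    token.press()
    code = token.press()
    results["login_after_2_unused"] = server.verify(code)
    results["replay_rejected"] = not server.verify(code)

    # Three more stray presses push the token past the window: out of sync.
    for _ in range(3):
        token.press()
    results["login_after_3_unused"] = server.verify(token.press())

    # Two consecutive fresh codes re-align the server counter with the token.
    results["resync"] = server.resync(token.press(), token.press())
    results["login_after_resync"] = server.verify(token.press())
    return results


if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step}: {ok}")
```

A larger look-ahead window tolerates more stray presses but also accepts more candidate codes per attempt, which is why the window is kept small and a drifted token needs an explicit resync.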

Frequently Asked Questions

Remember, it's best to have at least two devices registered.

Your Device Habits | Recommended Device
I carry a mobile device but I don’t want to download an app. I don’t mind answering an automated call. | MOBILE PHONE – REGISTERED AS A LANDLINE
I ONLY check my email at home and do not have a cell phone. | LANDLINE
I frequently check my email out and about and don’t want to answer an automated call. I can download an app. | MOBILE PHONE
I frequently travel out of the country without my mobile device or tablet. | DUO TOKEN – AVAILABLE THROUGH IDENTITY MANAGEMENT
I check my email through my iPad and can download the DUO Mobile app. | TABLET
I ONLY check my email at my desk and can answer my desk phone to authenticate. I do not want to use my cell phone or tablet. | LANDLINE
I frequently check my email out and about and don’t want to answer an automated call. I can receive texts with an authentication code. | MOBILE PHONE

Device Capabilities

  • MOBILE PHONE - SMS text, automated phone call, code generated by the DUO app
  • LANDLINE – automated phone call
  • TABLET – code generated by DUO app, (SMS text & automated phone call if you pay for cell service)
  • Assuming you have configured your device to receive DUO push notifications and have installed the DUO mobile app, you may need to power-cycle your device. On rare occasions, iPhone and Android may not display the DUO push notification, but a power-cycle usually clears this issue.
  • If you have a replacement phone with the same number, you will not receive DUO push notifications until you reactivate your phone. See the section "Register DUO on a new device with the same number."

This may be an attempt to compromise your account. It is recommended you change your password through My Account and notify the OIT HelpDesk at (334) 844-4944.

I have an International number on the same phone I have registered for local calls. Should I also register the International phone number?

No, because DUO push uses data and not the phone line. Also, the app can generate passcodes that can be used to log into VPN even when offline.

When outside the country, will I get an International push from DUO?

You must have a data or wifi connection in order to receive a push. However, you can also get a passcode from the app by pressing the key button or have DUO send you a passcode via SMS.

Can I get a few passcodes to take with me before I travel?

The DUO mobile app can generate new passcodes while offline so obtaining them early isn't necessarily beneficial.

Departments are strongly encouraged to protect their infrastructure with DUO. Contact Allan Farmer at afarmer@auburn.edu or (334) 844-9582 for more information.

Once you have a mobile device registered as a 2-factor authentication device, you can use it to receive passcodes. When you log into the VPN client, append ",SMS" to your password (ex. mypassword,SMS). The login will fail because that's obviously not your actual password, but it will initiate a request to DUO to receive a passcode via SMS text. Very shortly you will receive a text containing your passcode. Now, log in again, but this time append a comma and the passcode you received to your password (ex. mypassword,294348).

A secondary device you have access to is required for 2-factor authentication so you can verify you are the person trying to log in. Remember, you can register a tablet.

Contact the OIT HelpDesk at 334-844-4944 and we will be glad to assist you.

 

Last Updated: October 04, 2017