On this page:
- Setting up Duo:
- How do I register a Smart phone for Duo two-factor authentication?
- How do I prepare for traveling?
- What should I do if I forgot my Smartphone or YubiKey
- How do I register a landline or MIT VoIP phone for Duo two-factor authentication?
- How do I register my YubiKey for use with Duo two-factor authentication?
- How to configure MacPorts Kerberos for Duo Authentication?
- Using Duo:
- How do I login to MIT services that leverage Duo two-factor authentication?
- How do I deactivate a device registered with Duo
- What should I do if I changed my Duo registered phone number, lost my Smartphone or YubiKey?
- How can I switch my Duo authentication to a new device if I get a new phone?
- My account has been locked out due to excessive authentication failures.
- How can staff that share the office VoIP phone and don't have a Smartphone enable Duo?
- I am having trouble with my International phone number. What do I do?
- I get a blank grey box instead of my push options when trying to authenticate with duo. What do I do?
- See Also
- Get Help
IS&T has been working for a few years to strengthen its IT environment through the use of two-factor authentication. Duo Security’s system, called Duo, was selected as part of a U.S.-government-sponsored initiative with MIT and Internet2 to explore the use of two-factor technology in higher education environments. As part of these efforts, Duo has been integrated into several IT services, including Touchstone, Kerberos, and VPN. IS&T can now make these services more broadly available to the community.
With increased vulnerabilities within the Internet’s underlying encryption systems, such as the Secure Socket Layer (SSL), depending solely on passwords alone has demonstrated high risk in compromising systems, services and accounts.
For more information, see the Duo Authentication Landing Page
A number of MIT services including Touchstone, Kerberos, and VPN are enabled for Duo two-factor authentication. When you enable two-factor authentication with Duo for Touchstone, you will need to have your Duo activated device available in order to login to any service or web application that requires Touchstone for authentication. Touchstone and two-factor authentication enabled services include:
- Request Tracker
- Athena Dialups
- The Duo management pages
Supported Browsers include Chrome, Firefox, Safari and Internet Explorer.
Services such as MIT Email, Knowledge Base, and SAP Services do not currently use Touchstone and do not require Duo authentication. The Athena Dialup service does not use Touchstone, but does require two-factor authentication through Duo.
It is not necessary to have a smartphone to use Duo. You can use a tablet, landline phone or YubiKey for your second factor instead. A data plan is not required for your device. If you have the Duo app on your phone, you can click key icon next to account to get a one-time passcode to log in, which doesn’t require any data usage.
- Bring a registered smartphone with the IS&T Recommended Duo Security Mobile app (available for iOS, Android, BlackBerry and Windows Phone) - No connectivity or data plan is required if you use a one time passcode.
- Or bring a mobile phone that you have signed up as a "landline" for Duo Two-Factor authentication;
- Or bring a YubiKey with you.
- You can submit a request for one
By default, every time a website prompts you to login via Touchstone, you will also be prompted via Duo to confirm the login. This is generally once per day, or whenever you restart your web browser. This default behavior is the most secure option available.
For those users desiring greater convenience, the Duo login page has a "Remember this device" checkbox. If this option is checked, your device will be treated as a trusted device. The trusted device can go longer periods between the times that you are asked to confirm with Duo. The current trust period is 30 days. We recommend using this setting with caution - make sure the device really is trusted, and it is a good idea to have extra security (for example, requiring a password to unlock the screen from sleep).
- Login to Duo
- Click Next to take you to the main Duo management page
- Find all the entries that correspond to the device you want to deactivate and click Delete Phone
Result: You will not be asked to confirm the deletion. After a brief period, you should see the device removed from your list.
|Only my lost/stolen one device is registered, so I can't login to Duo to deactivate my device|
IS&T Service Desk can help. In order to do so, IS&T will need to verify your identity. See: Get Help.
You will need to deactivate your old phone number/device and register a new one for Duo.
- A behavioral change has been implemented that will lock users out of their accounts after 10 failed attempts.
- Accounts will automatically revert to an unlocked state after 90 minutes.
- In exceptional circumstances, you may Contact the IS&T Help Desk <email@example.com>, 617-253.1101 to request your account be unlocked.
You can get a hardware token that will generate passcodes for Duo. You can contact the IS&T Help Desk <firstname.lastname@example.org>, 617-253.1101 to request a hardware token, or request using a web form at https://ist.mit.edu/duo/token-request.
- There may be issues registering a mobile device with an international number for Duo because you do not receive the initial text with link that will connect the mobile device to your Duo. If you are unable to obtain a Yubikey in the meantime and will have the international number for an indefinite period, please register the international mobile phone number as a landline device. Input the phone number with the international code to authenticate. You MUST add + before number. With this method, you will get a phone call asking you to authenticate rather than the text with the link. Also, please use the "Remember me for 30 days" option, so the you can avoid receiving exuberant fees from the international Duo authentication calls.
- You can also register your smartphone as a tablet device to use push notifications over the internet, or the 6-digit code generated by the Duo Mobile App which requires no internet access.
I get a blank grey box instead of my push options when trying to authenticate with duo. What do I do?
- This can happen if you have no devices registered for Duo. Check to see if you have registered a device for Duo at http://duo.mit.edu. If not, register one.
- Clear your browser cache and try again.
- Quit and restart your browser, then try again. this can clear up any lingering issues from other sites you've visited recently.
- Disable any custom browser extensions you've installed. Some can cause issues with Duo.
- Try another browser. For example, if you're using IE, try Chrome or Firefox.
- Duo Authentication Landing Page
- Duo Token (Yubikey) Request Form
- More documentation can be found on the vendor's website.
For additional assistance with Duo, troubleshooting, lost/stolen devices, or any other Duo issues, contact the Service Desk.
Account resets for lost/stolen devices or changed phone numbers require identity verification. You will need to provide proof via a valid photo ID (MIT ID, government issued ID card, driver's License, passport, etc).