Access Keys:
Skip to content (Access Key - 0)

Duo Two-factor Authentication FAQ

On this page:

Overview

IS&T has been working for a few years to strengthen its IT environment through the use of two-factor authentication. Duo Security’s system, called Duo, was selected as part of a U.S.-government-sponsored initiative with MIT and Internet2 to explore the use of two-factor technology in higher education environments. As part of these efforts, Duo has been integrated into several IT services, including Touchstone, Kerberos, and VPN. IS&T can now make these services more broadly available to the community.

With increased vulnerabilities within the Internet’s underlying encryption systems, such as the Secure Socket Layer (SSL), depending solely on passwords alone has demonstrated high risk in compromising systems, services and accounts.

For more information, see the Duo Authentication Landing Page

What services require Duo for login?

A number of MIT services including Touchstone, Kerberos, and VPN are enabled for Duo two-factor authentication. When you enable two-factor authentication with Duo for Touchstone, you will need to have your Duo activated device available in order to login to any service or web application that requires Touchstone for authentication. Touchstone and two-factor authentication enabled services include:

  • Stellar
  • VPN
  • Atlas
  • iMIT
  • Request Tracker
  • Webmoira
  • Dropbox
  • Athena Dialups
  • The Duo management pages

Supported Browsers include Chrome, Firefox, Safari and Internet Explorer.

Services such as MIT Email, Knowledge Base, and SAP Services do not currently use Touchstone and do not require Duo authentication. The Athena Dialup service does not use Touchstone, but does require two-factor authentication through Duo.

Do I need a smartphone with a data plan?

It is not necessary to have a smartphone to use Duo. You can use a tablet, landline phone or YubiKey for your second factor instead. A data plan is not required for your device.

Setting up Duo:

How do I register a Smart phone for Duo two-factor authentication?

How to Register a Smart Phone for Duo two-factor authentication

How do I prepare for traveling?

  • Bring a registered smartphone with the IS&T Recommended Duo Security Mobile app (available for iOS, Android, BlackBerry and Windows Phone) - No connectivity or data plan is required if you use a one time passcode.
  • Or bring a mobile phone that you have signed up as a "landline" for Duo Two-Factor authentication;
  • Or bring a YubiKey with you.
  • You can submit a request for one

What should I do if I forgot my Smartphone or YubiKey

How do I register a landline or MIT VoIP phone for Duo two-factor authentication?

How to Register a non-smart Phone for Duo two-factor authentication

How do I register my YubiKey for use with Duo two-factor authentication?

How do I register my YubiKey for use with Duo 2FA?

How to configure MacPorts Kerberos for Duo Authentication?

Configuring MacPorts Kerberos for Duo Authentication

Using Duo:

By default, every time a website prompts you to login via Touchstone, you will also be prompted via Duo to confirm the login. This is generally once per day, or whenever you restart your web browser. This default behavior is the most secure option available.

For those users desiring greater convenience, the Duo login page has a "Remember this device" checkbox. If this option is checked, your device will be treated as a trusted device. The trusted device can go longer periods between the times that you are asked to confirm with Duo. The current trust period is 30 days. We recommend using this setting with caution - make sure the device really is trusted, and it is a good idea to have extra security (for example, requiring a password to unlock the screen from sleep).

How do I login to MIT services that leverage Duo two-factor authentication?

How do I login to MIT services that leverage Duo two-factor authentication?

How do I deactivate a device registered with Duo

  1. Login to Duo
  2. Click Next to take you to the main Duo management page
  3. Find all the entries that correspond to the device you want to deactivate and click Delete Phone
    Result: You will not be asked to confirm the deletion. After a brief period, you should see the device removed from your list.
Only my lost/stolen one device is registered, so I can't login to Duo to deactivate my device
IS&T Service Desk can help. In order to do so, IS&T will need to verify your identity. See: Get Help.

Troubleshooting

What should I do if I changed my Duo registered phone number, lost my Smartphone or YubiKey?

You will need to deactivate your old phone number/device and register a new one for Duo.

See: What do I do if my duo enabled device is lost, stolen or I changed my phone number?

How can I switch my Duo authentication to a new device if I get a new phone?

Duo - What should I do if I get a new phone? How to switch registered devices

My account has been locked out due to excessive authentication failures.

  • A behavioral change has been implemented that will lock users out of their accounts after 10 failed attempts.
  • Accounts will automatically revert to an unlocked state after 90 minutes.
  • In exceptional circumstances, you may Contact the IS&T Help Desk <helpdesk@mit.edu>, 617-253.1101 to request your account be unlocked.

How can staff that share the office VoIP phone and don't have a Smartphone enable Duo?

You can get a hardware token that will generate passcodes for Duo. You can contact the IS&T Help Desk <helpdesk@mit.edu>, 617-253.1101 to request a hardware token, or request using a web form at https://ist.mit.edu/duo/token-request.

I am having trouble with my International phone number. What do I do?

  • There may be issues registering a mobile device with an international number for Duo because you do not receive the initial text with link that will connect the mobile device to your Duo. If you are unable to obtain a Yubikey in the meantime and will have the international number for an indefinite period, please register the international mobile phone number as a landline device. Input the phone number with the international code to authenticate. You MUST add + before number. With this method, you will get a phone call asking you to authenticate rather than the text with the link. Also, please use the "Remember me for 30 days" option, so the you can avoid receiving exuberant fees from the international Duo authentication calls.
  • You can also register your smartphone as a tablet device to use push notifications over the internet, or the 6-digit code generated by the Duo Mobile App which requires no internet access.

I get a blank grey box instead of my push options when trying to authenticate with duo. What do I do?

  • This can happen if you have no devices registered for Duo. Check to see if you have registered a device for Duo at http://duo.mit.edu. If not, register one.
  • Clear your browser cache and try again.
  • Quit and restart your browser, then try again. this can clear up any lingering issues from other sites you've visited recently.
  • Disable any custom browser extensions you've installed. Some can cause issues with Duo.
  • Try another browser. For example, if you're using IE, try Chrome or Firefox.

See Also

Get Help

For additional assistance with Duo, troubleshooting, lost/stolen devices, or any other Duo issues, contact the Service Desk.

Account resets for lost/stolen devices or changed phone numbers require identity verification. You will need to provide proof via a valid photo ID (MIT ID, government issued ID card, driver's License, passport, etc).


IS&T Contributions

Documentation and information provided by IS&T staff members


Last Modified:

January 24, 2024

Get Help

Request help
from the Help Desk
Report a security incident
to the Security Team
Labels:
c-duo c-duo Delete
authorization authorization Delete
authentication authentication Delete
yubikey yubikey Delete
two-factor two-factor Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.
Feedback
This product/service is:
Easy to use
Average
Difficult to use

This article is:
Helpful
Inaccurate
Obsolete
Adaptavist Theme Builder (4.2.3) Powered by Atlassian Confluence 3.5.13, the Enterprise Wiki