
Q: How do I log in to MIT services that leverage Duo two-factor authentication?


Authenticating via Touchstone with the Duo authentication requirement enabled

  1. In a web browser (Chrome, Firefox, Safari or Internet Explorer), open a webpage that requires Touchstone authentication and begin to authenticate as normal
  2. Once you have completed the Touchstone authentication steps (via certificates, Kerberos tickets, or Kerberos username and password), you will be prompted for Duo Authentication
  3. Select your Device and choose a Method
    Touchstone@MIT page with Duo Authentication screen.
    Method
    • Duo Push (smartphones with Duo app installed)
    • Phone Call (default for landline)
    • Passcode (request via SMS or from mobile app)
  • (Optional) Remember this device for 30 days: If you choose this, Duo will treat your device as "trusted".

Duo Push

  1. A request will be sent to your mobile device via the Duo app
    You must have an active mobile (cellular) or wifi connection to receive this request
  2. Tap Approve on your Mobile Device's Duo app. It should look similar to one of these:
    Example of Duo Push with Android. Example of Duo Push with iOS.
  3. Result: Your web browser's Touchstone session should automatically complete authentication
    If your mobile phone doesn't automatically show the Duo Push request, you can force a refresh of push requests by tapping and dragging the "MIT" account downwards on your phone.

Phone Call

  1. An automated attendant will call your phone
  2. Answer and wait for the Duo automated message to begin playing
  3. Press any valid dialpad key on your phone (0-9, # or *) and hang up
  4. Result: Your web browser's Touchstone session should automatically complete authentication

Passcode

  1. Request a new passcode
    On the Duo Mobile App, you can click the key icon to the right of MIT to display a current passcode
    Duo Mobile app with the key icon next to MIT highlighted. Duo Mobile app displaying the passcode.
    For a mobile phone that can accept SMS messages, you can request SMS passcodes by clicking the link underneath the passcode prompt in the Touchstone authentication window
    Duo Authentication page with arrow pointing at 'Send SMS passcodes' link.
  2. Enter the passcode obtained from the Duo Mobile App or from the SMS message
    If using SMS, the Touchstone login page will tell you which code to use: Next SMS passcode starts with ...
    Mobile texting client with received passcodes.
  3. Click Login
  4. Result: Your web browser's Touchstone session should automatically complete authentication
    If you type the incorrect passcode, you will be prompted to enter the correct one or you can choose another device or method

Connect to a Duo-protected VPN account with Cisco AnyConnect

  1. Launch Cisco AnyConnect.
  2. Make sure the address listed is vpn.mit.edu/duo and click Connect.
    Cisco AnyConnect with 'vpn.mit.edu/duo' in the connect box.
  3. When prompted, enter your MIT username and password.
  4. In the field labeled “Second Password,” you can type one of the following words:
    1. "push" - Duo will send a push notification to your registered cell phone with the Duo Security mobile app installed
    2. "sms" - Duo will send an SMS to your registered cell phone
    3. "phone" - Duo will call your registered cell phone
    4. The one-time code generated by your hardware token or the Duo Security mobile app (the code changes every 60 seconds)
      Username and password entry for AnyConnect.
      In this example, we've entered "push" in the "Second Password" field.
      'How to call different devices'
      If you have multiple devices that can use the same method, for instance two mobile phones or two phones that can receive phone calls, you can reference them by different numbers. For instance, to call the top device on your managed devices page (http://duo.mit.edu), you can use 'phone' (for the default) or 'phone1'; to call the second phone, you can use 'phone2'.


  5. In this example, you will receive a push notification on your cell phone. Click Approve.
    Duo Mobile having received a push notification.
  6. Cisco AnyConnect should now present you with the MIT VPN banner and the VPN connection will complete.
    AnyConnect's success page.

Connect to a Duo-protected Microsoft Windows machine with Remote Desktop Connection (RDP)

  1. Launch Microsoft Remote Desktop and enter the hostname or IP address of the machine you wish to connect to (note: you may have to connect to MIT's VPN service to use RDP).
    Microsoft Remote Desktop with hostname entered.
  2. When presented with the Windows login screen, enter your MIT username and password.
  3. In the field labeled "Duo Password" you can enter one of the following options:
    1. push - Duo will send a push notification to your registered cell phone with the Duo Security mobile app installed
    2. sms - Duo will send an SMS to your registered cell phone
    3. phone - Duo will call your registered cell phone
    4. The one-time code generated by your hardware token or the Duo Security mobile app (the code changes every 60 seconds)
      Example of Windows login screen with push in the Duo Password field.
      In this example, we've entered "push" in the "Duo Password" field.
      'How to call different devices'
      If you have multiple devices that can use the same method, for instance two mobile phones or two phones that can receive phone calls, you can reference them by different numbers. For instance, to call the top device on your managed devices page (http://duo.mit.edu), you can use 'phone' (for the default) or 'phone1'; to call the second phone, you can use 'phone2'.


  4. In this example, you will receive a push notification on your cell phone. Click Approve.
    Duo Mobile having received a push notification.
  5. The remote Windows system should now complete authentication and the Remote Desktop Connection will complete.
    Loading screen for Windows.

Acquire Kerberos tickets for a Duo-protected principal using kinit

  1. Log into an Athena machine (e.g. ssh athena.dialup.mit.edu).
    Terminal with command 'kinit amunch/root' entered.
  2. Initiate Kerberos ticket acquisition (e.g. kinit username/root) and enter the appropriate Kerberos password when prompted.
    Note: not all Kerberos accounts will be protected with Duo. Typically, only root accounts or users with escalated privileges (e.g. username/root or username/extra) will be protected with Duo.
    Terminal with prompt for password.
  3. The Duo two-factor system will now challenge your login asking for a method to contact you. You can hit the "Enter" key to see all the options available to you. By default, option "1" will send a push notification to the Duo mobile app.
    Terminal with prompt for which authentication method to use.
    In this example, we've entered "1" as the option.
    Note: You will not see any input on the screen as you type.
  4. Duo will now output, "Press return after completing Duo authentication."
    Terminal with prompt 'Press return after completing Duo authentication.'
  5. In this example, you will receive a push notification on your cell phone. Click Approve.
    Duo Mobile app with push notification.
  6. Back in your console window, press the Enter key.
  7. If you have not received any error messages, you should be back at the > prompt and have valid Kerberos tickets.
    Terminal with standard input.
  8. You can view your Kerberos tickets by running klist from within your console window.
    Terminal with output of Kerberos tickets from running the command 'klist'.

IS&T Contributions

Documentation and information provided by IS&T staff members


Last Modified:

August 03, 2016

  1. May 09, 2013

    If your Duo app does not receive push notifications, it might mean your phone lost its network connection. Try turning Wifi off and on. Or try using the six-digit entry code instead of using push notification.

  2. Jan 04, 2016

    Just a tip re. Cisco AnyConnect:

    It appears that if you already had received a batch of SMS passcodes prior to using AnyConnect, you can enter an unused (non-expired) passcode from the batch into the second password field.
