Access Keys:
Skip to content (Access Key - 0)

Q: How do I login to MIT services that leverage Duo two-factor authentication?

Touchstone and Duo updates March 22
Touchstone and Duo authentication has been updated with some visual changes and an improved two-factor authentication experience as Information Systems and Technology (IS&T) implemented updates to the Institute's single sign-on web authentication service on Friday, March 22.

On this page:

Authenticating via Touchstone with the Duo authentication requirement enabled

  1. Launch a webpage (Chrome, Firefox, Safari and Internet Explorer), that requires Touchstone authentication and begin to authenticate as normal.
  2. Once you have completed the Touchstone authentication steps (via Certificates, kerberos tickets or kerberos username and password), the universal Duo prompt will automatically select your preferred authentication method and attempt to authenticate that way. In the case of a Duo Push, it will send one to you without prompting.

    check for duo push

    If you have not selected a preferred authentication method, it will select the one it considers most secure.
  3. To choose another authentication method, click the "Other options" link.

    "other options link circled on duo auth screen'

    Result: A personalized list of other options for authentication will open. Which options appear depend on which authentication methods you set up when you registered for Duo.

    list of other authentication options

  4. Select the option you want to use to authenticate, and authenticate with that method as usual.

Duo Push

  1. If it did not default to this, select "Duo Push" from the options as shown above.
  2. A request will be sent to your mobile device via the Duo app
    You must have an active mobile (cellular) or wifi connection to receive this request
  3. Tap Approve on your Mobile Device's Duo app. It should look similar to this:

    Example of Duo Push with iOS

  4. Result: Your web browser's Touchstone session should automatically complete authentication
    If your mobile phone doesn't automatically show the Duo Push request, you can force a refresh of push requests by tapping and dragging the "MIT" account downwards on your phone.

Phone Call

  1. If it did not default to this, select "Phone Call" from the options as shown above.
  2. An automated attendant will call your phone
  3. Answer and wait for the Duo automated message to begin playing
  4. Push any valid dialpad key on your phone (0-9,# or *) and hang-up
  5. Result: Your web browser's Touchstone session should automatically complete authentication


Effective January 23,2024 - Touchstone no longer accepts passcodes from the Duo mobile app as a second authentication factor. Passcodes sent via SMS will be limited to one per message, with a five-minute expiration time.
  1. If it did not default to this, select "Text message passcode" from the options as shown above.
    _Result: The passcode entry screen displays and you will receive a passcode via text message at the number specified.

    ""passcode entry screen'

  2. Enter the passcode in the field provided to authenticate. Click Verfiy.

Connect to a Duo-protected Microsoft Windows machine with Remote Desktop Connection (RDP)

  1. Launch Microsoft Remote Desktop and enter the hostname or IP address of the machine you wish to connect to (note: you may have to connect to MIT's VPN service to use RDP).
    Microsoft Remote Desktop with hostname entered.
  2. When presented with the Windows login screen, enter your MIT username and password.
  3. In the field labeled "Duo Password" you can enter one of the following options:
    1. push - Duo will send a push notification to your registered cell phone with the Duo Security mobile app installed
    2. sms - Duo will send an SMS to your registered cell phone
    3. phone - Duo will call your registered cell phone
    4. The one time code generated by your hardware token or the Duo Security mobile app (the code changes ever 60 seconds)
      Example of Windows login screen with push in the Duo Password field.
      In this example, we've entered "push" in the "Duo Password" field.
      'How to call different devices'
      If you have multiple devices that can use the same method, for instance two mobile phones or two phones that can receive phone calls, you can reference them by different numbers. For instance, to call the top device on your managed devices page (, you can use 'phone' (for the default) or 'phone1' to call the second phone, you can use 'phone2'.

  4. In this example, you will receive a push notification on your cell phone. Click Approve.
    Duo Mobile having received a push notification.
  5. The remote Windows system should now complete authentication and the Remote Desktop Connection will complete.
    Loading screen for Windows.

Acquire Kerberos tickets for a Duo-protected principal using kinit

  1. Log into an Athena machine (e.g. ssh
    Terminal with command 'kinit amunch/root' entered.
  2. Initiate Kerberos ticket acquisition (e.g. kinit username/root) and enter the appropriate Kerberos password when prompted.
    Note: not all Kerberos accounts will be protected with Duo. Typically, only root accounts or users with escalated privileges (e.g. username/root or username/extra) will be protected with Duo.
    Terminal with prompt for password.
  3. The Duo two-factor system will now challenge your login asking for a method to contact you. You can hit the "Enter" key to see all the options available to you. By default, option "1" will send a push notification to the Duo mobile app.
    Terminal with prompt for with authentication method to use.
    In this example, we've entered "1" as the option.
    Note: You will not see any input on the screen as you type.
  4. Duo will now output, "Press return after completing Duo authentication."
    Terminal with prompt 'Press return after completing Duo authentication.'
  5. In this example, you will receive a push notification on your cell phone. Click Approve.
    Duo Mobile app with push notification.
  6. Back in your console window, click the Enter key.
  7. If you have not received any error messages, you should be back at the > prompt and have valid Kerberos tickets.
    Terminal with standard input.
  8. You can view your Kerberos tickets by running klist from within your console window.
    Terminal with output of Kerberos tickets from running the command 'klist'.

Also See
Configuring MacPorts Kerberos for Duo Authentication

IS&T Contributions

Documentation and information provided by IS&T staff members

Last Modified:

April 11, 2024

Get Help

Request help
from the Help Desk
Report a security incident
to the Security Team
duo duo Delete
vpn vpn Delete
two-factor two-factor Delete
authentication authentication Delete
2-factor 2-factor Delete
rdp rdp Delete
kinit kinit Delete
c-security c-security Delete
c-duo c-duo Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.
This product/service is:
Easy to use
Difficult to use

This article is:
  1. May 09, 2013

    If your Duo app does not receive push notifications, it might mean your phone lost its network connection. Try turning Wifi off and on. Or try using the six-digit entry code instead of using push notification.

Adaptavist Theme Builder (4.2.3) Powered by Atlassian Confluence 3.5.13, the Enterprise Wiki