Duo Two-factor Authentication FAQ
On this page:
- Overview
- Setting up Duo:
- How do I register a Smart phone for Duo two-factor authentication?
- How do I prepare for traveling?
- What should I do if I forgot my Smartphone or YubiKey
- How do I register a landline or MIT VoIP phone for Duo two-factor authentication?
- How do I register my YubiKey for use with Duo two-factor authentication?
- How to configure MacPorts Kerberos for Duo Authentication?
- Using Duo:
- How do I login to MIT services that leverage Duo two-factor authentication?
- How do I deactivate a device registered with Duo
- Troubleshooting
- What should I do if I changed my Duo registered phone number, lost my Smartphone or YubiKey?
- How can I switch my Duo authentication to a new device if I get a new phone?
- My account has been locked out due to excessive authentication failures.
- How can staff that share the office VoIP phone and don't have a Smartphone enable Duo?
- I am having trouble with my International phone number. What do I do?
- I get a blank grey box instead of my push options when trying to authenticate with duo. What do I do?
- See Also
- Get Help
Overview
IS&T has been working for a few years to strengthen its IT environment through the use of two-factor authentication. Duo Security’s system, called Duo, was selected as part of a U.S.-government-sponsored initiative with MIT and Internet2 to explore the use of two-factor technology in higher education environments. As part of these efforts, Duo has been integrated into several IT services, including Touchstone, Kerberos, and VPN. IS&T can now make these services more broadly available to the community.
With increased vulnerabilities within the Internet’s underlying encryption systems, such as the Secure Socket Layer (SSL), depending solely on passwords alone has demonstrated high risk in compromising systems, services and accounts.
For more information, see the Duo Authentication Landing Page
What services require Duo for login?
A number of MIT services including Touchstone, Kerberos, and VPN are enabled for Duo two-factor authentication. When you enable two-factor authentication with Duo for Touchstone, you will need to have your Duo activated device available in order to login to any service or web application that requires Touchstone for authentication. Touchstone and two-factor authentication enabled services include:
- Stellar
- VPN
- Atlas
- iMIT
- Request Tracker
- Webmoira
- Dropbox
- Athena Dialups
- The Duo management pages
Supported Browsers include Chrome, Firefox, Safari and Internet Explorer.
Services such as MIT Email, Knowledge Base, and SAP Services do not currently use Touchstone and do not require Duo authentication. The Athena Dialup service does not use Touchstone, but does require two-factor authentication through Duo.
Do I need a smartphone with a data plan?
It is not necessary to have a smartphone to use Duo. You can use a tablet, landline phone or YubiKey for your second factor instead. A data plan is not required for your device.
Setting up Duo:
How do I register a Smart phone for Duo two-factor authentication?
How to Register a Smart Phone for Duo two-factor authentication
How do I prepare for traveling?
- Bring a registered smartphone with the IS&T Recommended Duo Security Mobile app (available for iOS, Android, BlackBerry and Windows Phone)
- Or bring a mobile phone that you have signed up as a "landline" for Duo Two-Factor authentication;
- Or bring a YubiKey with you.
- You can submit a request for one
What should I do if I forgot my Smartphone or YubiKey
- Please contact the Service Desk. See: Get Help.
How do I register a landline or MIT VoIP phone for Duo two-factor authentication?
How to Register a non-smart Phone for Duo two-factor authentication
How do I register my YubiKey for use with Duo two-factor authentication?
How do I register my YubiKey for use with Duo 2FA?
How to configure MacPorts Kerberos for Duo Authentication?
Configuring MacPorts Kerberos for Duo Authentication
Using Duo:
By default, every time a website prompts you to login via Touchstone, you will also be prompted via Duo to confirm the login. This is generally once per day, or whenever you restart your web browser. This default behavior is the most secure option available.
How do I login to MIT services that leverage Duo two-factor authentication?
How do I login to MIT services that leverage Duo two-factor authentication?
How do I deactivate a device registered with Duo
- Login to Duo
- Click Next to take you to the main Duo management page
- Find all the entries that correspond to the device you want to deactivate and click Delete Phone
Result: You will not be asked to confirm the deletion. After a brief period, you should see the device removed from your list.
Only my lost/stolen one device is registered, so I can't login to Duo to deactivate my device IS&T Service Desk can help. In order to do so, IS&T will need to verify your identity. See: Get Help. |
Troubleshooting
What should I do if I changed my Duo registered phone number, lost my Smartphone or YubiKey?
You will need to deactivate your old phone number/device and register a new one for Duo.
See: What do I do if my duo enabled device is lost, stolen or I changed my phone number?
How can I switch my Duo authentication to a new device if I get a new phone?
Duo - What should I do if I get a new phone? How to switch registered devices
My account has been locked out due to excessive authentication failures.
- A behavioral change has been implemented that will lock users out of their accounts after 10 failed attempts.
- Accounts will automatically revert to an unlocked state after 90 minutes.
- In exceptional circumstances, you may Contact the IS&T Help Desk <helpdesk@mit.edu>, 617-253.1101 to request your account be unlocked.
How can staff that share the office VoIP phone and don't have a Smartphone enable Duo?
You can get a hardware token that will generate passcodes for Duo. You can contact the IS&T Help Desk <helpdesk@mit.edu>, 617-253.1101 to request a hardware token, or request using a web form at https://ist.mit.edu/duo/token-request.
I am having trouble with my International phone number. What do I do?
- There may be issues registering a mobile device with an international number for Duo because you do not receive the initial text with link that will connect the mobile device to your Duo. If you are unable to obtain a Yubikey in the meantime and will have the international number for an indefinite period, please register the international mobile phone number as a landline device. Input the phone number with the international code to authenticate. You MUST add + before number. With this method, you will get a phone call asking you to authenticate rather than the text with the link. Also, please use the "Remember me for 30 days" option, so the you can avoid receiving exuberant fees from the international Duo authentication calls.
- You can also register your smartphone as a tablet device to use push notifications over the internet, or the 6-digit code generated by the Duo Mobile App which requires no internet access.
I get a blank grey box instead of my push options when trying to authenticate with duo. What do I do?
- This can happen if you have no devices registered for Duo. Check to see if you have registered a device for Duo at http://duo.mit.edu. If not, register one.
- Clear your browser cache and try again.
- Quit and restart your browser, then try again. this can clear up any lingering issues from other sites you've visited recently.
- Disable any custom browser extensions you've installed. Some can cause issues with Duo.
- Try another browser. For example, if you're using IE, try Chrome or Firefox.
See Also
- Duo Authentication Landing Page
- Duo Token (Yubikey) Request Form
- More documentation can be found on the vendor's website.
Get Help
For additional assistance with Duo, troubleshooting, lost/stolen devices, or any other Duo issues, contact the Service Desk.
Account resets for lost/stolen devices or changed phone numbers require identity verification. You will need to provide proof via a valid photo ID (MIT ID, government issued ID card, driver's License, passport, etc).