Options for Two-Factor Authentication (2FA)

This document describes the many options available to you when using Duo for two-factor authentication (2FA) and includes links to enrollment instructions for each option. For a one-page chart designed to help you decide which options are right for you, refer to the Duo Two-Factor Options at-a-Glance chart.

You must enroll a device in Duo before you can use it for two-factor. We recommend that you enroll in a primary option plus at least one backup option. During each login session, you can choose which of your enrolled options to use. (For login instructions, see Using Duo Two-Factor to Log In.)

Duo Mobile App on a Smartphone

Enrolling the Duo Mobile app on a smartphone (a cell phone that allows you to download and install applications) gives you the greatest number of options when you log in to a 2FA-protected system. Most people find the push notification the most convenient option.

  • Push Notification: From the login page, click Send me a Push, open the push notification on your smartphone, and tap Approve to log in. Requires WiFi or mobile data connection. Duo Mobile Push uses a minimal amount of mobile data—less than 2 KB per authentication.
  • Generate a Passcode: No WiFi or mobile data connection needed! The app generates a passcode for you. When you log in and are prompted for two-factor, click the Enter a Passcode button, enter the passcode from the smartphone, then click Log In.
  • Phone Call: From the login page, click Call Me, answer the call on your phone, and press 1 to log in.
  • Passcodes via Text Message: From the login page, click Enter a Passcode, click Text me new codes, and receive a text message that includes 10 passcodes. Enter your passcode on the login page, and click Log In. Ten passcodes are sent because each can be used only once. Passcodes expire after 12 hours.

Enrollment Instructions: Enroll a Smartphone or Tablet in Duo
Supported Device OS Versions: iPhone, Android, Windows Phone

Duo Mobile App on a Tablet

A tablet provides two options with the Duo Mobile app:

  • Push Notification: From the authentication page, click Send me a Push, open the push notification on your tablet, and tap Approve to log in. Requires WiFi or mobile data connection. Duo Mobile Push uses a minimal amount of mobile data – less than 2 KB per authentication.
  • Generate a Passcode: No WiFi or mobile data connection needed! The app generates a passcode for you. When you log in and are prompted for two-factor, click the Enter a Passcode button, enter the passcode from the tablet, then click Log In.

Enrollment Instructions: Enroll a Smartphone or Tablet in Duo
Supported Device OS Versions: iPad, Android

Duo Mobile App on an Apple Watch

An Apple Watch that you have paired with an iPhone with the Duo Mobile app provides two options:

  • Push Notification: From the authentication page, click Send me a Push, open the push notification on your Apple Watch, and tap Approve to log in. Requires WiFi or mobile data connection. Duo Mobile Push uses a minimal amount of mobile data – less than 2 KB per authentication.
  • Generate a Passcode: No WiFi or mobile data connection needed! The app generates a passcode for you. When you log in and are prompted for two-factor, click the Enter a Passcode button, enter the passcode from the Apple Watch, then click Log In.

Enrollment Instructions: Enroll a Smartphone or Tablet in Duo to enroll the paired iPhone. Then use the companion Watch app on the iPhone to show the Duo app on your Apple Watch.
Supported Device OS Versions: iPhoneApple Watch

Duo Push Notifications on an Android Smartwatch

There is not a standalone Duo Mobile app for Android smartwatches, but you can approve authentication requests on your watch via the notification.

  • Push Notification: To approve authentications from an Android smartwatch or wearable device, your Android phone must be unlocked. If your phone is normally locked (recommended), you can enable Smart Lock on your Android phone in order to approve notification actions from a wearable device. For instructions, refer to Set your device to automatically unlock.

Enrollment Instructions: Enroll a Smartphone or Tablet in Duo to enroll an Android phone that you have paired with an Android smartwatch. Ensure that notifications are enabled on your phone and that your watch is paired with your phone. To approve authentications, your phone must be unlocked. If your phone is normally locked, you can enable Smart Lock in order to approve notification actions.

Other Cell Phone—Phone Call or Text

Cell phones with text messaging and phone service provide two options:

  • Phone Call: From the login page, click Call Me, answer  the call on your phone, and press 1 to log in.
  • Passcodes via Text Message: From the login page, click Enter a Passcode, click Text me new codes, and receive a text message that includes 10 passcodes. Enter your passcode on the login page, and click Log In. Ten passcodes are sent because each can be used only once. Passcodes expire after 12 hours.

Enrollment Instructions: Enroll a Landline or Non-Smart Cell Phone in Duo

Landline Phone Call

  • Phone Call: From the login page, click Call Me, answer the call on your phone, and press 1 to log in.

Enrollment Instructions: Enroll a Landline or Non-Smart Cell Phone in Duo

Duo Hardware Token

  • From the login page, click Enter a Passcode. Press the button on your Duo hardware token to generate a passcode, enter your passcode on the authentication page, and click Log In. Hardware tokens are available for purchase from the Computer Showcase. A hardware token costs $25.

Purchase and Enrollment Instructions: Hardware Tokens - Purchase and Enrollment

Emergency Bypass Code

In an emergency when you don't have any of your Duo options available to you, you can phone the ITS Service Center for an emergency bypass code.

  1. Phone the Service Center at 734-764-HELP (764-4357).
  2. Ask for a Duo two-factor emergency bypass code and say how long you need it for. The Service Center can give you a bypass code that is good for up to four days. Extended-use bypass codes require security approval, which the Service Center can request for you if needed.
  3. You will be asked to verify your identity by providing information such as your date of birth.
  4. When you log in and are prompted for two-factor, click the Enter a Passcode button, enter the passcode, then click Log In.

Future Possibilities

Some people have asked about the possibility of using third-party hardware tokens (for example, YubiKey) with Duo. At this time we are not enrolling third-party hardware tokens, although the options are being reviewed.

Last Updated: 
Friday, July 27, 2018