Frequently Asked Questions about Duo 2-Factor Authentication
Notice: Duo Security has announced that the existing 2FA interface is reaching end-of-life 1Q24 and as a result all applications that use the existing interface will be updated. This won't happen all at once, so until 2Q24 users may still see the existing interface.
Traditional Duo login
Duo UP
Introduction
2-factor enrollment is required to log into many Virginia Tech Web-based systems. To use these Web sites and services that use the Login service, you are required to authenticate with a second factor.
Authenticating via voice call or SMS text message when outside of the continental United States *may not work* because Duo rate charges exceed Virginia Tech's limit of 20. It is very important to note the credit rate for the location where you will be authenticating. As seen on Duo's Rate Card page, Duo will not send a voice call or SMS text message if a single phone call or SMS text message uses more than 20 credits. For additional information and rates that apply to your location, see Duo's Rate Card page.
In case you need to authenticate without Internet or cellular service in the future, 4Help advises doing at least one of the following when you are on campus:
Use a D-100 token which you have already enrolled to your account. D-100 tokens do not require any Internet or cellular connectivity to be used as a second factor. For more information, see Authenticating Using the Duo D-100.
What Do I Do about Duo Mobile App Errors, Problems, Connection Issues, or Duo Push Not Received?
Occasionally you may experience connectivity issues such as not receiving Duo Push notifications or timeout errors. This problem is often resolved by refreshing the Duo Mobile app. To do that:
If you recently disabled or turned off your device's airplane mode, wait five minutes after turning off airplane mode.
On your device, start the Duo Mobile app.
Between the Virginia Tech logo and the key, tap and pull down on the window, and then release.
What Do I Do when the Duo Window Frame in the Browser Doesn't Load or Is Blank?
Go to the Duo Security Status Web page, and look for any interruption of service. If that Web page does not list any issues, then one of these conditions may be causing the problem:
You have a firewall installed on your device and it is preventing your browsers from reaching Duo.
You have Parental Controls or other restrictions on your device and that is preventing your browsers from reaching Duo.
If you have difficulty correcting these issues, contact 4Help by clicking Get Help at the top of this page or at http://4help.vt.edu.
How do I Enable or Disable Duo Push to Automatically Push a Notification to My Phone?
When you turn on this auto-send feature, the "Remember Me for 7 days" feature cannot be turned on. In other words, you cannot use both auto-send and "Remember Me for 7 days" at the same time.
If the page appears dark with text overlaid, click anywhere on the page to dismiss the overlaid text.
If any OneCampus announcements appear, after reading the text, click the appropriate button to dismiss the announcement window.
Near the top-right corner of the page, below the maroon banner, in the black bar, click Sign In.
From the drop-down that appears, click Sign In.
Type your credentials.
In the Username text box, type your VT Username (PID), which is the first part of your @vt.edu email address.
In the Password text box, type your VT Username (PID) passphrase.
Click Login.
If you have not yet registered for 2-factor, click Enroll.
If you receive an automatic call or push notification, in the browser, click Cancel. (Do *not* complete authentication with your second factor, yet.)
In the Duo frame, under the Virginia Tech logo, click My Settings & Devices.
Complete the authentication with your second factor to access My Settings & Devices.
Use the When I log in: drop-down.
To turn on auto-send:
At the bottom of the Duo frame, from the Default Device: drop-down, click the device that you want to automatically be used each time you sign into a service that requires 2-factor.
From the When I log in: drop-down, click either Automatically send this device a Duo Push or Automatically call this device.
Click Save.
To turn off auto-send:
At the bottom of the Duo frame, from the Default Device: drop-down, click the device that is being used automatically.
From the When I log in: drop-down, click Ask me to choose an authentication method.
Click Save.
How Can I Temporarily Skip 2-Factor Authentication by Using the "Remember me for 7 days" Check Box?
On the screen where you are prompted to choose an authentication device, if you place a check in Remember me for 7 days and then successfully authenticate with your second factor, you will not be prompted for your second factor again within seven days *when on this computer, and using this browser*. This will remain in effect for 7 days, even if you use "CAS Logout". You will still be prompted for your VT Username and passphrase when logging on, but not for your second factor
What Do I Do When I Can't Add a New Device, Can't Access Manage My Settings and Devices, 2-Factor Is Automatically Skipped, or "Remember me for 7 days" Is Greyed Out?
If you have any of the following enabled:
Auto-send (Duo Push notifications)
Auto-call
"Remember me for 7 days"
You will bypass and skip all of the 2-factor pages and prompts.
To get to "Add a new device" or "My Settings and Devices" or to enable or disable "Remember me for 7 days":
Why Does "Remember Me for 7 Days" Not Work, and Not Keep Me Logged in?
The "Remember me" functionality requires persistent cookies in your browser. If your browser is not remembering that you checked the "Remember me for 7 days" box, then check the cookie settings of your browser. To find information on the cookie settings of your browser, click the following link to search Google: browser cookie settings.
Chrome's "incognito" setting, Firefox's "private window", and Internet Explorer's/Edge's "InPrivate" settings will cause the "Remember me for 7 days" feature to not work.
How Can I Use "Remember Me for 7 Days" while Blocking Cookies?
If you set your browser to block all cookies, the 'Remember me for 7 days' feature will not work. To fix this, allow "duosecurity.com" as an trusted exception. To do this:
Edge:
In Edge, in the top-right of the window, click the hamburger menu represented by three dots.
Click Settings.
Click on Cookies and site permissions.
Click on the > at the end of Manage and delete cookies and site data.
Click on Add in the Allow section
In the Site: text box, type: duosecurity.com
Click Add.
Firefox:
In Firefox, in the top-right of the window, click the hamburger menu represented by three horizontal lines.
Click Settings.
In the left pane, click Privacy & Security.
In the Cookies and Site Data section, click ManageExceptions.
In the Address of website: text box, type: duosecurity.com
Click Allow.
Click Save Changes.
Chrome:
In Chrome, near the top-right of the window, click the hamburger menu represented by three horizontal dots.
From the drop-down, click Settings.
In the left hand menu click on Privacy and security.
In the Privacy and security box click Cookies and other site data.
Scroll down to Always clear cookies when windows are closed and click on the Add button.
In the Add a site popup, in the Site text box, type: duosecurity.com
2-factor can be used with landlines and hardware tokens. Employees who have university landlines should enroll their landlines by following the instructions at Enrolling a Landline.
Although mobile phones, tablets and landlines are the preferred options, hardware fobs and tokens that use the OATH (HOTP or TOTP) and YubiKey AES protocols are supported.
You can use your phone as your second factor without using the Duo App. To do this:
Enroll your smartphone or cell phone as Other (including cellphones) by following the instructions at Enrolling a Cellphone ('Dumb' Phone / Non-Smartphone). This will allow you to receive SMS codes or a telephone call to your phone and use the given code as your second factor.
Enroll your smartphone or cell phone as Landline by following the instructions at Enrolling a Landline. This will allow you to receive a telephone call to your phone and use the given code as your second factor.
Enroll a landline at your office or other location as Landline by following the instructions at Enrolling a Landline. This is useful when you are physically close to the telephone.
How Do I Set a Token as My Default Authentication Device?
Duo does not provide the option to set a YubiKey, D-100, or other token as the default authentication method, because those devices are not capable of receiving an automatic prompt.
Only devices that can receive a notification (such as a smartphone with the Duo app or any type of telephone that can receive a voice call) can be your default authentication method.
However, you can authenticate with a YubiKey, D-100, or other token any time you are prompted for a second factor: click Enter a Passcode and then complete authentication with your token. If a push notification or automatic phone call has been sent, you can ignore that and authenticate with your token instead. The token does not need to be selected in the Device drop-down list in order for token authentication to work.
When you get to the QR code screen, depending on the type of device:
Smart phone:
On the Activate Duo Mobile screen, tap Having Problems? We'll send you an activation link instead. (You may have to scroll down to see this link.)
In the text box, type an email address that you can access with your mobile device.
Tap Send email. You may need to scroll down to see all the instructions.
You will receive an email from no-reply@duosecurity.com. Open that email on the device you want to activate.
In the email, tap the activation link.
If you see a message that says "Visit this link on your phone to add your account to Duo Mobile:", either your selection of platform was incorrect, or you have opened the email on the wrong device. To fix this, follow the instructions at this section from the beginning.
If you see a Complete the action message:
Tap Duo.
Tap Always.
You will see Account Added Successfully. Virginia Tech will appear in your Duo Mobile app. Tap Continue.
Within the Duo window, you will see Device successfully enrolled. Under Enrolled Devices (PID), your device will be listed. You may need to scroll down to see the entire list.
Tap Done. You will see the normal Duo login prompt.
Tablet:
Select the radio button corresponding to the OS of your device.
Tap Continue.
On the Activate Duo Mobile screen, tap Having Problems? We'll send you an activation link instead.
In the text box, type an email address that you can access with your device.
Tap Send email. You may need to scroll down to see all the buttons.
You will receive an email from no-reply@duosecurity.com. Open that email on the device you want to activate.
In the email, tap the activation link.
If you see a message that says "Visit this link on your phone to add your account to Duo Mobile:", either your selection of platform was incorrect, or you have opened the email on the wrong device. To fix this, follow the instructions in this section from the beginning.
If you see a Complete the action message:
Tap Duo.
Tap Always.
You will see Account Added Successfully. Virginia Tech will appear in your Duo Mobile app. Tap Continue.
Within the Duo window, you will see Device successfully enrolled. Under Enrolled Devices, your device will be listed. You may need to scroll down to see the entire list.
Tap Done. You will see the normal Duo login prompt.
To avoid this problem in the future, we strongly recommend enrolling at least two devices, one of which should be a phone, so that you can always get an SMS code to get in to manage your devices.
If you do not have any previously enrolled second factor devices that can receive SMS text messages from Duo:
You must *call* 4Help at 540-231-4357 and ask for a bypass code, because bypass codes cannot be sent via email or Web browser.
To avoid this problem in the future, we strongly recommend enrolling at least two devices, one of which should be a phone, so that you can always get an SMS code to get in to manage your devices.
If you do not have any previously enrolled second factor devices that can receive SMS text messages from Duo:
You must *call* 4Help at 540-231-4357 and ask for a bypass code, because bypass codes cannot be sent via email or Web browser.
Why Does 2-Factor Authentication Fail or Not Work with the Nuance Dragon 13 Web Browser Extension?
There are two separate solutions for both Firefox and Chrome: disable the extension, or use an incognito / private window. Each method is listed separately below.
Method 1 Google Chrome: Disable the Nuance Dragon 13 Web Extension
Remove the Dragon Web Extension. by following the instructions at Install and manage extensions, under the Manage your extensions heading.
Why Do I Get the D-100 Incorrect Passcode or Token Out of Sync Error Message?
Tokens can become out of sync if 20 different codes are displayed without using one of the codes to authenticate to Duo.
To fix this:
If you do not have access to a second factor other than your D-100, you must *call* 4Help at 540-231-4357. Duo administrators will re-sync the token for you.
If you have access to a second factor other than your D-100:
Log on to the Virginia Tech accounts site through OneCampus.
Why Am I Locked out of HokieServ or Web-CAT? Why Did I Get an Automatic Push when Trying to Log in to HokieServ or Web-CAT?
When you log on to either HokieServ or Web-CAT, after submitting your VT Username (PID) and passphrase, Duo will either auto-push or auto-call your default device. If you have not set a default device, Duo will either auto-push or auto-call the first device you enrolled with Duo.
When attempting to log on to either HokieServ or Web-CAT, your Duo account may become locked if:
you do not have a smartphone with the Duo app installed that can receive Duo Push notifications, or a telephone that can receive automated voice calls from Duo,
or if your enrolled devices are temporarily incapable of receiving an auto-push or an auto-call.
If you are locked out of your Duo account and thus unable to complete second factor authentication, you must *call* 4Help at 540-231-4357 to have an operator assist you in enrolling another device after verbally verifying your identity.