All users should be encouraged to use Enhanced 2FA eligible options and to have multiple 2FA devices.  All users should also be encouraged to print backup codes for themselves as well.

Regardless of their specific request, the goal of every call should be to get people off of SMS and Voice options for 2FA.

There is a limited supply of Yubikeys available.  We will not be able to accommodate all requests for Yubikeys.  We will attempt to fulfill requests in the order that they are received while supplies last and we will prioritize users that have no other options available.

While some users may call to check on the status of their request, most calls will relate to rejecting the request.

Users will be rejected if they do not meet certain eligibility criteria - only using telephony and being an employee. 

When users call 4Help because their request for a Yubikey has been rejected they have been rejected for one of these reasons:

Always complete the checks to determine user eligibility before proceeding. 

They were not in the group for eligibility 

Who Is Eligible?

ACTIVE EMPLOYEES who only use telephone options (voice and SMS) for their DUO 2-Factor authentication

This group is created by uploading data from Duo. It’s possible that this user has been missed due to the way these reports are run. 

Check the user’s affiliations in DAT.

If the user does not have any active employee affiliations (i.e., vt-employee, vt-staff, vt-faculty, vt-wage) they are not eligible for this request item. 

Advise the user that this request is for employees only and direct them to more information about the Enhanced 2FA project 

If the user IS an employee, check the user's Duo authentication logs.  Determine which methods they use. Remember people only using telephone options (voice and SMS) will be eligible.   

If the user has a device capable of complete Enhanced 2FA (any device other than SMS/telephony) that is why they were rejected. 

They do not need to complete this request. 

They can complete the E2FA OPT-IN request  

If the user does NOT have an Enhanced 2FA device (ONLY SMS/voice) find out why and advise them of different options available to be eligible for Enhanced 2FA that they may be unaware of. 

If the user says they have no devices available and no options other than SMS/voice escalate the incident to IMCS. They need to be added to the eligibility group.

They were administratively rejected  


If the user was rejected by the Dean / Director / Department Head (DDDH) they should be directed to the DDDH for questions.  They can resubmit their request after speaking with that person and ensuring approval will be granted.  

If the user was rejected by ISS check Duo logs to see what kinds of devices they have available. Check affiliations to see if this user is eligible.

The method which we use to create the eligible list of users is not real time because it requires using Duo authentication data to determine who is using only telephony.  So there may be a timing issue in some cases if users are very quick on the draw.