Enrolling or Adding a Second Factor Device to Duo 2-Factor Authentication


Introduction

2-factor enrollment (setup and configuration) is required to log into many Virginia Tech Web-based systems. To use these Web sites and services that use the Login service, you are required to authenticate with a second factor.

Top of the page

Contents

Related Links

Instructions

Devices that Can Be Used as a Second Factor

  Device Type Cost
Image of the green and white logo of Duo authentication

The Duo app on a smartphone.

If wireless Internet is not connected, push notifications may incur carrier data charges.

Representation of the described device A D-100 which is a physical token smaller than a deck of playing cards that will display a 6-digit passcode. It does not require any Internet or data connection.  

Individual: $27+
Departmental purchase available

 Image of a YubiKey A YubiKey which is a physical hardware token you insert into a USB slot on your computer.  

Individual: $40+
Departmental purchase available

 Clip art of a blank smartphone and a blank callout / speech balloon Text messages on any cellular phone or smartphone Any fee for SMS text message
 Clip art of a black, rotary telephone A landline, smartphone, or cellular phone that can receive voice calls at your office, home, or other location. Any fee for voice calls

Using a smartphone as your second factor will present multiple authentication options each time you authenticate, including receiving a voice call or a text message, or generating a passcode from the Duo app which does not require Internet or cellular service.

Requirements for Enrolling for the First Time

Enrolling a Smartphone, Tablet, or Mobile Device by Installing the Duo Mobile App

Using a smartphone as your second factor will present multiple authentication options each time you authenticate, including receiving a voice call or a text message, or generating a passcode from the Duo app which does not require Internet or cellular service.

  1. Ensure that you are within the continental United States, because enrolling when outside of the continental United States may not work.
    (For more information, see Authenticating without Internet, Network, or Cellular Service (International / Overseas).)
  2. Download and install the Duo Mobile app.
    1. In the app store app on your mobile device, search for Duo Mobile.
    2. Download and install the Duo Mobile app.
      (For information on how to download and install apps, see your mobile device's documentation.)
  3. Start logging on to OneCampus.
    1.  Go to the OneCampus page.
    2. If the page appears dark with text overlaid, click anywhere on the page to dismiss the overlaid text.
    3. If any OneCampus announcements appear, after reading the text, click the appropriate button to dismiss the announcement window.
    4. Near the top-right corner of the page, below the maroon banner, in the black bar, click Sign In.
    5. From the drop-down that appears, click Sign In.
    6. Type your credentials.
      1. In the Username text box, type your VT Username (PID), which is the first part of your @vt.edu email address.
      2. In the Password text box, type your VT Username (PID) passphrase.
      3. Click Login.
    7. If you have not yet registered for 2-factor, click Enroll.
    8. If you receive an automatic call or push notification, in the browser, click Cancel.
      (Do not complete authentication with your second factor, yet.)
  4.  In the Duo frame, under the Virginia Tech logo, click Add a new device.
  5. If prompted to Choose an authentication device, authenticate with a second-factor that is different from the second-factor you want to add.
  6. Follow the instructions on Duo’s Enrollment Guide page starting with the “Step 2: Choose Your Authentication Device Type” heading.

Top of the page

Enrolling a Landline

  1. If your phone number requires an extension, stop following these steps, and instead contact 4Help by clicking Get Help at the top of this page.
  2. Ensure that you are within the continental United States, because enrolling when outside of the continental United States may not work.
    (For more information, see Authenticating without Internet, Network, or Cellular Service (International / Overseas).)
  3. If your phone number requires an extension, do not follow these steps, and instead contact 4Help by clicking Get Help at the top of this page.
  4. Start logging on to OneCampus.
    1.  Go to the OneCampus page.
    2. If the page appears dark with text overlaid, click anywhere on the page to dismiss the overlaid text.
    3. If any OneCampus announcements appear, after reading the text, click the appropriate button to dismiss the announcement window.
    4. Near the top-right corner of the page, below the maroon banner, in the black bar, click Sign In.
    5. From the drop-down that appears, click Sign In.
    6. Type your credentials.
      1. In the Username text box, type your VT Username (PID), which is the first part of your @vt.edu email address.
      2. In the Password text box, type your VT Username (PID) passphrase.
      3. Click Login.
    7. If you have not yet registered for 2-factor, click Enroll.
    8. If you receive an automatic call or push notification, in the browser, click Cancel.
      (Do not complete authentication with your second factor, yet.)
  5.  In the Duo frame, under the Virginia Tech logo, click Add a new device.
  6. If prompted to Choose an authentication device, authenticate with a second-factor that is different from the second-factor you want to add.
  7. Click Landline.
  8. Click Continue.
  9.  In the text box on the Web page, type the landline phone number.
  10. If your phone number requires an extension, stop following these steps, and instead contact 4Help by clicking Get Help at the top of this page.
  11. Place a check in the check box to verify the phone number is correct.
  12. Click Continue.
  13. If you see Verify Ownership:
    1.  Click Call me.
    2. Answer the phone call, and listen to the automated voice to receive a verification code.
    3. In the text box on the Web page, type the verification code.
    4. Click Verify.
    5. Once the code has been verified, click Continue.

Top of the page

Enrolling a Cell Phone ('Dumb' Phone / Non-Smartphone)

  1. Ensure that you are within the continental United States, because enrolling when outside of the continental United States may not work.
    (For more information, see Authenticating without Internet, Network, or Cellular Service (International / Overseas).)
  2. Start logging on to OneCampus.
    1.  Go to the OneCampus page.
    2. If the page appears dark with text overlaid, click anywhere on the page to dismiss the overlaid text.
    3. If any OneCampus announcements appear, after reading the text, click the appropriate button to dismiss the announcement window.
    4. Near the top-right corner of the page, below the maroon banner, in the black bar, click Sign In.
    5. From the drop-down that appears, click Sign In.
    6. Type your credentials.
      1. In the Username text box, type your VT Username (PID), which is the first part of your @vt.edu email address.
      2. In the Password text box, type your VT Username (PID) passphrase.
      3. Click Login.
    7. If you have not yet registered for 2-factor, click Enroll.
    8. If you receive an automatic call or push notification, in the browser, click Cancel.
      (Do not complete authentication with your second factor, yet.)
  3.  In the Duo frame, under the Virginia Tech logo, click Add a new device.
  4. If prompted to Choose an authentication device, authenticate with a second-factor that is different from the second-factor you want to add.
  5. Click Mobile phone.
  6. Click Continue.
  7. Follow the instructions under Step Three: Type Your Phone Number on Duo’s Enrollment Guide page, and then continue following these instructions.
  8.  When prompted to choose the type or platform of the device, click Other (and cell phones).
  9. Click Continue.
  10. You will see “Device successfully added!”.

Top of the page

Hardware and Software Token Information

For comparison and purchasing information on D-100 and YubiKey tokens, see YubiKey and D-100 Hardware Tokens for Duo 2-Factor Authentication.

Top of the page

Enrolling a Duo D-100 Token

  1. Ensure that you are within the continental United States, because enrolling when outside of the continental United States may not work.
    (For more information, see Authenticating without Internet, Network, or Cellular Service (International / Overseas).)
  2. From OneCampus, launch Manage Accounts.
    1. Go to the OneCampus page.
    2. If the page appears dark with text overlaid, click anywhere on the page to dismiss the overlaid text.
    3. If any OneCampus announcements appear, after reading the text, click the appropriate button to dismiss the announcement window.
    4. In the What would you like to do? search box, type: account.
    5. On the keyboard, press the Enter or Return key.
    6. In the search results, click Manage Accounts.
    7. On the Manage Accounts page that appears, click My accounts.
    8. On the Login page, type your VT Username (PID) and VT Username (PID) passphrase, and click Login.
    9. If you have not yet registered for 2-factor, click the Enroll button.
    10. If prompted to Choose an authentication device, authenticate with a second-factor that is different from the second-factor you want to add.
  3. Near the bottom of the page, in the 2-Factor Account section, click Manage tokens.
  4. Under Enrolled Tokens, click Enroll Token.
  5. Click Enroll Hardware Token.
  6. Click Duo D-100.
  7. In the Serial Number text box, type the serial number that can be found on the back of your D-100.
    • If the serial number on the back of the token starts with DSEC, type all of the characters. Example: DESC00000000
    • If the serial number on the back of the token starts with a number (such as 00-0000000-0), type all of the characters without the dashes. Example: 0000000000
  8. Click Lookup.
  9. In the text box, type the six-digit numeric code displayed on your D-100 displayed by pressing the button on the D-100.
  10. Click Verify.
  11. Your D-100 is now added to your account.

Top of the page

Enrolling a YubiKey as AES/OTP to Use in Any Browser

  1. Ensure that you are within the continental United States, because enrolling when outside of the continental United States may not work.
    (For more information, see Authenticating without Internet, Network, or Cellular Service (International / Overseas).)
  2. If you did not obtain a pre-registered YubiKey from your department or Hokie Centric, skip to step 15 "Registering and Enrolling YubiKey Using the Personalization Tool" of this section.
  3. From OneCampus, launch Manage Accounts.
    1. Go to the OneCampus page.
    2. If the page appears dark with text overlaid, click anywhere on the page to dismiss the overlaid text.
    3. If any OneCampus announcements appear, after reading the text, click the appropriate button to dismiss the announcement window.
    4. In the What would you like to do? search box, type: account.
    5. On the keyboard, press the Enter or Return key.
    6. In the search results, click Manage Accounts.
    7. On the Manage Accounts page that appears, click My accounts.
    8. On the Login page, type your VT Username (PID) and VT Username (PID) passphrase, and click Login.
    9. If you have not yet registered for 2-factor, click the Enroll button.
    10. If prompted to Choose an authentication device, authenticate with a second-factor that is different from the second-factor you want to add.
  4. Near the bottom of the page, in the 2-Factor Account section, click Manage tokens.
  5. Under Enrolled Tokens, click Enroll Token.
  6. Click Enroll YubiKey OTP Token.
  7. In the browser window, in the Serial Number text box, type the serial number of the YubiKey.
    (The number is usually printed in small letters on the YubiKey. It may also be found on the packaging in which the YubiKey came.)
  8. Click Lookup.
  9. If prompted about the token already exist, click Enroll.
  10. If you see the Private ID text box, skip to step 15 "Registering and Enrolling YubiKey Using the Personalization Tool" of this section.
  11. Insert the YubiKey into a USB port of your computer.
  12. Click to place your cursor in the Use the token to generate a Passcode text box.
  13. While the YubiKey is in the USB port of your computer, press the center of your YubiKey for 1 to 3 seconds to generate a string of letters.
  14. If the page does not automatically start loading, click Submit.
  15. You will see a message saying you’ve successfully enrolled your YubiKey.
  16. Registering and enrolling YubiKey using the Personalization Tool:
    1. If you were already using your YubiKey for other services, this procedure will cause it to stop working for those other services.
    2. Configure your YubiKey using the Personalization Tool.
      1. Download and install the YubiKey Personalization Tool from the Yubico website.
        • For Windows:
          1. Go to the YubiKey Personalization Tool page.
          2. Under the YubiKey Personalization Tool (preferred) heading, click Microsoft Windows Download.
          3. When the download is complete, in Windows Explorer of File Explorer, double-click the file that you just downloaded.
          4. Follow the directions in the installer to finish installing it.
        • For Mac OS:
          1. Go to the YubiKey Personalization Tool page.
          2. Under the YubiKey Personalization Tool (preferred) heading, click Mac Download (.pkg file).
          3. When the download is complete, in Finder, double-click the file that you just downloaded.
          4. Follow the directions in the installer to finish installing it.
      2. Insert your YubiKey into the USB port.
      3. Verify it is plugged in correctly by looking for either:
        • A solid or blinking green light in the middle of the gold circle
        • The upper-right corner of the YubiKey Personalization Tool window should display “YubiKey is inserted”
      4. In Mac OS, if you see a prompt to set up a new keyboard, close the window, and continue with these instructions.
      5. Start YubiKey Personalization Tool.
      6.  Under Personalize your YubiKey in:, click Yubico OTP Mode.
      7. Click Quick.
      8.  Click Configuration Slot 1.
      9. Clear the Hide values checkbox.
      10. Click Write Configuration.
      11. Keep this window open in order to register your token with Duo 2-factor authentication.
      12.  If you see a window about overwriting the configuration in Slot 1, click Yes.
        (This is normal as some YubiKeys come preconfigured with YubiCloud credentials.)
      13. If prompted to save the log file, we recommend you click Cancel.
        (It would contain your private key and can compromise the security of your token.)
    3. Register your token with Duo 2-factor authentication.
      1. From OneCampus, launch Manage Accounts.
        1. Go to the OneCampus page.
        2. If the page appears dark with text overlaid, click anywhere on the page to dismiss the overlaid text.
        3. If any OneCampus announcements appear, after reading the text, click the appropriate button to dismiss the announcement window.
        4. In the What would you like to do? search box, type: account.
        5. On the keyboard, press the Enter or Return key.
        6. In the search results, click Manage Accounts.
        7. On the Manage Accounts page that appears, click My accounts.
        8. On the Login page, type your VT Username (PID) and VT Username (PID) passphrase, and click Login.
        9. If you have not yet registered for 2-factor, click the Enroll button.
        10. If prompted to Choose an authentication device, authenticate with a second-factor that is different from the second-factor you want to add.
      2. Near the bottom of the page, in the 2-Factor Account section, click Manage tokens.
      3. Under Enrolled Tokens, click Enroll Token.
      4. Click Enroll YubiKey OTP Token.
      5. In the YubiKey Personalization Tool that you left open, in the right pane, under the image of your token, under the Serial Number heading, to the right of Dec:, click the clipboard.
      6. In the browser window, in the Serial Number text box, paste the copied serial number.
      7. Click Lookup.
      8. If prompted about the token already exists, click Enroll.
      9. If you see the Use token to generate a passcode text box, follow the instructions at the top of this section instead of continuing.
      10. In the YubiKey personalization Tool, find the token Private ID and Secret Key.
      11. In the YubiKey Personalization Tool, in the Private Identity (6 bytes Hex) text box, highlight all of the text.
      12. Copy the highlighted text.
      13. In the browser window, in the Private ID text box, paste the copied text.
      14. In the YubiKey Personalization Tool, in the Secret Key (16 bytes Hex) text box, highlight all of the text.
      15. Copy the highlighted text.
      16. In the browser window, in the Secret Key text box, paste the copied text.
      17. Click Verify Token.
      18. Press the center of your YubiKey for 1 to 3 seconds to generate a passcode in the Passcode text box.
      19. Click Submit.
      20. You will see a message saying you’ve successfully enrolled your YubiKey.

Top of the page

Enrolling the WinAuth Software (Windows Only)

WinAuth is a no cost, third-party, software for your computer that can generate one-time-use passcodes so that no additional device interaction is necessary for authenticating.

  1. You must first enroll a different type of device such as a mobile phone, landline telephone, tablet, or token before enrolling with WinAuth . For instructions, see the other sections on this page.
  2. Download and extract the WinAuth program.
    1. Go to the Download WinAuth page.
    2. Under the WinAuth Version X.X heading, click WinAuth X.X where X.X is a version number. The link will look similar to: WinAuth 3.5.1.
    3. If prompted, save the file to your computer.
    4. Extract the .zip file that you just downloaded.
      1. When the download is complete, in Windows Explorer or File Explorer, right-click WinAuth-X.X.zip where X.X is a version number.
      2. From the drop-down, click Extract All....
      3. To accept the default location for the extracted files, click Extract. Another window will appear with the extracted file.
  3. Optionally, to pin the icon to the taskbar at the bottom of your screen for easy access:
    1. Right-click WinAuth.
    2. Click Pin to taskbar.
  4. Start WinAuth by double-clicking WinAuth.
  5. The WinAuth window will appear.
  6. Log on to VT Account Manager.
    1.  Go to VT Account Manager, and click My Accounts.
    2. On the Login page, type your VT Username and VT Username passphrase, and click Login.
    3. If prompted to choose an authentication device, authenticate with a second-factor that is different from the second-factor you want to add.
  7. In VT Account Manager, start enrolling a software OATH token.
    1.  Near the bottom of the page, to the right of the 2-factor account heading, click Manage tokens.
    2. Under Enrolled Tokens, click Enroll Token.
    3. Click Enroll Software OATH Token.
    4. Place your mouse cursor over the QR code, and right-click.
    5. From the drop-down, click Copy image address or Copy image location or Copy shortcut or Copy link depending on the browser you are using.
  8. In the WinAuth window:
    1. In the WinAuth window, click Add.
    2. Click Authenticator. The Add Authenticator window will appear.
    3. In the Add Authenticator window:
      1. In the Name: text box, type: Virginia Tech (ABC) but replace ABC with your VT Username.
      2. Under step 1, in the text box to the left of the Decode button, right-click, and from the drop-down, click Paste.
      3. Click Verify Authenticator.
  9. In the Accounts window:
    1. Click Verify Token.
    2. In the Passcode text box, type the six-digit code generated in the WinAuth Add Authenticator window.
    3. Click Submit.
  10. In the WinAuth Add Authenticator window:
    1. Click OK.
    2. In the Protection window, verify that the Protect with my own password check box is checked.
    3. In the Password text box, type a new password.
      (Please see Changing My Password for information on creating a strong password.)
    4. In the Verify text box, re-type the new password.
    5. Click OK.
  11. WinAuth is now successfully added. The WinAuth window will now display a six-digit code you can use as your second factor.

You can now use WinAuth from this computer for 2-factor authentication.

Top of the page

Search words: two-factor, two step, multi-factor, 2FA, sign in

Top of the page