Frequently Asked Questions about Duo 2-Factor Authentication


 

Introduction

2-factor enrollment is required to log into many Virginia Tech Web-based systems. To use these Web sites and services that use the Login service, you are required to authenticate with a second factor.

 

Contents

Related Links

 

How many devices/factors should I enroll?

Enroll a minimum of two devices. That way if one is unusable you can use the backup and therefore if you have a backup you will still be able to access Virginia Tech 2FA websites.

Duo authentication methods from most to least secure:

  1. Touch ID
  2. Security keys
  3. Verified Duo Push
  4. Duo Mobile push approval
  5. YubiKey passcodes
  6. Duo Mobile generated passcodes
  7. Hardware token passcodes
  8. SMS passcodes
  9. Phone call approval

Top of the page

How do I add a New Device

  1. When logging into a VT 2fa protected website, at the first login screen enter username/password normally.
  2. When the duo login screen is presented, click on "Other options".
    NOTE if the two factor screen is bypassed, open a new Chrome incognito / Edge inPrivate / Firefox private window.
  3. Follow the directions at Add or manage devices

Top of the page

How Do I Login without My Phone or Any 2-Factor Device if It Is Lost, Forgotten, Broken or Unavailable?

If you temporarily misplaced, left, forget it at home, broke, or otherwise can't use or access your 2-factor device to authenticate:

  1. If you have an additional device enrolled, use that device to authenticate.
  2. Otherwise, you must *call* 4Help at 540-231-4357 to get a bypass code. Bypass codes are *not* given online or by email.

Top of the page

How Can I Login without Internet, Network, or Cellular Service Connectivity? (International / Overseas)

****When outside of the continental United States, 4Help highly recommends Authenticating with a Passcode from Duo App , Backup codes from the Virginia Tech Website or a previously enrolled Hardware Token .****

Authenticating via voice call or SMS text message when outside of the continental United States *may not work* because Duo rate charges exceed Virginia Tech's limit of 20. It is very important to note the credit rate for the location where you will be authenticating. As seen on Duo's Rate Card page, Duo will not send a voice call or SMS text message if a single phone call or SMS text message uses more than 20 credits. For additional information and rates that apply to your location, see Duo's Rate Card page.

Some locations will be blocked due to government regulations that are subject to change without notice per https://help.duo.com/s/article/7544?language=en_US.

(If you do not have access to any method of authenticating with a second factor, follow the instructions at Lost, Forgot, Broke, or Unavailable 2-Factor Device.)

In case you need to authenticate without Internet or cellular service in the future, 4Help advises doing at least one of the following when you are on campus:

Top of the page

What Do I Do about Duo Mobile App Errors, Problems, Connection Issues, or Duo Push Not Received?

Occasionally you may experience connectivity issues such as not receiving Duo Push notifications or timeout errors. This problem is often resolved by refreshing the Duo Mobile app. To do that:

  1. If you recently disabled or turned off your device's airplane mode, wait five minutes after turning off airplane mode.
  2. On your device, start the Duo Mobile app.
  3. Between the Virginia Tech logo and the key, tap and pull down on the window, and then release.
  4. The app will be refreshed.

Top of the page

What Do I Do when the Duo Window in the Browser Doesn't Load or Is Blank?

Go to the Duo Security Status Web page, and look for any interruption of service.  If that Web page does not list any issues, then one of these conditions may be causing the problem:

If you have difficulty correcting these issues, contact 4Help by clicking Get Help at the top of this page or at http://4help.vt.edu.

Top of the page

How Do I Get and Print Backup Codes from the Virginia Tech Web Site?

  1. If you cannot authenticate with any second factor, follow the instructions at Lost, Forgot, Broke, or Unavailable 2-Factor Device instead of these instructions.
  2. Log in to the Virginia Tech accounts site at Accounts.it.vt.edu.
  3. Use the left hand menu to navigate to the 2-Factor page.
  4. In the middle of the page click Generate passcodes.
  5. To confirm that you understand the warning displayed, click Generate.
  6. On the Web page, click Print.
  7. Your printer settings will appear. Select the printer you want to use, and then click OK.
  8. Store the printed paper in a secure location, and use a pencil or pen to mark when you use each code. Each code can only be used once.
  9. Any Duo passcodes you previously printed from this Virginia Tech Web site will no longer work.

Top of the page

How do I Enable or Disable Duo Push to Automatically Push a Notification to My Phone?

Duo Up does not have an auto send feature.

How Can I Temporarily Skip 2-Factor Authentication by Using Remembered Devices?

For more information on using remember devices see Remembered Devices

Top of the page

What Do I Do When I Can't Add a New Device, Can't Access Manage My Settings and Devices, or 2-Factor Is Automatically Skipped?

If you have Remembered Devices enabled you will bypass and skip all of the 2-factor pages and prompts.

To get to "Manage Devices"

  1. Open a new Chrome incognito / Edge inPrivate / Firefox private window.
  2. When logging into a VT 2fa protected website, at the first login screen enter username/password normally.
  3. When the duo login screen is presented, click on Other options.
  4. On the Other options to log in screen, at the bottom, click on Manage Devices.
  5. Complete the authentication with your second factor to access Manage Devices.

Top of the page

What Are the Supported Browsers?

The currently supported browsers can be found on the supported browsers page:

Top of the page

How Do I Rename a YubiKey, D-100, or Software Token?

Yubikeys can be renamed by selecting "Other options" and "Manage Devices" during Duo login. The Duo system does not allow you to change the name of or rename any D-100 or software token; each of those tokens will be assigned a unique set of characters.

Top of the page

How Do I Reactivate the Duo Mobile App?

  1. In your browser, open a new Chrome incognito / Edge inPrivate / Firefox private window.
  2. When logging into a VT 2fa protected website, at the first login screen enter username/password normally.
  3. When the duo login screen is presented, click on Other options.
  4. On the Other options to log in screen, at the bottom, click on Manage Devices.
  5. Complete the authentication with your second factor to access Manage Devices.
  6. Follow the instructions on the Reactivate Duo Mobile for an Existing Device page.

Top of the page

How Do I Remove or Delete an Authentication Device from My Duo Account?

  1. Open a new Chrome incognito / Edge inPrivate / Firefox private window.
  2. When logging into a VT 2fa protected website, at the first login screen enter username/password normally.
  3. When the duo login screen is presented, click on Other options.
  4. On the Other options to log in screen, at the bottom, click on Manage Devices.
  5. Complete the authentication with your second factor to access Manage Devices.
  6. Follow the instructions in the Remove Device section on the Rename or Remove a Device page.

Top of the page

How Do I Set or Change the Default Duo Authentication Device?

Duo Up does not provide the option to set a default device.

Top of the page

Why Does Remembered Devices Not Work, and Not Keep Me Logged in?

The Remembered Devices functionality requires persistent cookies in your browser.  If your browser is not remembering that you enabled Remembered Devices, then check the cookie settings of your browser. To find information on the cookie settings of your browser, click the following link to search Google: browser cookie settings.

Chrome's "incognito" setting, Firefox's "private window", and Internet Explorer's/Edge's "InPrivate" settings will cause the Remembered Devices feature to not work.

How Can I Use Remembered Devices while Blocking Cookies?

If you set your browser to block all cookies, the Remembered Devices feature will not work. To fix this, allow "duosecurity.com" as an trusted exception. To do this follow the directions for your specific browser to make a trusted exception.

 

Top of the page

Can I Use 2-Factor without a Mobile Device?

2-factor can be used with landlines and hardware tokens. Employees who have university landlines should enroll their landlines by following the instructions at Phone for Call or Text.

Although mobile phones, tablets and landlines are the preferred options, hardware fobs and tokens that use the OATH (HOTP or TOTP) and YubiKey AES protocols are supported.

Top of the page

What if I Don't Want the Duo App on My Phone?

You can use your phone as your second factor without using the Duo App. To do this:

Top of the page

What if I Got a New Phone with the Same Phone Number?

Top of the page

 

How Do I Enroll a Device without a Computer or When I Can't Scan the QR Code?

To activate Duo Mobile when you cannot get the barcode to scan, or when you only have access to a single screen or device:

  1. Resolve not being able to scan the QR code by following the instructions at Duo Mobile step 4.

Top of the page

How Can I Log in if the Account Was Accidentally Deleted or Removed from the Duo App?

Top of the page

What Do I Do after I Accidentally Deleted or Removed My Second Factor Device?

Top of the page

 

Why Do I Get the D-100 Incorrect Passcode or Token Out of Sync Error Message?

Tokens can become out of sync if 20 different codes are displayed without using one of the codes to authenticate to Duo.

To fix this problem, follow the directions at Resync D-100.

Top of the page

 

Search words: two-factor, two step, multi-factor, 2FA, sign in

Top of the page