Duo Mobile - Multi-Factor Authentication for Auburn University


This article explains what Duo is and why it is an important addition to securing IT resources. In this article you will find instructions to help you get started with Duo, and how to best utilize Duo. Links to our instructional videos and frequently asked questions can be found at the conclusion of this article.

What is Duo Mobile?

Auburn uses Duo Security to prompt individuals for a secondary confirmation of their identity at log in using a physical device in their possession. This process is called multi-factor authentication (MFA). The physical device may be a smartphone or tablet using an app, a text message to a phone, pressing a hardware token, or an automated voice call to landlines or cell phones.

Auburn University employees and students are strongly encouraged to register at least two alternate devices, such as a smartphone or cell phone number (as a landline) or a tablet.

Why Do I Need Duo Mobile?

Duo Mobile is a security requirement for both students and employees. Duo Mobile uses multi-factor authentication to confirm your identity when accessing certain university resources.

This is a partial list of software utilized by Auburn and whether it is protected by VPN or Duo.

VPN Required:

  • Banner Administration
  • File Share (R Drive, etc.)
  • IT Support/remote work
  • Remote Desktop Protocol (RDP)

MFA Required (VPN is NOT required):

  • ServiceNow
  • Box (Cloud Lock, etc.)
  • O365: Email (OWA.auburn.edu and Client Based), Teams, OneDrive
  • OIT Virtual Desktop Interface (VDI) (Horizon, Azure, Windows Virtual Desktop, etc.)
  • Banner Self-Service (Human Resource Liaison may require VPN for some screens)

Auburn Credentials Required (VPN and MFA not required):

  • Canvas
  • Panopto
  • Zoom
  • Kronos

How Do I Set Up Duo Mobile?

You will need to register a device or cell phone number (as a landline) in order to receive the Duo pushes or phone calls for authentication purposes.

Duo's self-enrollment process makes it easy to register your phone and install the Duo Mobile application on your smartphone or tablet. First, visit auburn.edu/duo, log in with your Auburn credentials, and then follow the steps below.

Note: Duo passcodes are not an option during the initial Duo web registration process or when updating existing devices (for example: adding a new phone or changing the preferred order of devices). The passcode option will still display, but if selected, it will generate an "incorrect passcode" error message as shown below.

Duo passcode error message

Note: If you are a YubiKey user or have a hardware token, this device may have already been registered for you and you may not be able to follow the instructions below. If you would like to register an additional device, scroll down to the section on "Manage Existing Devices."

Navigate to auburn.edu/duo and click "Start Setup."

Begin Enrollment

Choose your Authenticator (Device)

Select the type of device you would like to enroll and click "Continue." A smartphone is recommended for the best experience, but a telephone (cell phone or landline) number or iOS/Android tablet may also be enrolled.

Select Device Type

Type your Phone Number

Select your country from the drop-down list and type your phone number. Use the number of your smartphone, landline, or cell phone that you will have with you when you are logging in to a Duo-protected service. If you chose "Landline" in the previous step, complete this screen with your phone extension.

Verify that you have correctly entered the telephone number, check the box, and click "Continue."

*If you are enrolling a tablet, you will not be prompted to enter a telephone number.

Enter and Confirm Phone Number

Choose Platform

Choose your device's operating system and click "Continue."

Select Device Platform

Install Duo Mobile

Duo Mobile is an app that runs on your smartphone and helps you authenticate quickly and easily. Without it you will still be able to log in using a phone call or text message, but for the best experience we recommend that you use Duo Mobile.

Follow the platform-specific instructions on the screen to install Duo Mobile. After installing our app return to the enrollment window and click "I have Duo Mobile installed."

Install Duo Mobile

Activate Duo Mobile

Activating the App will link it to your account so you can use it for authentication.

On iPhone, Android, Windows Phone, and BlackBerry 10, activate Duo Mobile by scanning the barcode with the app's built-in barcode scanner. Follow the platform-specific instructions for your device:

Scan Barcode to Activate

The "Continue" button is clickable after you scan the barcode successfully.

Activation Success

Can't scan the barcode? Click "Having problems?" and we will send you an activation link instead.

Configure Automatic Device Options (optional)

You can use Device Options to give your phone a more descriptive name, or you can click "Add another device" to start the enrollment process again and add a second device.

Employees and students are strongly encouraged to register at least two devices, such as a mobile device and a tablet or landline.

If this is the device that you will most often use with Duo, you may want to enable automatic push requests. Change the "When I log in:" option from "Ask me to choose an authentication method" to "Automatically send this device a Duo Push" or "Automatically call this device" and click "Save." With one of the automatic options enabled, Duo automatically sends an authentication request via push notification to the Duo Mobile app on your smartphone or a phone call to your device (depending on your selection).

Automatic Device Options

Continue to Login

Click "Continue to login" to proceed to the authentication prompt.

Successful Device Enrollment

Congratulations!

Your device is ready to approve Duo authentication requests. You will automatically receive a push notification or phone call if you selected either of those earlier. If not, click Send me a Push or Call Me to give it a try. If you selected a push, all you need to do is tap Approve on the Duo login request received on your phone. When you receive a phone call from Duo, the number will always be 334-844-4944, which is the IT Service Desk.

Enrollment Complete

Using Duo Mobile

Below you will find instructions on using Duo Mobile on an iPhone or an Android. The minimum requirements for the Duo Mobile App are iOS 13 or Android 8. For each device type below, you will find information on the following:

The Duo Mobile application makes it easy to authenticate — just tap “Approve” on the login request sent to your iPhone. You can also quickly generate login passcodes, even without an internet connection or cell service.

Find the latest version of Duo Mobile in the App Store.

Supported Platforms: The current version (4.0.0) of Duo Mobile supports iOS 13.0 and greater.

To see which version of Duo Mobile is installed on your device, go to the iOS Settings menu, then scroll down and tap Duo Mobile. The "System Info" section shows the app version.

Duo Push

Duo Push is the easiest and quickest way of authenticating. You'll get a login request sent to your phone — just press Approve to authenticate.

If you get a login request that you weren't expecting, press Deny in order to reject the request. You’ll be given the ability to report it as fraudulent, or you can tap It was a mistake to deny the request without reporting it.

You can respond to Duo Push requests from the iOS lock screen or banner notification starting with Duo Mobile version 3.8.

Swipe right on the lock screen Duo Mobile notification to reveal the "Open" action.

Swipe down on the Duo Mobile banner notification received when your screen is unlocked to approve or deny the request.

If you missed the banner notification you can still approve the Duo request. Swipe down from the top of your screen to reveal the Notification Center, then swipe right to "Open."

Passcodes

In the event that you do not have an internet connection, you can still use a passcode from Duo in order to authenticate.

Follow the below instructions on how to obtain a passcode:

  • Open your Duo App
  • Locate the account that you need a passcode for
    1. Some users may have two accounts
  • When you locate the account tap "Show" to see the 6-digit passcode.
  • Tap the double arrows to the right of the passcode to generate a new passcode.
  • Once you obtain a passcode from the app, enter it into the Duo prompt on your computer or device.

The passcode is always available, just hidden. This works anywhere, even in places where you don't have an internet connection or can't get cell service.

Adding Accounts to Duo Mobile

During the setup process you'll see a barcode to scan.

Tap "Add Account" (or the plus button in the upper right). Scan the barcode to add the account to Duo Mobile.

Removing Accounts

Delete an account by tapping the Edit button in the upper left. Then tap the delete icon, tap "Delete", and confirm the deletion.

Pull to Refresh

Check for authentication requests by pulling the account list down. Duo Mobile automatically checks for authentication requests, but if you think you have missed a request, open the app and pull down to refresh.

Backup & Restore

Your Duo Mobile account information is backed up automatically when you enable iCloud Backup on your phone, and this backup can be restored only on the same device. The iCloud backup can't be used to migrate your Duo accounts to a new phone. See Apple's guide to enabling iCloud backup for more information.

The Duo Mobile application makes it easy to authenticate — just tap “Approve” on the login request sent to your Android device. You can also quickly generate login passcodes, even without an internet connection or cell service.

Supported Platforms: The current version of Duo Mobile supports Android 10 and greater.

To see which version of Duo Mobile is installed on your device, go to the Android Settings menu, tap "Apps", then scroll down and tap "Duo Mobile." The "App Info" screen shows the version.

Duo Push

Duo Push is the easiest and quickest way of authenticating. You'll get a login request sent to your phone — just press "Approve" to authenticate.

If you get a login request that you weren't expecting, press Deny to reject the request. You’ll be given the ability to report it as fraudulent, or you can tap It was a mistake to deny the request without reporting it.

Passcodes

In the event that you do not have an internet connection, you can still use a passcode from Duo in order to authenticate.

Open the Duo app to see the Passcode option. This works anywhere, even in places where you don't have an internet connection or can't get cell service.

Adding Accounts to Duo Mobile

During the setup process you'll see a barcode to scan. Tap "Add Account" (or the plus button in the upper right). Scan the barcode to add the account to Duo Mobile.

If you ever need to re-add your account to Duo Mobile, contact your administrator.

Removing Accounts

Delete an account by tapping the three buttons in the right corner. Then tap "Delete."

Pull to Refresh

Check for authentication requests by pulling the account list down. Duo Mobile automatically checks for authentication requests, but if you think you have missed a request, then tap the list of accounts and pull down to refresh.

Backup & Restore

It is not currently possible to back up and restore your registered Duo Mobile accounts on Android.

Duo works with all cell phones and landlines by supporting authentication via phone call and SMS passcodes.

Follow the steps below on how to utilize the "Call Me" and "SMS Text" methods.

Phone Call

Click the "Call Me" button on the authentication prompt (or type "phone" in the "second password" field if you don't see Duo's interactive prompt) and Duo will call your phone. The status bar at the bottom of the authentication prompt updates at each step of the process.

Answer the call and listen to the instructions to authenticate. The authentication prompt's status bar also tells you how to approve the request over the phone.

SMS or "Text" Passcodes

In the event that you do not have an internet connection, you can still use a passcode from Duo in order to authenticate.

You can authenticate using a passcode texted to your phone. To have Duo text you a batch of passcodes click the "Send codes" button after clicking "Enter a Passcode" (or type "sms" in the "second password" field).

The authentication prompt's status bar indicates the passcodes were sent to your phone. The number of SMS passcodes sent in one batch is defined by your administrator (ten maximum). Sending multiple passcodes at once lets you use those passcodes to authenticate multiple times when you may not have cellular service.

To authenticate using an SMS passcode, click the "Enter a Passcode" button, type in a passcode you received from Duo via text message, and click "Log In."

Duo keeps track of which SMS passcodes you've already used in your batch, letting you know which one to use next.

You can have new passcodes sent to you at any time. A new batch of passcodes will invalidate all old passcodes, so it's probably best to delete the old message when a new one comes in.

Managing Devices in Duo Mobile

Once you have registered your device with Duo you will be able to manage and make changes by navigating to auburn.edu/duo. Below you will find instructions on the following:

When your previous device was set up, you may have chosen to automatically push or call your device. If so, DO NOT respond to the Duo prompt on the device and instead press the "Cancel" button (see image below). If this does not apply to you, continue on with the instructions.

Device is trying to automatically authenticate with the previously registered device

Click the My Settings & Devices link on the left.

My Settings & Devices link

To manage your devices, choose an authentication method and complete second factor authentication (you may need to scroll down to see all authentication options).

You can't access the device management portal if you do not have access to any enrolled devices; you'll need to contact the IT Service Desk at (334) 844-4944 for assistance.

If you do have an enrolled number but have just received a new device with the same number, choose another authentication method and you will be able to access your Devices and Settings and reactivate the device. Choose "Call Me" for the authentication method. You will receive a phone call from Duo. Answer the call, and press "7" on the keypad to authenticate.

Authenticate to My Settings & Devices

After authenticating you'll see the device management portal. This is where you can reactivate, edit, or delete your existing devices. Scroll down to see all your authentication devices.

My Settings & Devices

To exit My Settings & Devices, click the "Done" button below your listed devices or click your organization's logo on the left (or the Duo logo if shown).

Default Authentication Options

If you authenticate with more than one device, you can specify which you would like to be the default. In the list of actions, simply click "Set as Default" and that device will be moved to the top of the list making it your default device for authentication.

Choose Default Device

If this is the device that you will use most often with Duo, you may want to enable the "Automatically send me" option and choose either Duo Push or Phone Call.

From the When I log in drop-down, select "Automatically send this device a Duo Push" for mobile phones with the Duo app installed or "Automatically call this device" for landlines or mobile phones without the Duo app.

With either of these options enabled Duo automatically sends an authentication request via push notification to the Duo Mobile app on your smartphone or a phone call to your device (depending on your selection).

Enable Automatic Authentication

Manage Existing Devices

Click the "Device Options" button next to any of your enrolled devices to view the actions available for that type of device. You can Reactivate Duo Mobile for an enrolled smartphone, Change Device Name for any type of phone, or delete any authentication device.

Device Options

Add A New Device

You can easily add new devices right from the Duo authentication prompt at auburn.edu/2factor.

If you are 1) registering a new phone with a new phone number, 2) have not registered a second device already, AND 3) are no longer in possession of the previous device, contact the IT Service Desk at (334) 844-4944 to purge your old device from your account.

Follow the steps below to add a new authentication device.

When your previous device was set up, you may have chosen to automatically push or call your device. If so, DO NOT respond to the Duo prompt on the device and instead press the "Cancel" button (see image below). If this does not apply to you, continue on with the instructions.

Device is trying to automatically authenticate with the previously registered device

To add a new device, click "Add a new device."

Add a New Device Link

Choose an authentication method and complete the second factor authentication to begin adding your new device.

YubiKey and hardware token users should select "Enter a Passcode" if that's the only device you currently have registered. After pressing the "Enter a Passcode" button, click into the text field with your mouse, then either press your plugged-in YubiKey to generate a passcode, or press the button on your hardware token and enter the generated passcode.

If you're adding a new device to replace one that you previously activated for Duo Push, don't select the Duo Push authentication method on this page. If you have a new device with the same phone number, then you can authenticate with a phone call or SMS passcode.

Authenticate to Add a Device

Proceed with the device enrollment process. As an example, let's add another phone.

Select Device Type

Device details (assuming you selected Mobile Phone)

Enter and confirm the second phone's number. Press the "Continue" button.

Enter and Confirm Phone Number

Select the new phone's operating system. Press the "Continue" button.

Select Device Platform

Install and activate the Duo Mobile app (if you selected Mobile Phone)

Install Duo Mobile on the new phone following the instructions on the screen (Android example below) and press the "I have Duo Mobile installed" button when you have installed the app.

Install Duo Mobile for Android

Scan the barcode with the Duo Mobile app to activate the account.

Scan Barcode to Activate

Confirmation screen

The new phone is added and listed with your other enrolled devices.

New Device Added

Employees and students are strongly encouraged to register at least two devices, such as a mobile device and a landline.

Configure Device Options (optional)

Click the Device Options button next to any of your enrolled devices to view the actions available for that type of device. You can Reactivate Duo Mobile for an enrolled smartphone, Change Device Name for any type of phone, or delete any authentication device.

Device Options

Reactivate Duo Mobile

Click the "Reactivate Duo Mobile" button if you need to get Duo Push working on your phone, for example, if you replaced your phone with a new model but kept the same phone number. After answering some questions about your device, you'll receive a new QR code to scan with your phone, which will complete the Duo Mobile activation process.

Reactivate Duo Mobile

Change Device Name

Clicking "Change Device Name" will open up an interface to change the display name of your phone (hardware tokens can't be renamed). Type in the new name and click "Save."

Change Device Name

After successfully modifying your phone's name, not only will you see this from now on when managing devices, but it will also be how your phone is identified in the authentication dropdown.

Renamed Device

Remove Device

Click the trash can button to delete a phone or token device.

Note: You may not remove your last device. If you wish to remove it, first add another, then delete the original. If you are unable to delete a device, contact the OIT Service Desk at 334-844-4944 to have it removed.

Remove Device

You are given the chance to confirm or cancel deleting the authentication device.

Confirm Device Deletion

The device is deleted. It can no longer be used to approve Duo authentication requests.

Device Removed

Remember Me Option

Is your checkbox for “Remember Me” grayed out in Duo?

If you have Duo set to send you a push automatically, the “Remember me for 7 days” checkbox may be grayed out.

To correct this, tap or click the blue "Cancel" button in the lower right corner. You will then be able to utilize the check box. You will still need to select an authentication method.

If you do not check the “Remember me” box, you will need to authenticate each time Duo is used.

You may also need to clear your cache and cookies to enable or disable this option.

Using A Duo Token

Since a majority of our faculty, staff, and students use a mobile device as part of their everyday life, many find that their mobile device works perfectly and conveniently as a 2-factor authentication option with Duo. However, we do have a smaller group of people who prefer not to use or carry a mobile device or tablet. For these individuals, a hardware token may be the easiest solution to 2-factor authentication. Duo tokens are a very basic method of authentication and can be a convenient method for those who prefer not to use or carry a mobile device.

Duo tokens are available for purchase from the Bookstore Kiosk in the RBD Library. They may be purchased via any method the bookstore accepts, even departmental charge.

Duo tokens are recommended for those who do not have a mobile device yet still need to access applications or resources that require Duo Security. For those with a mobile device, we recommend using the Duo app. Return to the section on "Duo Mobile Self-Registration Process" for more information.

Your new token will look like this:

Once you have purchased the Token, visit the OIT Service Desk for activation. We are located on the 3rd floor of the RBD Library (3010) and are available to activate the token from 8:00am to 4:00pm, Monday through Friday.

Once activated, you will use this token to access applications or resources that require Duo Security.

To authenticate using a token, click the "Enter a Passcode" button.
Press the button on your hardware token to generate a new passcode and type it into the space provided.

Click "Log In."

To sign into an application or resource that requires Duo Security, for example Palo Alto Global Protect VPN:

  • Enter your Auburn username
  • Press the green button on the Duo Token to generate a new Duo Code
  • In the password field you will need to enter your Auburn password followed by a comma and the Duo Code generated by the token

NOTE: When entering your password, the comma, and the Duo Code, do not enter any spaces. Example: password,862325

Each time you sign into an application or resource that requires Duo Security, you will need to generate a new Duo Code from your Duo Token.

Note: Tokens can get "out of sync" if the button is pressed too many times in a row and the generated passcodes aren't used for login. If you have tried to generate a code several times and are still unable to log in, your Duo Token may need to be resynced.

You may call the OIT Service Desk at 334-844-4944 or visit us on the 3rd floor of the RBD Library. Please remember to bring your Duo Token with you.

More Important Information

I want to protect a University resource. How do I proceed?

Departments are strongly encouraged to protect their infrastructure with Duo. Contact the OIT Service Desk for questions or assistance.

I am a retiree. How do I access the VPN?

If you are a retiree and need to access the VPN, you will need to set up Duo.

I have received a push notification, text message, or phone call through Duo that I did not initiate. What should I do?

This may be an attempt to compromise your account. It is recommended you change your password through My Account and notify the IT Service Desk at (334) 844-4944.

Why am I not receiving the Duo push notification?

Assuming you have configured your device to receive Duo push notifications and have installed the Duo Mobile app, you may need to power-cycle your device. On rare occasions, iPhone and Android may not display the Duo push notification, but a power-cycle usually clears this issue.

If you have a replacement phone with the same number, you will not receive Duo push notifications until you reactivate your phone. Please refer to the rest of this article for more instructions or call the Service Desk at 334-844-4944.

How do I resolve the Duo prompt display issues related to iOS content restrictions?

iOS has configurable content restrictions that can potentially prevent the Duo Prompt from displaying correctly. Please refer to this KB Article on how to edit these restrictions.

I will be traveling internationally. What do I need to know about traveling internationally and needing or using Duo?

Please refer to this KB article on traveling internationally and using Duo.

With cybercrime on the rise, more and more organizations are implementing best practices such as multi-factor authentication (MFA) to protect their users from credential theft, phishing attempts and brute-force password guessing. To get around this added layer of protection, hacking groups have developed a new tactic: MFA fatigue. MFA fatigue relies on spamming victims with endless authentication prompts until they grant the attacker access by accident or out of sheer frustration.

If you receive repeated MFA prompts, do not accept the prompt. Instead, deny the request and report it as suspicious using the app.
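For administrators reviewing authentication logs, the prompt-spamming pattern described above can be detected as a burst of denied or unanswered pushes for one user, with an approval that follows such a burst treated as the highest-priority case. This is an added example, not Auburn's or Duo's code; the log format, the sample events, and the threshold and window values are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "timestamp user factor result". Not a real Duo log schema.
SAMPLE_LOG = """\
2024-03-04T02:10:05 alice push denied
2024-03-04T02:10:40 alice push timeout
2024-03-04T02:11:15 alice push timeout
2024-03-04T02:12:02 alice push denied
2024-03-04T02:12:30 alice push timeout
2024-03-04T02:13:10 alice push timeout
2024-03-04T02:13:55 alice push approved
2024-03-04T08:00:00 carol push timeout
2024-03-04T08:30:00 carol push timeout
2024-03-04T09:00:00 bob push approved
2024-03-04T09:00:01 carol push timeout
2024-03-04T09:30:00 bob push denied
2024-03-04T09:30:02 carol push timeout
2024-03-04T10:00:00 carol push timeout
2024-03-04T11:15:00 dave passcode denied
2024-03-04T13:00:00 bob push approved
"""

WINDOW = timedelta(minutes=10)   # hypothetical sliding window
THRESHOLD = 5                    # hypothetical count of unapproved pushes


def parse(log: str):
    """Yield (timestamp, user, factor, result) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, user, factor, result = parts
            yield datetime.fromisoformat(ts), user, factor, result


def detect_push_fatigue(log: str, window=WINDOW, threshold=THRESHOLD):
    """Return (user, alert_kind, timestamp) tuples in time order."""
    unapproved = defaultdict(deque)   # user -> recent denied/timed-out push times
    alerts = []
    for ts, user, factor, result in sorted(parse(log)):
        if factor != "push":
            continue                  # passcode and phone factors are out of scope
        recent = unapproved[user]
        while recent and ts - recent[0] > window:
            recent.popleft()          # drop events that fell out of the window
        if result in ("denied", "timeout"):
            recent.append(ts)
            if len(recent) == threshold:   # alert once, when the burst forms
                alerts.append((user, "push_burst", ts.isoformat()))
        elif result == "approved":
            if len(recent) >= threshold:   # approval right after a burst
                alerts.append((user, "approved_after_burst", ts.isoformat()))
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

In the sample, occasional denials (bob) and timeouts spread over hours (carol) stay below the threshold, so only the tight burst against alice is flagged.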