Multi-Factor Authentication FAQ
What devices do you support?
Duo supports a wide range of mobile phones, tablets, watches, and hardware tokens. These include:
- Android – The current version of Duo Mobile supports Android version 5.0 and greater. Older versions of Android can still use the legacy Duo application. See Duo’s Android documentation for more details.
- iPhone/iPad – The current version of Duo Mobile supports iOS 9.0 and greater. Older releases of iOS can install Duo Mobile version 3.16.7 from the App Store. See Duo’s iPhone documentation for more details.
- Apple Watch – Duo supports login request approval and passcode generation from an Apple Watch. See Duo’s Apple Watch documentation for help configuring your iPhone to send prompts to your watch.
- Windows Phone – The current version of Duo Mobile supports Windows Phone 8 and greater. See Duo’s Windows Phone documentation for details.
- Hardware Tokens – In addition to the hardware token provided by Mines, Duo’s service supports any SHA-1 OATH HOTP-compatible hardware tokens. If you already have a token that you received from another organization that you would like to use with your Mines account, please contact our Technical Support Center (CT256 or 303.384.2345) for help.
- U2F Tokens – Duo supports the U2F protocol when used from inside a browser or application with U2F support. Since not all applications currently implement the U2F protocol you should be sure and enroll a second device for those situations where you cannot use U2F. See Duo’s U2F documentation for details. If you are interested in using the YubiKey U2F device, please see our YubiKey FAQ.
- Text Messages – If you have a cell phone that does not support the Duo Mobile App but can accept SMS text messages Duo can send an authentication code to your phone. Duo charges the school for every message sent, so this option should only be used as a backup by those who misplace their primary authentication device. See Duo’s text-message documentation for details.
- Desk Phones – If you have no other way to authenticate you can enroll your desk phone (or any other voice number). In this case Duo will call your phone and read off the authentication code. Duo charges the school for each phone call, so this option should only be used as a last resort by those who misplace their primary authentication device. See Duo’s voice-message documentation for details.
How do I add additional devices?
After enrolling your first device you can access your settings from the Duo Self Service Portal. Selecting Add New Devices inside the portal will guide you through the device enrollment process.
What if I don't want to use my personal phone?
If you do not have a cell phone or would prefer not to use your phone we will provide you with a hardware token. Simply indicate your choice on the enrollment form and CCIT will configure a token for your use and contact you when it is ready to be picked up.
Are YubiKeys or other U2F tokens supported?
Duo fully supports the U2F protocol. You can use the Duo Self-Service Portal to add your U2F token to the list of devices that you can use to authenticate. Please be aware that not all browsers or applications support U2F, you should be sure that you have at least one other device enrolled so that you can log into your account from systems that don’t yet support U2F. See Duo’s U2F documentation for details.
What if I forget my device?
No problem. We all leave our cell phone at home every now and then. If you have enrolled a voice number like your desk phone, selecting the Call Me button on the Duo authentication will prompt Duo to call you and read off an authentication code. If you have not enrolled your desk phone, or you are not in your office, you can contact the CCIT Technical Support Center (CT156 or 303.384.2345) and they can provide you with a bypass code that can be used as many times as you need for the next 24 hours.
What if I lose my device?
No problem. If you have another device or a voice number configured, you should use that to access the Duo Self-Service Portal as soon as possible and delete the lost device (you can always put it back if you find it later). If you are not replacing the lost device right away you may contact our Technical Support Center (CT156 or 303.384.2345) and we will be happy to provide you with a replacement hardware token for as long as you need.
If you do not have another device or voice number that you can use to access the self-service portal please contact CCIT immediately so we can disable the missing device and provide you with a hardware token that you can use until you find or replace your missing device.
What is the Duo Self-Service Portal and how do I log into it?
The Duo Self-Service Portal allows you to customize your Duo environment, including the addition or removal of devices and which authentication mechanism you would like to use by default (see “How do I configure my settings?” above for more information). To access the self-service portal, select the “Settings” button after providing your username/password but before providing the second factor while accessing any web service. After clicking on the “Settings” button, you will be asked to provide your second authentication factor and will be presented with a menu that includes options to Add a New Device or manage your settings. More information on accessing the self-service portal is available from Duo.
How do I configure my settings?
The Duo self-service portal provides allows you customize your Duo environment. Options include:
- Adding new devices.
- Removing old devices.
- Selecting the default authentication method.
What Mines applications are protected by MFA?
Multi-factor authentication protects the Mines Shibboleth authentication service, which in turn protects:
- Student email service (MyMail)
- EzProxy at the Library
- Logins to Windows computers in labs, classroom podiums, and some desktops
- Linux logins
- Logins via ssh for JumpBox and Isengard
- And more