1. What is two-factor (Duo) authentication and why is Baylor implementing it?
Passwords are becoming increasingly easy to compromise. They can often be stolen, guessed, or compromised in some other manner -- you might not even know who else has your password and is accessing your account. Duo two-factor authentication adds a second layer of security to your account to make sure that it stays safe, even if someone else knows your password, by using your phone or other device to verify your identity. You will be alerted right away (on your phone - mobile or landline - or tablet) if someone tries to log in using your password. This prevents anyone but you from accessing your accounts.
2. How do I get Duo?
Duo's self-enrollment process makes it easy to register your phone or tablet and install the application on your device. To begin the enrollment process, please see the First-Time Enrollment Guide for device-specific installation instructions.
3. Can I opt out of Duo?
No. Two-factor authentication adds a second layer of security to our online accounts. In an effort to keep the university systems and your personal account information secure, we are enabling two-factor authentication on most services.
4. What devices can I use as a second factor with Duo?
See our Duo Authentication Methods page that has a list of device types and the types of 2-factor authentication available on each device (note: some devices are limited to only one type of authentication, where other device types may have multiple authentication methods). We recommend having more than one device registered and that one of the devices be a mobile phone with the Duo Mobile app.
More Information: https://www.baylor.edu/its/index.php?id=964207
5. What mobile OS versions are supported by Duo?
Periodically, support for older operating systems (OS) and devices will be discontinued. The OS versions listed below are no longer supported by Duo/Duo Mobile (the device and Duo Mobile will continue to function, but will no longer receive critical security updates to the OS or the app and the older, unsupported app versions will not be available on the app store):
6. Where & how do I enroll each type of device?
Enrollment is available when attempting to authenticate to a service protected by Duo or by going directly to our enrollment portal (see the link below and click on the 'Do you? We Duo.' graphic on the top right hand side). We have published some video tutorials that will walk you through how to enroll smart phones, landlines, and tablet, they are available at the link below (look for the Duo Video Tutorials link).
To enroll a secondary/backup device, in the Duo authentication window before you authenticate to the service, click the "Add new device" link on the left hand side under the interlocking BU logo.
To enroll a Duo Hardware Token, please call the Help Desk at 254-710-HELP (4357) as you will not be able to enroll the token on your own.
More Information: http://www.baylor.edu/its/weduo
7. How do I manage the 2-factor devices on my account?
To perform management of your existing 2-factor devices, click on the My Settings & Devices link on the Duo Authentication screen BEFORE authenticating via Duo into the service. You will have to authenticate via an enrolled device after clicking the My Settings & Devices link to verify your identity before being allowed to manage your devices and settings.
8. How do I enroll an additional device?
We strongly recommend having more than one device enrolled for backup purposes. If you have enabled the 'automatically send a push' option, you will need to cancel the push notification before you can enroll an additional device. To enroll additional devices, click on the 'Add a New Device' link on the left-hand side of the Duo authentication window before authenticating in to a service protected via Duo. Follow the on-screen instructions to complete the enrollment of the new device.
9. How do I disable the automatically send a push each time I log in setting?
Although the automatic push option may seem ideal, we recommend against setting your Duo authentication up this way because you are unable to take advantage of the "Remember me for 7 days" feature and if something happens to your primary device it is more difficult to authenticate via Duo with this automatic setting in place.
To disable the automatic push:
10. What can I do if I the Duo Mobile app is not working or I am not receiving Duo Push notifications?
Many of these issues can be resolved by refreshing the Duo Mobile app:
11. How can I fix my Duo Authentication Window that appears in a browser because it is blank or not loading correctly?
Open a browser & load the website, status.duo.com to look at any possible interruptions of Duo service. If there are no issues listed, then it is likely one of the following conditions causing the Duo Window to load incorrectly: Many of these issues can be resolved by refreshing the Duo Mobile app:
12. I cannot add a device, access the My Settings & Devices section, it appears that 2-Factor authentication is being skipped, and/or the Remember Me for 7 Days setting is grayed out & I cannot select it, what do I do to fix this?
If you have the auto send of Duo Push notifications, auto call, or have previously checked the "Remember me for 7 days" option, you will not be able to add a new device, manage your settings or devices because you will bypass the Duo Authentication screen. The easiest way to make changes in this situation is to open a browser in private browsing mode, pick a browser from the list below & click the link:
*Be sure if you have it set to automatically send you a push that you click the Cancel button on the Duo Authentication screen without accepting the Duo Push sent to your mobile device in order to access the Add a New Device and/or My Settings & Devices links.
Use of the 'Remember me for 7 days' feature requires persistent cookies in your browser. If the feature isn't working, check the cookie settings of your browser (the exact method depends on which browser you are using, Google browser name & cookie settings for assistance).
If your browser is operating in incognito mode (Chrome), private mode (FireFox), or InPrivate mode (Edge), it will not save cookies & therefore the 'Remember me' feature will not function.
To use the "Remember me for 7 days" feature while blocking cookies you will need to allow cookies from "duosecurity.com" as a trusted exception. To do this, find your broswer in the list below and follow the instructions:
15. What if I do not have a mobile phone?
Duo can be used with a tablet, a landline telephone and/or various hardware tokens, such as a Duo Hardware Token (available for purchase at the Baylor Bookstore), a U2F Token, or a Yubikey.
Although we strongly recommend the Duo Mobile app as it stores no Baylor information on your device, there are other ways to authenticate with a mobile phone without using the app.
17. What if I get a new mobile phone with the same phone number?
The Duo Mobile app uses your phone number & some information from the device to establish the connection, so if you get a new device but keep the same number you will have to re-activate the Duo Mobile app. The instructions are available here: New Phone Reactivation.
There is no option to set a token as the default authentication method because tokens cannot receive an automatic authentication prompt. Only devices that can receive a notification (such as a smartphone with the Duo Mobile app or any type of telephone that can receive a voice call) can be your default authentication method.
You can use a U2F token or a Duo Hardware Token any time you are prompted to authenticate via Duo - click the Enter a Passcode button on the Duo Authentication screen and then use your U2F or Duo Hardware Token to authenticate. The token does not need to be selected in the drop-down list in order for token authentication to work.
The Duo system does not allow you to customize the name of any token (like you can mobile devices); each token will be assigned a unique set of characters.
The first step if you have a mobile device & a computer is to make sure that the Duo Mobile app has permission to use the camera on your device, if you only have the mobile device and no computer/separate screen (or the QR code will not scan on your mobile device) then you can follow the instructions below:
If you have more than one device enrolled, you can use one of the other devices to access the Manage Devices link on the Duo Authentication window - the method of authenticating to this screen will depend on what type of device you have enrolled.
If you only had one device enrolled and it is now removed from your Duo account, you will be prompted to enroll a device the next time you go to access a service protected via Duo.
21. What if I lose my mobile phone or it is stolen?
Contact the Help Desk via email or call 254-710-4357 immediately if you lose your phone or suspect that it has been stolen. The device will be disabled for authentication and you will be assisted in enrolling another phone/device. While it is important that you contact the Help Desk if you lose your phone, remember that your password will still protect your account.
First try using the Duo Mobile Passcode option inside the Duo Mobile App to replace Push notifications if you experience issues with Push. To access the Duo Mobile Passcode, click the down arrow head icon next to the Baylor University entry inside Duo Mobile.If the passcode option does not work, then you will need to re-enroll your device to reset the Duo Mobile Apps connection via these instructions: Re-Enroll a Device in Duo to reset the Duo Mobile App Connection (same instructions as if you get a new device with the same phone number).
23. How many chances will I get to authenticate?
A Duo push authentication is good for about 45 seconds before it expires, phone calls can be answered until voice mail answers, and passcodes are good until used once.
24. What systems utilize Duo two-factor authentication?
BearWeb, Canvas, Box, VPN, Banner, Office 365 (including your Baylor email), and other services that use the Shibboleth login all use Duo two-factor authentication. There are 60+ services that are protected by Duo.
Deny the request using the Report as Fraud function and report the incident to the Help Desk immediately via email or by calling 254-710-4357.
You will get an email from someone in ITS - Security with more information about the fraudulent authentication report so you can help them figure out what is happening.
26. How do I connect to VPN using Duo Two Factor authentication?
You can connect to VPN using these instructions:
VPN using GlobalProtect
27. I am getting a message that I am locked out or my account has been disabled. What do I do?
For assistance with this, please call the Help Desk at 254-710-HELP (4357).
28. What if I don't have a cell phone, landline, or a tablet for a secondary device?
Hardware tokens can be purchased from the Baylor Bookstore - Technology Desk (currently, the price is $30 for a token). These are devices that are approximately the size of a key fob that you will carry with you at all times. When you need to authenticate, you will press a button on the Duo Token to generate a code that you will enter on the Duo Authentication screen. Contact the Help Desk at 254-710-HELP (4357) after purchasing the token so it can be associated with your account. Duo also allows for other types of hardware tokens to be used that vary in price. More information about U2F tokens can be found on Duo's site below:
More Information: https://duo.com/product/trusted-users/two-factor-authentication/authentication-methods/u2f
29. Why am I seeing a gray screen instead of the Duo prompts on my iOS devices?
If you see a gray screen instead of the Duo prompts on your iPhone, iPad, or other iOS device, see these instructions for the ways to resolve the issue.
30. What if the "remember me" feature is not working?
Make sure that your web browser is not in private or incognito mode (cookies must be enabled/allowed for this feature to work). If this doesn't resolve the issue, contact the Help Desk at 254-710-HELP (4357).
If you are travelling internationally & have questions about how Duo will operate outside of the United States please see this page. If your question is not answered please call the Help Desk at (254) 710-HELP (4357) as we will be updating the information below as needed.
32. Duo appears to be in a loop. It jumps from the log-in screen to the application and then back to the log-in screen. How can I fix this?
If you are using the Safari Browser (or it sometimes happens in Chrome, as well) & Duo seems to loop from the Duo authentication screen into the app/service & then right back to the Duo prompt, please try one of the solutions below.
The process of restarting the device or the browser allows for memory reallocation back to the system & will temporarily resolve the issue with Duo getting stuck in a loop. However, the issue can reoccur in the future & the fix would be the same.
33. Why am I getting a "Session Expired" error when I try to authenticate?
This occurs on some iOS devices. To navigate past this error, see these instructions.
A Duo Hardware Token that is displaying any characters other than numbers is malfunctioning & will need to be replaced unless it is under warranty. Please call the Help Desk at 254-710-HELP (4357) for further assistance.
If the Duo Hardware Token is displaying numeric codes, but you an unable to authenticate via Duo, it could be that the button was pressed too many times without a code being used & now your token is out of sync. Please call the Help Desk at 254-710-HELP (4357) so that the token can be re-synced. You will need 5-10 minutes at least for this process as it requires you to generate a code, have the technician enter the code in the Duo Admin page for your token & repeat that 2 more times (for a total of 3 consecutive codes being entered to complete the re-sync process).
35. I upgraded my iOS device to iOS 13 and now Duo push notifications seem to be delayed, how do I fix this?
Duo has noticed slow push notifications with iOS 13 and the fix is to upgrade to iOS 13.1 and watchOS 6. For more information check out Duo's page on this issue below.
More Information: https://help.duo.com/s/article/5418?language=en_US