This site requires JavaScript to be enabled
IT Knowledge Base > General > Using 2-Factor Authentication
Using 2-Factor Authentication
Article: KB0010700 Published: 11-29-2016 Last modified: 11-29-2016 Views: 1345
Permalink: 

Contents

Getting Started

When Should I Enroll

On July 4, 2016, 2-factor enrollment became required to log into many Virginia Tech Web-based systems.

To use these Web sites and services that use the Login service, you are now required to authenticate with a second factor.

Top of the page

Can I Un-enroll or Stop Using 2-Factor

Once you enroll in 2-factor, you cannot un-enroll or stop using 2-factor.

Top of the page

What Devices Can I Use as a Second Factor

Mobile App  
Image of the green and white logo of Duo authentication

The Duo app on a smartphone, which allows:

  • $ - If wireless Internet is not connected, push notifications may incur carrier data charges
  • $ - Passcodes are no charge.
 

Hardware Tokens

For comparison and purchasing information on D-100 and YubiKey tokens, see YubiKey and D-100 Hardware Tokens for Duo 2-Factor Authentication.

  
   a D-100 which is a physical token smaller than a deck of playing cards that can display a 6-digit passcode when the button is pressed. It does not require any Internet or data connection. (For instructions, see Authenticating Using the Duo D-100.)  
  • Individual: $27+
  • Departmental purchase available
 Image of a YubiKey  a YubiKey which is a physical hardware token you can insert into a USB slot on your computer (For instructions, see Authenticating with a YubiKey.)  
  • Individual: $40+
  • Departmental purchase available
 Phones    
 Clip art of a blank smartphone and a blank callout / speech balloon  text messages on any cellular phone or smartphone (For instructions, see Authenticating Using an SMS Text Message Passcode.)  $ - Any carrier fee for SMS text message
 Clip art of a black, rotary telephone  a landline, smartphone, or cellular phone that can receive voice calls at your office, home, or other location. (For instructions, see Authenticating Using 'Call Me' on a Landline.)  $ - Any carrier fee for voice calls

Using a smartphone as your second factor will present multiple authentication options each time you authenticate, including receiving a voice call or a text message, or generating a passcode from the Duo app which does not require Internet or cellular service.

Top of the page

End of Support for Smartphone Operating Systems

  • Blackberry: After February 1, 2017 the Duo app will be removed from the Blackberry World app store, so the app will no longer be downloadable to new Blackberry devices. Registered Blackberry devices with the Duo app already installed will continue to be able to authenticate with push notifications and app-generated passcodes. All registered Blackberry devices will continue to be able to authenticate with SMS passcodes and voice calls. For more information, see the Guide to BlackBerry end of support page.
  • Android 3: After December 1, 2016 the Duo app will no longer be downloadable to devices using Android 3. Registered devices using Android 3 with the Duo app already installed will continue to be able to authenticate with push notifications and app-generated passcodes. All registered devices will continue to be able to authenticate with SMS passcodes and voice calls.
  • Apple iOS 6: After December 1, 2016 the Duo app will no longer be downloadable to devices using iOS 6. Registered devices using Apple iOS 6 with the Duo app already installed will continue to be able to authenticate with push notifications and app-generated passcodes. All registered devices will continue to be able to authenticate with SMS passcodes and voice calls.
  • Apple iOS 7: After March 1, 2017 the Duo app will no longer be downloadable to devices using iOS 7. Registered devices using Apple iOS 7 with the Duo app already installed will continue to be able to authenticate with push notifications and app-generated passcodes. All registered devices will continue to be able to authenticate with SMS passcodes and voice calls.

The currently supported smartphone operating system versions for Duo Mobile can be found on the following pages:

4Help Recommendations

Once enrolled in 2-factor, 4Help strongly suggests enrolling a second device, in case your primary device has failed, is temporarily lost or broken, or left at home. (For instructions, see Enroll Additional Device.)

To use services that require 2-factor authentication while outside of the United States, overseas, or otherwise traveling to an international place, see the suggestions in the Authenticating without Internet, Network, or Cellular Service (International / Overseas) section of this document.

Top of the page

Enrolling

Enrolling for the First Time

Note: To view a comparison of the options and devices you can use as your second factor, see What Devices Can I Use as a Second Factor.

The first time that you enroll in 2-factor authentication, you will need to enroll a:

  • Cell phone,
  • Smartphone,
  • Landline telephone,
  • Tablet, or
  • Token in U2F mode.

Other types of devices can be enrolled later.

Authenticating via voice call or SMS text message when outside of the continental United States may not work. Consider the location from which you will be authenticating. If you are or will be overseas, see the Authenticating without Internet, Network, or Cellular Service (International / Overseas) section of this document.

It's a good idea to enroll at least two devices - one of which should be an SMS-capable device like a mobile phone - so that in the event of a lock-out condition for whatever reason you can get a SMS code and get in to manage your devices. To learn more about SMS, see What Is an SMS Passcode.

To access or enroll in 2-factor authentication at Virginia Tech:

  1. Go to MyVT Accounts, and select My Accounts.

  2.  On the Login page, type your PID and PID password, and click the Login button. (If you forgot your password, follow the instructions at Changing My Password.)
    Image of the Login service prompting for Username and Password
  3. When prompted to enroll, click the Enroll Now button.
  4. Click the link below corresponding to the type of device you want to use as your authentication method, and follow the instructions:
  5. 4Help strongly suggests enrolling a second device, in case your primary device has failed, is temporarily lost or broken, or left at home. (For instructions, see Enroll Additional Device.)

Top of the page

Where and How Do I Enroll Each Type of Device

Authenticating via voice call or SMS text message when outside of the continental United States may not work. Consider the location from which you will be authenticating. If you are or will be overseas, see the Authenticating without Internet, Network, or Cellular Service (International / Overseas) section of this document.

To enroll one of the following, before completing authentication with your second factor, in the Duo window frame click the "Add new device" link in the Duo interface:

To enroll one of the following, log onto MyVT Accounts, then click Manage Tokens and then Enroll Token:

To see and manage devices you have already registered, follow the instructions under Manage Existing 2-Factor Devices and Preferences.

Top of the page

Phones

Enrolling a Smartphone, Tablet, or Mobile Device by Installing the Duo Mobile App

Note: Using a smartphone as your second factor will present multiple authentication options each time you authenticate, including receiving a voice call or a text message, or generating a passcode from the Duo app which does not require Internet or cellular service.

The 2-factor mobile app (Duo Mobile Image of the square shaped green and white Duo logo) is supported on many mobile devices.

To enroll a smartphone, tablet, or mobile device:

  1. Download and install Duo Mobile app prior to enrollment.
    1. In the app store app on your mobile device, search for Duo Mobile.
    2. Download and install the Duo Mobile app. For information on how to download and install apps, see your mobile device's documentation.
  2. Start logging on to MyVT Accounts.

    1.  Go to MyVT Accounts, and select My Accounts.
      Image of the My Accounts highlighted on the Web page.
    2. On the Login page, type your PID and PID password, and click the Login button. (If you forgot your password, follow the instructions at Changing My Password.)
    3. If you have not yet registered for 2-factor, click the Enroll button.

    4.  Important: If you receive an automatic call or push notification, in the browser, click the Cancel button.
      Image of the Duo iframe with the Cancel button highlighted which is in the lower-right corner of the iframe
    5. Important: Do not complete authentication with your second factor, yet.

  3.  In the Duo frame, under the Virginia Tech shield logo, click the Add a new device link.
    Image of the Add a new device link highlighted under the VT shield symbol in the left column
  4. If prompted to Choose an authentication method, authenticate with a second-factor that is different from the second-factor you want to add.
  5. Follow the instructions on Duo’s Enrollment Guide page starting with the “2. Choose Your Authenticator” heading.
  6. When complete, you will see “Device successfully added!”. You may either click the “Continue to login” button, or leave the page.

For more information, see Duo's Enrollment Guide page.

Top of the page

Enrolling a Landline

  1. Authenticating via voice call or SMS text message when outside of the continental United States may not work. Consider the location from which you will be authenticating. If you are or will be overseas, see the Authenticating without Internet, Network, or Cellular Service (International / Overseas) section of this document.
  2. If your phone number requires an extension, do not follow these steps, and instead contact 4Help at http://4help.vt.edu by clicking "Ask a Question".
  3. Start logging on to MyVT Accounts.
    1.  Go to MyVT Accounts, and select My Accounts.
      Image of the My Accounts highlighted on the Web page.
    2. On the Login page, type your PID and PID password, and click the Login button. (If you forgot your password, follow the instructions at Changing My Password.)
    3. If you have not yet registered for 2-factor, click the Enroll button.

    4.  Important: If you receive an automatic call or push notification, in the browser, click the Cancel button.
      Image of the Duo iframe with the Cancel button highlighted which is in the lower-right corner of the iframe
    5. Important: Do not complete authentication with your second factor, yet.

  4.  In the Duo frame, under the Virginia Tech shield logo, click the Add a new device link.
    Image of the Add a new device link highlighted under the VT shield symbol in the left column
  5. If prompted to Choose an authentication method, authenticate with a second-factor that is different from the second-factor you want to add.
  6. Select the Landline radio button.
  7. Click the Continue button.

  8.  In the text box on the Web page, type the landline phone number.
    Image of the Duo iframe with a phone number typed into the text box, the check box checked, and both of those along with the Continue button highlighted

    WARNING: If your phone number requires an extension, stop following these steps, and instead contact 4Help at http://4help.vt.edu by clicking "Ask a Question".

  9. Place a check in the check box to verify the phone number is correct.

  10. Click the Continue button.

  11. If the entered phone number you entered is already associated with another account you will see a Verify Ownership page.

    1.  Click Call me.
      Image of the Call me button highlighted on the Duo iframe
    2. Answer the phone call, and listen to the automated voice to receive a verification code.
    3. In the text box on the Web page, type the verification code.
    4. Click Verify.
    5. Once the code has been verified, click Continue.
  12. When complete, you will see “Device successfully added!”. You may either click the “Continue to login” button, or leave the page.

Top of the page

Enrolling a Cell Phone ('Dumb' Phone / Non-Smartphone)

  1. Authenticating via voice call or SMS text message when outside of the continental United States may not work. Consider the location from which you will be authenticating. If you are or will be overseas, see the Authenticating without Internet, Network, or Cellular Service (International / Overseas) section of this document.
  2. Start logging on to MyVT Accounts.

    1.  Go to MyVT Accounts, and select My Accounts.
      Image of the My Accounts highlighted on the Web page.
    2. On the Login page, type your PID and PID password, and click the Login button. (If you forgot your password, follow the instructions at Changing My Password.)
    3. If you have not yet registered for 2-factor, click the Enroll button.

    4.  Important: If you receive an automatic call or push notification, in the browser, click the Cancel button.
      Image of the Duo iframe with the Cancel button highlighted which is in the lower-right corner of the iframe
    5. Important: Do not complete authentication with your second factor, yet.

  3.  In the Duo frame, under the Virginia Tech shield logo, click the Add a new device link.
    Image of the Add a new device link highlighted under the VT shield symbol in the left column
  4. If prompted to Choose an authentication method, authenticate with a second-factor that is different from the second-factor you want to add.

  5. Select the Mobile phone radio button.
    Image of the Mobile phone recommended radio button selected at the top of the selections, and highlighted
  6. Click the Continue button.
  7. Follow the instructions in the 3. Type Your Phone Number section of Duo’s Enrollment Guide page.

  8.  When prompted to choose the type or platform of the device, select the Other (and cell phones) radio button.
    Image of the Other and cell phones radio button selected and higlighted at the bottom of the list of selections

  9. Click the Continue button.
  10. You will see “Device successfully added!”. You may either click the “Continue to login” button, or leave the page.

For more information, see Duo's Enrollment Guide page.

Top of page

Hardware and Software Tokens

For comparison and purchasing information on D-100 and YubiKey tokens, see YubiKey and D-100 Hardware Tokens for Duo 2-Factor Authentication.

Note: The Duo system does not allow you to name or rename any token; each token will be assigned a unique set of characters. 

Enrolling a Duo D-100 Token

(To view information about purchasing the D-100 token, see YubiKey and D-100 Hardware Tokens for Duo 2-Factor Authentication.)

  1. Log on to MyVT Accounts.
    1.  Go to MyVT Accounts, and select My accounts.
      Image of the My Accounts highlighted on the Web page.
    2. On the Login page, type your PID and PID password, and click the Login button. (If you forgot your password, follow the instructions at Changing My Password.)
    3. If you have not yet registered for 2-factor, click the Enroll button.
    4. If prompted to Choose an authentication method, authenticate with a second-factor that is different from the second-factor you want to add.

  2.  Near the bottom of the page, in the 2-factor account section, click the Manage tokens link.
    Image of the Manage tokens link on the MyVT MyAccounts Web page
  3. Under Enrolled Tokens, click the Enroll Token button.
  4. Click the Enroll Hardware OATH Token button.
  5. Select the Duo D-100 radio button.
  6. In the Serial Number text box, type the serial number that can be found on the back of your D-100.

    If the serial number on the back of the token starts with “DSEC”, type all of the characters. Example: DESC00000000

    If the serial number on the back of the token starts with a number (such as 00-0000000-0), type all of the characters without the dashes. Example: 0000000000

  7. Click the Lookup button.
  8. In the text box, type the six-digit numeric code displayed on your D-100 when you press the button on the D-100.
  9. Click the Verify button.
  10. Your D-100 is now added to your account.

The Duo system does not allow you to name or rename any token; each token will be assigned a unique set of characters.

Top of the page

Enrolling a YubiKey as U2F to Use Only in Chrome

(To view the different types of YubiKeys available, see YubiKey and D-100 Hardware Tokens for Duo 2-Factor Authentication.)

As of this writing (4/2016) only the Chrome browser supports U2F tokens.  The YubiKey 4 and Neo tokens support U2F and may be self-enrolled by following the instructions below.

However, if you prefer (or have need of) another browser, the YubiKey 4 and Neo tokens also support AES mode.  YubiKeys may be enrolled in AES mode via MyVT's Accounts' Self-Service Token Enrollment by following the instructions at Enrolling a YubiKey as AES/OTP to Use in Any Browser.

  1. Enable pop-ups in your browser until you are finished adding the token, because this process uses a pop-up window.
  2. Start logging on to MyVT Accounts.
    1.  Go to MyVT Accounts, and select My Accounts.
      Image of the My Accounts highlighted on the Web page.
    2. On the Login page, type your PID and PID password, and click the Login button. (If you forgot your password, follow the instructions at Changing My Password.)
    3. If you have not yet registered for 2-factor, click the Enroll button.
    4. Important: If you receive an automatic call or push notification, in the browser, click the Cancel button.
      Image of the Duo iframe with the Cancel button highlighted which is in the lower-right corner of the iframe
    5. Important: Do not complete authentication with your second factor, yet.

  3.  In the Duo frame, under the Virginia Tech shield logo, click the Add a new device link.
    Image of the Add a new device link highlighted under the VT shield symbol in the left column
  4. If prompted to Choose an authentication method, authenticate with a second-factor that is different from the second-factor you want to add.
  5. On the Add New Device screen, select the U2F Token radio button. (If the browser you are using does not support U2F, this option will be greyed out, and the requirements will be listed after U2F token in parentheses.)
  6. Click the Continue button.
  7. Click the Continue button.
  8. A new window will appear. When prompted, on the physical U2F token, tap in the yellow depressed area, (This area will be back-lit when the token is inserted correctly in the USB slot.), or re-insert and tap the token.
  9. The token will be added to your list of devices.
  10. If you have auto-send enabled, whenever you are prompted for your second factor, you will see "Sending push to your device" and "Login with U2F" even if the token is not in your computer. Complete authentication by either approving the push notification or physically tapping the U2F token. Once authenticated, you may disable auto-send or un-register the U2F token if you like.

If you need help, please submit an incident to 4Help at http://4help.vt.edu requesting assistance enrolling a hardware token.  For more information about U2F and Duo, see the Duo U2F Authenticators and Duo page.

The Duo system does not allow you to name or rename any token; each token will be assigned a unique set of characters.

Top of the page

Enrolling a YubiKey as AES/OTP to Use in Any Browser

(To view the different types of YubiKeys available, see YubiKey and D-100 Hardware Tokens for Duo 2-Factor Authentication.)

  1. If you did not obtain a pre-registered YubiKey from your department or Hokie Centric, go to the Registering and Enrolling YubiKey Using the Personalization Tool section, instead.
  2. Log on to MyVT Accounts.
    1.  Go to MyVT Accounts, and select My Accounts.
      Image of the My Accounts highlighted on the Web page.
    2. On the Login page, type your PID and PID password, and click the Login button. (If you forgot your password, follow the instructions at Changing My Password.)
    3. If prompted to Choose an authentication method, authenticate with a second-factor that is different from the second-factor you want to add.
  3.  Near the bottom of the page, in the 2-Factor Account section, click the Manage tokens link.
    Image of the Manage tokens link on the MyVT MyAccounts Web page
  4. Under Enrolled Tokens, click the Enroll Token button.
  5. Click the Enroll YubiKey OTP Token button.
  6. In the browser window, in the Serial Number text box, type the serial number of the YubiKey.

    The number is usually printed in small letters on the YubiKey. It may also be found on the packaging in which  the YubiKey came.

  7. Click the Lookup button.
  8. When prompted about the token already exist, click the Enroll button.
  9. If you see the Private ID text box, stop following these instructions, and go to the Registering and Enrolling YubiKey Using the Personalization Tool section instead of continuing.
  10. Insert the YubiKey into a USB port of your computer.
  11. Click to place your cursor in the Use the token to generate a Passcode text box.
  12. While the YubiKey is in the USB port of your computer, press the center of your YubiKey for 1 to 3 seconds to generate a string of letters.
  13. If the page does not automatically start loading, click the Submit button.
  14. You should see a message saying you’ve successfully enrolled your YubiKey.

Registering and Enrolling YubiKey Using the Personalization Tool

  1. If you were already using your YubiKey for other services, this procedure will cause it to stop working for those other services.
  2. Configure your YubiKey using the Personalization Tool.

    1. Download and install the YubiKey Personalization Tool from the Yubico website.
      • For Windows:
        1. Click the following link to download the installer: yubikey-personalization-gui-3.1.24.exe.
        2. When the download is complete, in Windows Explorer of File Explorer, double-click the yubikey-personalization-gui-3.1.24 icon that you just downloaded.
        3. If prompted by a user account control window, click the Yes button.
        4. Click the Next button.
        5. To accept the default installation location. click the Next button.
        6. To accept the default Start menu folder, click the Install button.
        7. When the installation is complete, click the Finish button.
      • For Mac OS:
        1. Click the following link to open the Mac App Store to the YubiKey Personalization Tool page: YubiKey Personalization Tool app.
        2. If the Mac App Store does not automatically open, on the Web page, click the View in Mac App Store button.
        3. When the App Store opens and loads, if available, click the Get button.
        4. Click the Install App button.
        5. If prompted to sign in, type your Apple ID email address and Apple ID password, and then click the Sign In button.
          • If you have forgotten your Apple ID or password, see Apple's Having trouble signing in? page.
          • To create an Apple ID and password with an existing email address, go to Apple's Create Your Apple ID page.
          • If you don't have an Apple ID and don't want to create an Apple ID, submit a request to 4Help at http://4help.vt.edu to enroll your YubiKey in person with Identity Management Services (IMS).
    2. Insert your YubiKey into the USB port. Verify it is plugged in correctly by the solid/blinking green light in the middle of the gold circle.
      • In Mac OS, if you see a prompt to set up a new keyboard, close the window, and continue with these instructions.
      • YubiKey Nano users may not see a green light. The upper-right corner of the YubiKey Personalization Tool window should display “YubiKey is inserted”, and the Serial number fields below it should show the serial number that is written on the back.
    3. Start the YubiKey Personalization Tool.

    4.  Under Personalize your YubiKey in:, click Yubico OTP Mode.
      Image of the Yubico OTP Mode link in the YubiKey Personalization Tool program
    5. Click the Quick button.
    6.  Select the Configuration Slot 1 radio button.
    7. Clear the Hide values checkbox to reveal the Private Identity and Secret Key.
    8. Click the Write Configuration button.
      Image of the Configuration Slot 1 radio button
    9. Keep this window open in order to register your token with Duo 2-factor authentication.

    10.  If you see the following window about overwriting the configuration in Slot 1, click the Yes button. This is normal as some YubiKeys come preconfigured with YubiCloud credentials in Slot 1.
      Image of the OK button highlighted in the warning dialog about overwriting configuration slot 1
    11. If prompted to save the log file, we recommend you click the Cancel button to NOT save the log file. (It would contain your private key and can compromise the security of your token.)
  3. Register your token with Duo 2-factor authentication through MyVT Accounts.
    1. Log on to MyVT Accounts.
      1.  Go to MyVT Accounts, and select My Accounts.
        Image of the My Accounts highlighted on the Web page.
      2. On the Login page, type your PID and PID password, and click the Login button. (If you forgot your password, follow the instructions at Changing My Password.)
      3. If prompted to Choose an authentication method, authenticate with a second-factor that is different from the second-factor you want to add.
    2.  Near the bottom of the page, in the 2-factor account section, click the Manage tokens link.
      Image of the Manage tokens link on the MyVT MyAccounts Web page
    3. Under Enrolled Tokens, click the Enroll Token button.
    4. Click the Enroll YubiKey OTP Token button.
    5. Return to the YubiKey Personalization Tool window that you left open. In the right pane, under the image of your token, under the Serial Number heading, to the right of Dec:, click the clipboard icon.
    6. In the browser window, in the Serial Number text box, paste the copied serial number.
    7. Click the Lookup button.
    8. If prompted about the token already exists, click the Enroll button.
    9. If you see the Use token to generate a passcode text box, follow the instructions at the top of this section instead of continuing below.
    10. In the YubiKey personalization Tool, find the token Private ID and Secret Key.
    11. In the YubiKey Personalization Tool window, in the Private Identity (6 bytes Hex) text box, highlight all of the text.
    12. Copy the highlighted text.
    13. In the browser window, in the Private ID text box, paste the copied text.
    14. In the YubiKey Personalization Tool window, in the Secret Key (16 bytes Hex) text box, highlight all of the text.
    15. Copy the highlighted text.
    16. In the browser window, in the Secret Key text box, paste the copied text.
    17. Click the Verify Token button.
    18. Press the center of your YubiKey for 1 to 3 seconds to generate a passcode in the Passcode text box.
    19. Click the Submit button.
    20. You should see a message saying you’ve successfully enrolled your YubiKey.

You can now use your YubiKey as your second factor to login to Duo protected applications and services.

The Duo system does not allow you to name or rename any token; each token will be assigned a unique set of characters.

Top of the page

YubiKey Enrolled as Both U2F and AES

For comparison and purchasing information on YubiKey tokens, see YubiKey and D-100 Hardware Tokens for Duo 2-Factor Authentication.

If your YubiKey has BOTH U2F and AES configured, the Virginia Tech Login system will detect the U2F key automatically.

To authenticate:

      • If you are using Chrome, tap your YubiKey, and it will authenticate with the U2F key.

        Note: If you have auto-send enabled, whenever you are prompted for your second factor, you will see "Sending push to your device" and "Login with U2F" even if the token is not in your computer. Complete authentication by either approving the push notification or physically tapping the U2F token. Once authenticated, you may disable auto-send or un-register the U2F token if you like.

      • If you are not using Chrome:
        1. Click the Enter Passcode button.
        2. Place the cursor in the text box.
        3.  Tap your YubiKey.  The passcode will be generated by the YubiKey for you.
          Photograph of a human index finger hovering over the gold-colored letter "Y" on a YubiKey which is plugged into a USB slot of a computer

Top of the page

Enrolling the WinAuth Software

      1. You must first enroll a different type of device such as a mobile phone, landline telephone, tablet, or token before enrolling with WinAuth . For instructions, see the Enrolling section on this page.
      2. Download and extract the WinAuth program.
        1. Go to the WinAuth Download page.
        2. Under the WinAuth Version X.X heading, click the WinAuth X.X link where X.X is a version number. The link will look similar to: WinAuth 3.3.7.
        3. If prompted, save the file to your computer.
        4. Extract the .zip file that you just downloaded.
          1. When the download is complete, in Windows Explorer of File Explorer, right-click the WinAuth-X.X.zip icon where X.X is a version number.
          2. From the drop-down list, select Extract All....
          3. To accept the default location for the extracted files, click the Extract button. Another window will appear with the extracted file.
      3. Optionally, to pin the icon to the taskbar at the bottom of your screen for easy access:
        1. Right-click the WinAuth icon.
        2. Select Pin to taskbar.
      4. Start WinAuth by double-clicking the WinAuth icon.
      5. The WinAuth window will appear.
      6. Log on to MyVT Accounts.
        1.  Go to MyVT Accounts, and select My Accounts.
          Image of the My Accounts highlighted on the Web page.
        2. On the Login page, type your PID and PID password, and click the Login button. (If you forgot your password, follow the instructions at Changing My Password.)
        3. If prompted to Choose an authentication method, authenticate with a second-factor that is different from the second-factor you want to add.
      7. In MyVT Accounts, start enrolling a software OATH token.

        1.  Near the bottom of the page, to the right of the 2-factor account heading, click the Manage tokens link.
          Image of the Manage tokens link on the MyVT MyAccounts Web page
        2. Under Enrolled Tokens, click the Enroll Token button.
        3. Click the Enroll Software OATH Token button.
        4. Place your mouse cursor over the QR code, and right-click.
        5. Select Copy image address or Copy image location or Copy shortcut or Copy link depending on the browser you are using.
      8. In the WinAuth window:
        1. In the WinAuth window, click the Add button.
        2. Select Authenticator. The Add Authenticator window will appear.
        3. In the Add Authenticator window:
          1. In the Name: text box, type Virginia Tech (ABC) but replace ABC with your PID.
          2. Under step 1, in the text box to the left of the Decode button, right-click, and from the drop-down list, select Paste.
          3. Click the Verify Authenticator button.
      9. In the Accounts window:
        1. Click the Verify Token button.
        2. In the Passcode text box, type the 6-digit code generated in the WinAuth Add Authenticator window under step 4.
        3. Click the Submit button.
      10. In the WinAuth Add Authenticator window:
        1. Click OK.
        2. In the Protection window, verify that the Protect with my own password check box is checked.
        3. In the Password text box, type a new password. Please see the Password Rules and Tips at Virginia Tech page for information on creating a strong password.
        4. In the Verify text box, re-type the new password.
        5. Click OK.
      11. WinAuth is now successfully added. The WinAuth window will now display a 6-digit code you can use as your second factor.

You can now use WinAuth from this computer for 2-factor authentication.

Top of the page

Authenticating with Your Second Factor

Logging on and Authenticating with 2-Factor

      1. Start a Web browser such as Edge, Safari, Chrome, or Firefox.
      2.  Go to MyVT Accounts, and select My Accounts.
        Image of the My Accounts highlighted on the Web page.
      3. On the Login page, type your PID and PID password, and click the Login button. (If you forgot your password, follow the instructions at Changing My Password.)
      4. When prompted to Choose an authentication method, complete authentication with your second factor. For detailed instructions, see the appropriate section below.

Top of the page

What Is an SMS Passcode

An SMS passcode is a unique 6-digit number that can be sent to your mobile device or cell phone via SMS text message. You can use this SMS passcode as your second factor when authenticating. This can be useful as a backup second factor. In other words, if you do not have your mobile device with you when prompted to authenticate with your second factor, you can enter one of the SMS passcodes you received earlier. When you receive the SMS passcodes, save them in a safe place for later use.

You can request a new SMS text message containing a new set of codes be sent to you at any time. At that time, previous codes sent via SMS text message will expire.

Top of the page

Authenticating Using an SMS Text Message Passcode

To get 10 passcodes via SMS text message to your enrolled cell phone (flip phone, "dumb" phone) or smartphone:

      1. Consider whether or not you will be authenticating from outside the continental United States. If you are or will be overseas, see the Authenticating without Internet, Network, or Cellular Service (International / Overseas) section of this document.
      2. Start logging on by following the instructions at Logging on and Authenticating with 2-Factor.
      3. When prompted to select your second factor, from the drop-down list, select a device that can receive SMS text messages. (Your office phone will not work.)
      4. Click the Enter a Passcode button.
      5. Near the bottom of the screen, in the blue bar, click the Send codes button or the Text me new codes button..
      6. When a text message that starts with "SMS passcodes:" arrives to your enrolled mobile phone, open that text message. The text message will contain 10 different passcodes that are each 6-digits long.
      7. In the Web browser, in the Enter your passcode text box, type one of the 6-digit passcodes from the text message you received.

        (These codes do not expire until you use them to authenticate. Once you use one of the codes, you cannot use that same code again. You do not have to use the passcodes in the order given, but it may be easier to remember which ones you have used if you do use them in order, because the first digit of each of the 10 passcodes is sequential. For example: 1XXXXX, 2XXXXX, 3XXXXX. When you use the tenth and last passcode, you will automatically receive an SMS text message with an additional ten passcodes.)

      8. Click the Log In button.
      9. 4Help recommends you write down all of the passcodes on paper and store the paper in a secure place, so that you can use those codes as a backup second factor if your other second factor devices fail or are unavailable.

For more information on using SMS passcodes, see Duo's Using Duo With Any Cell Phone or Landline page.

Top of the page

Authenticating Using 'Call Me' on a Landline

      1. Start logging on by following the instructions at Logging on and Authenticating with 2-Factor.
      2. On the Choose an authentication method screen, click the Call Me button.
      3. Duo will call your phone.
      4. Your phone will ring. When you answer the phone you will hear a prerecorded message from Duo. When the recorded message prompts you to “Press any key on your phone to log in”, press any number on the keypad of your phone (including * or #) to complete log on.

        (Do not press the End Call button.)

        Note: If 1 minute passes before you press a key, the authentication will fail, and you will see the “Error during call: No keys pressed.” message.

      5. Successful login. You will now be logged on to and transferred to the application or Web site that you logged on to.

Top of the page

Authenticating Using the Duo D-100

(To view the different types of hardware tokens available and purchasing information, see YubiKey and D-100 Hardware Tokens for Duo 2-Factor Authentication.)

      1. Start logging on by following the instructions at Logging on and Authenticating with 2-Factor.
      2. When prompted to select your authentication method, click the green Enter a Passcode button.

        (The Device drop-down list can be set to any selection.)

      3. Push the physical button on the D-100 device. A 6-digit passcode will be displayed on the D-100 for a short time.
      4. In your browser, on the "Login with 2-Factor" screen, type the 6-digit code displayed.
      5. In your browser, click the green Login button.
      6. If you see an error about invalid passcode, follow the instructions at D-100 Incorrect Passcode Error or Token Out of Sync.

Top of the page

Authenticating with a Passcode from Duo App or MyVT Accounts

Duo Push requires Internet or cellular connectivity; however, the Duo Mobile app does not require network or cellular connection to generate a passcode.

      1. It is required that you have either already installed and enrolled the Duo app or already printed passcodes after logging into MyVT Accounts.
      2. Start logging on by following the instructions at Logging on and Authenticating with 2-Factor.
      3. In your browser, on the Login with 2-Factor screen, when prompted for a second factor, click the Enter a Passcode button.
        • To use the Duo app:
          1.  On your smartphone, start the Duo Mobile app.
          2. To the right of Virginia Tech, tap the key icon. This generates a 6-digit passcode that can only be used once.

            Image of the key icon highlighted in a representation of the Duo app on an iPhone
          3. In the browser, in the text box, type the 6 digits.
          4. Click the Login button.
        • To use printed codes from MyVT Accounts:
          1. In the browser, in the text box, type one of the sets of 6 digits that you have not used from the piece of paper.
          2. Click the Login button.

Top of the page

Authenticating with a YubiKey

(To view the different types of YubiKeys available, see YubiKey and D-100 Hardware Tokens for Duo 2-Factor Authentication.)

      1. Insert the YubiKey into a USB slot on your computer. A colored light will come on to indicate that the YubiKey is inserted correctly.
      2. Start logging on by following the instructions at Logging on and Authenticating with 2-Factor.
      3. When prompted for a second factor (voice, push, passcode, etc.):
        • If you are using Chrome, tap your YubiKey and it will use the U2F key.

          Note: If you have auto-send enabled, whenever you are prompted for your second factor, you will see "Sending push to your device" and "Login with U2F" even if the token is not in your computer. Complete authentication by either approving the push notification or physically tapping the U2F token. Once authenticated, you may disable auto-send or un-register the U2F token if you like.

        • If you are not using Chrome:
          1. Click the Enter a Passcode button.
          2. Click to place the cursor in the text box.
          3. Tap your YubiKey. The passcode will be generated by the YubiKey for you.

Top of the page

Manage / Change Preferences and Settings

Important: To see My Settings & Devices, you must use an incognito / InPrivate / private browsing window or a different browser, and do not authenticate with your second factor until after clicking the My Settings & Devices link.

Manage Existing 2-Factor Devices and Preferences

      • To enable or disable auto-send push notifications, see the Enable or Disable Auto-Send (Duo Push) section of this page.
      • To:
        • Change your default second factor device,
        • Reactivate the Duo Mobile app,
        • Change the display name of a device, or
        • Remove or delete a device:
          1. In your browser, open a new Chrome incognito / Edge inPrivate / Firefox private window.

          2.  Go to MyVT Accounts, and select My Accounts.
            Image of the My Accounts highlighted on the Web page.
          3. On the Login page, type your PID and PID password, and click the Login button. (If you forgot your password, follow the instructions at Changing My Password.)

          4.  Important: If you receive an automatic call or push notification, in the browser, click the Cancel button.
            Image of the Duo iframe with the Cancel button highlighted which is in the lower-right corner of the iframe
          5. Important: Do not complete authentication with your second factor, yet.

          6.  In the Duo frame, under the Virginia Tech shield logo, click the My Settings & Devices link.
            Image of the Duo iframe prompting for a second factor, with the My Settings & Devices link highlighted, which is the third link under the VT shield logo
          7. Complete the authentication with your second factor to access My Settings & Devices.
          8. Follow the instructions in the appropriate section of the Managing Your Devices page to add, remove, or rename a device, or reactive Duo Mobile app.

Top of the page

Enroll Additional Device

We recommend you enroll more than one device to use as a second factor device.

Note that if you are trying to enroll another device and you have checked the box to automatically send a push to your mobile device, you first need to cancel the push notification.

Follow the appropriate instructions in the Enrolling section of this document corresponding to the type of device you want to use as another second factor.

For more information on enrolling multiple devices, see Duo's Managing Your Devices page under the Add a New Device section.

Top of the page

Enable or Disable Auto-Send (Duo Push)

Important: When you enable this auto-send feature, the "Remember Me for 7 days" feature cannot be turned on. In other words, you cannot use both auto-send and "Remember Me for 7 days".

If you have auto-send enabled, whenever you are prompted for your second factor, you will see "Sending push to your device" and "Login with U2F" even if the token is not in your computer. Complete authentication by either approving the push notification or physically tapping the U2F token. Once authenticated, you may disable auto-send or un-register the U2F token if you like.

      1. In your browser, open a new Chrome incognito / Edge inPrivate / Firefox private window.

      2.  Go to MyVT Accounts, and select My Accounts.
        Image of the My Accounts highlighted on the Web page.
      3. On the Login page, type your PID and PID password, and click the Login button. (If you forgot your password, follow the instructions at Changing My Password.)

      4.  Important: If you receive an automatic call or push notification, in the browser, click the Cancel button.
        Image of the Duo iframe with the Cancel button highlighted which is in the lower-right corner of the iframe
      5. Important: Do not complete authentication with your second factor, yet.

      6.  In the Duo frame, under the Virginia Tech shield logo, click the My Settings & Devices link.
        Image of the Duo iframe prompting for a second factor, with the My Settings & Devices link highlighted, which is the third link under the VT shield logo
      7. Complete the authentication with your second factor to access My Settings & Devices.
      8. Turn auto-send on or off:
        • To turn auto-send on:
          1.  At the bottom of the Duo frame, from the Default Device: drop-down list, select the telephone device that you want to automatically be used each time you sign into a service that requires 2-factor.
            Image of the Device Options and When I log in drop-down lists set to enable Duo Push
          2. From the When I log in: drop-down list, select either Automatically send this device a Duo Push or Automatically call this device.
          3. Click the Save button.
        • To turn auto-send off:
          1.  At the bottom of the Duo frame, from the Default Device: drop-down list, select the device the device that is currently being used automatically.
            Image of the Default Device and When I log in drop-down lists set to disable Duo Push
          2. From the When I log in: drop-down list, select Ask me to choose an authentication method.
          3. Click the Save button.

'Remember me for 7 days'

When prompted to select your authentication method, there is a Remember me for 7 days checkbox.

If you place a check in this checkbox and successfully authenticate with your second factor, you will not be prompted for your 2nd factor again for 7 days when:

      • on this computer, and
      • using this browser.

This will remain in effect for 7 days, even if you use the "CAS Logout" feature

You will still be prompted for your PID and PID password when logging on, but not for your second factor

Top of the page

Remove a Device or Second Factor

      1. In your browser, open a new Chrome incognito / Edge inPrivate / Firefox private window.

      2.  Go to MyVT Accounts, and select My Accounts.
        Image of the My Accounts highlighted on the Web page.
      3. Log on with your PID and PID password. (If you have forgotten your PID password, follow the instructions at Changing My Password.)

      4.  Important: If you receive an automatic call or push notification, in the browser, click the Cancel button.
        Image of the Duo iframe with the Cancel button highlighted which is in the lower-right corner of the iframe
      5. Important: Do not complete authentication with your second factor, yet.

      6.  In the Duo frame, under the Virginia Tech Shield logo, click the My Settings & Devices link.
        Image of the Duo iframe prompting for a second factor, with the My Settings & Devices link highlighted, which is the third link under the VT shield logo
      7. Complete the authentication with your second factor to access My Settings & Devices.
      8. Follow the instructions under the Remove Device heading on Duo's Managing Your Devices page to remove and delete a device.

Top of the page

Print Passcodes from MyVT Accounts

This will cause any passcodes you previously printed from MyVT Accounts to not work. However, passcodes received in an SMS text message will continue to work.

  1. You must be able to authenticate with a second factor for these instructions. (If you cannot authenticate with any second factor, follow the instructions at Lost, Forgot, Broke, or Unavailable 2-Factor Device instead.)
  2.  Go to MyVT Accounts, and select My Accounts.
    Image of the My Accounts highlighted on the Web page.
  3. On the Login page, type your PID and PID password, and click the Login button. (If you forgot your password, follow the instructions at Changing My Password.)
  4. When prompted to Choose an authentication method, complete authentication with your second factor.
  5.  Near the bottom of the page, in the 2-Factor Account section, click the Print passcodes link.
    Image of the Print Passcodes link to the left of the Manage tokens link
  6. To confirm that you understand the warning displayed, click the Yes, generate button.

  7.  To start your printer's dialog window, click the Print button on the MyVT page.
    Image of the Print button below the list of codes on the  Web page
  8. Your printer settings will appear. Select the printer you want to use and settings, and click OK.
  9. Store the paper in a secure location, and use a pencil or pen to mark when you use each code. Each code can only be used once.
  10. Any Duo passcodes you previously printed from MyVT Accounts will no longer work.

Common Issues and Problems

Lost, Forgot, Broke or Unavailable 2-Factor Device

If you temporarily misplaced your primary 2-factor device, left or forget it at home, broke it, or otherwise can't use it to authenticate:

      1. If you have an additional device enrolled, use that second device to authenticate.
      2. If you have no other devices enrolled, call 4Help at (540) 231-4357 to have an operator assist you in enrolling another device after verbally verifying your identity.

Top of the page

Authenticating without Internet, Network, or Cellular Service (International / Overseas)

When outside of the continental United States, 4Help highly recommends authenticating with a passcode from your Duo App or MyVT or a previously enrolled D-100 or Yubikey token because of their ease of use.

Authenticating via voice call or SMS text message when outside of the continental United States may not work because Duo rate charges exceed Virginia Tech's limit of 20. It is very important to note the credit rate for the location where you will be authenticating. As seen on Duo's Rate Card page, Duo will not send a voice call or SMS text message if a single phone call or SMS text message uses more than 20 credits. For additional information and rates that apply to your location, see Duo's Rate Card page.

(If you currently do not have access to any method of authenticating with a second factor and need to get logged in temporarily, follow the instructions at Lost, Forgot, Broke, or Unavailable 2-Factor Device.)

In case you need to authenticate without Internet or cellular service in the future, 4Help advises doing at least one of the following when you are on campus:

Top of the page

Duo Mobile App Errors, Problems, and Connection Issues / Duo Push Not Received

Occasionally you may experience connectivity issues between your mobile device and the Duo Mobile app such as not receiving Duo Push notifications or timeout errors. This problem is often resolved by refreshing the Duo Mobile app. To do that:

      1. If you recently disabled or turned off your phone's airplane mode, wait 5 minutes before proceeding.
      2. On your device, start the Duo Mobile app.
      3. Between the Virginia Tech logo and the key, tap and pull down on the window, and then release.
      4. The app will be refreshed.

Top of the page

Duo Window Frame Doesn't Load or Is Blank

Go to the Duo Security Status Web page, and look for any interruption of service.  If that Web page does not list any issues, then one of these conditions may be causing the problem:

      • You have a firewall installed on your device and it is preventing your browsers from reaching Duo.
      • You have Parental Controls or other restrictions on your device and that is preventing your browsers from reaching Duo.

If you have difficulty correcting these issues, submit an incident at http://4help.vt.edu for assistance.

Top of the page

Can't Add New Device, Access or Manage My Settings and Devices / 2-Factor Automatically Skipped / "Remember me for 7 days" Greyed Out

If you have any of the following enabled:

      • Auto-send (Duo Push notifications)
      • Auto-call
      • "Remember me for 7 days"

You will bypass and skip all of the 2-factor pages and prompts.

To get to "Add a new device" or "My Settings and Devices" or to enable or disable "Remember me for 7 days":

  1. In your browser, open a new Chrome incognito / Edge inPrivate / Firefox private window.
  2.  Go to MyVT Accounts, and select My Accounts.
    Image of the My Accounts highlighted on the Web page.
  3. Log on with your PID and PID password. (If you have forgotten your PID password, follow the instructions at Changing My Password.)

  4.  Important: If you receive an automatic call or push notification, in the browser, click the Cancel button.
    Image of the Duo iframe with the Cancel button highlighted which is in the lower-right corner of the iframe
  5. Important: Do not complete authentication with your second factor, yet.
  6. In the Duo frame, under the Virginia Tech Shield logo, click the link you want.
  7. Complete the authentication with your second factor to access My Settings & Devices or Add a new device.

Top of the page

Browser Doesn't Remember Me

The "Remember Me" functionality requires persistent cookies in your browser.  If your browser is not remembering that you checked the "Remember Me" box, then check the cookie settings of your browser. To find information on the cookie settings of your browser, click the following link to search Google: browser cookie settings.

Chrome's "incognito" setting, Firefox's "private window", and Internet Explorer's/Edge's "InPrivate" settings will affect this behavior and the "Remember Me" feature will not work.

'Remember me for 7 days' while Blocking Cookies

If you set your browser to block all cookies, the 'Remember me for 7 days' feature will not work. To fix this, allow "duosecurity.com" as an trusted exception. To do this:

  • Internet Explorer
    1. Close Internet Explorer.
    2. Click the Start button.
    3. Type: internet options
    4. As you type, results will appear and change. Select Internet Options.
    5. Select the Privacy tab.
    6. Under the Settings heading, click the Sites button.
    7. In the Address of website: text box, type duosecurity.com
    8. Click the Allow button.
    9. Click OK.
    10. Click OK to close the Internet Properties window.
  • Firefox
    1. In Firefox, in the top-right of the window, click the hamburger menu button represented by three horizontal lines.
    2. Click the Options icon.
    3. In the left pane, select Privacy.
    4. To the right of Accept cookies from sites, click the Exceptions... button.
    5. In the Address of website: text box, type: duosecurity.com
    6. Click the Allow button.
    7. Click the Save Changes button. You may close the Options tab.
  • Chrome
    1. In Chrome, near the top-right of the window, click the hamburger menu button represented by three horizontal lines.
    2. From the drop-down list, select Settings.
    3. Scroll to the bottom of the Settings.
    4. Click the Show advanced settings... link.
    5. Under the Privacy heading, click the Content settings... button.
    6. Click the Manage exceptions... button.
    7. Under Hostname pattern, in the text box, type: duosecurity.com
    8. Verify that the drop-down list to the right is set to Allow.
    9. Click the Done button.
    10. To close the Content settings window, click the Done button.

Top of the page

Using 2-Factor without a Mobile Device

2-factor can be used with landlines and hardware tokens in addition to mobile phones and tablets. Employees who have university landlines should enroll their landlines by following the instructions at Enrolling a Landline.

Although mobile phones, tablets and landlines are the preferred options, hardware fobs and tokens that use the OATH (HOTP or TOTP) and YubiKey AES protocols are supported. Universal 2-factor (U2F) is also supported. 

Top of the page

I Don't Want the Duo App on My Phone

You can use your phone as your second factor without using the Duo App. To do this:

      • Enroll your smartphone or cell phone as Other (including cellphones) by following the instructions at Enrolling a Cellphone ('Dumb' Phone / Non-Smartphone). This will allow you to receive SMS codes or a telephone call to your phone and use the given code as your second factor.
      • Enroll your smartphone or cell phone as Landline by following the instructions at Enrolling a Landline. This will allow you to receive a telephone call to your phone and use the given code as your second factor.
      • Enroll a landline at your office or other location as Landline by following the instructions at Enrolling a Landline. This is useful when you are physically close to the telephone.

Top of the page

What if I Get a New Phone

      • If you get a new phone with the same phone number, and you only want a phone call or SMS messages, you don't have to do anything.
      • If you want to use Duo Push or passcodes from the Duo App on the new phone, you need to re-activate your new phone by doing the following:
        1. Install the Duo Mobile app on the new phone, by following the instructions at Enrolling a Smartphone, Tablet, or Mobile Device by Installing the Duo Mobile App.
        2. When prompted to authenticate with your second factor:

          1.  Important: If you have auto-send enabled, click Cancel. Do not continue authenticating.
            Image of the Duo iframe with the Cancel button highlighted which is in the lower-right corner of the iframe

          2. Click the My Settings & Devices link.
            Image of the Duo iframe prompting for a second factor, with the My Settings & Devices link highlighted, which is the third link under the VT shield logo

        3. To get to My Settings & Devices, authenticate with a second factor other than Duo Push, such as Call Me or Enter a Passcode.
        4.  To the right of your mobile device, click the Device Options button.
          Image of the Device Options button highlighted int he Duo frame

        5. Click the Reactivate Duo Mobile button.
          Image of the Reactivate Duo Mobile button under the device name

        6. Follow the on-screen prompts to finish enrolling the new phone.

          For help or more information, see Duo’s Enrollment Guide page.
      • If you get a new phone with a different phone number, enroll it as a new device by following the instructions at Enrolling a Smartphone, Tablet, or Mobile Device by Installing the Duo Mobile App.

Top of the page

Token as Default Authentication Factor

Duo does not provide the option to set a U2F, D-100, or other token as the default authentication method, because those devices are not capable of receiving an automatic authentication prompt. Only devices that can receive a notification (such as a smartphone with the Duo app or any type of telephone that can receive a voice call) can be your default authentication method.

However, you can authenticate with a U2F, D-100, or other token any time you are prompted for a second factor. Click the Enter a Passcode button and complete authentication with your token. If a push notification or automatic phone call has been sent, you can ignore that and authenticate with your token instead. The token does not need to be selected in the Device drop-down list in order for token authentication to work.

Note: The Duo system does not allow you to name or rename any token; each token will be assigned a unique set of characters. 

Can't Scan QR Code when Enrolling / Enrolling without Computer

To activate Duo Mobile when you cannot get the barcode to scan, or when you only have access to a single screen or device:

      1. Start enrolling a smartphone by following the instructions at Enrolling a Smartphone, Tablet, or Mobile Device by Installing the Duo Mobile App.
      2. When you get to the QR code screen, depending on the type of device:
        • Smart Phone
          1. On the Activate Duo Mobile screen, tap the Having Problems? We'll send you an activation link instead. link. (You may have to scroll down to see this link.)
          2. In the text box, type an email address that you can access with your mobile device.
          3. Tap Send email. You may need to scroll down to see all the instructions.
          4. You will receive an email from no-reply@duosecurity.com. Open that email on the device you want to activate.
          5. In the email, tap the activation link.
          6. If you see a message that says "Visit this link on your phone to add your account to Duo Mobile:", either your selection of platform was incorrect, or you have opened the email on the wrong device. To fix this, re-enroll your device by following the instructions at this section from the beginning.
          7. If you see a Complete the action message:
            1. Tap Duo.
            2. Tap Always.
          8. You will see Account Added Successfully. Virginia Tech will appear in your Duo Mobile app. Tap Continue.
          9. Within the Duo window, you will see Device successfully enrolled. Under Enrolled Devices (PID), your device will be listed. You may need to scroll down to see the entire list.
          10. Tap Done.
          11. You will see the normal Duo login prompt. Login with your newly-enabled device.
        • Tablet
          1. Select the radio button corresponding to the OS of your device.
          2. Tap Continue.
          3. On the Activate Duo Mobile screen, tap the Having Problems? We'll send you an activation link instead. link.
          4. In the text box, type an email address that you can access with your mobile device.
          5. Tap Send email. You may need to scroll down to see all the buttons.
          6. You will receive an email from no-reply@duosecurity.com. Open that email on the device you want to activate.
          7. In the email, tap the activation link.
          8. If you see a message that says "Visit this link on your phone to add your account to Duo Mobile:", either your selection of platform was incorrect, or you have opened the email on the wrong device. To fix this, re-enroll your device by following the instructions in this section from the beginning.
          9. If you see a Complete the action message:
            1. Tap Duo.
            2. Tap Always.
          10. You will see Account Added Successfully. Virginia Tech will appear in your Duo Mobile app. Tap Continue.
          11. Within the Duo window, you will see Device successfully enrolled. Under Enrolled Devices (PID), your device will be listed. You may need to scroll down to see the entire list.
          12. Tap Done.
          13. You will see the normal Duo login prompt. Login with your newly-enabled device.

Top of the page

Accidentally Deleted Device / Account Removed from Duo App

If you accidentally delete your account or device, that account or device will be unusable until it is re-enabled.

We strongly recommend enrolling at least two devices, one of which should be a phone, so that if you get locked out, for whatever reason, you can get a SMS code and get in to manage your devices. However, if you only have one device enrolled and your account or your device gets deleted, here is how you recover:

Deleted Account

      1. Attempt to login to Duo.
      2. Request SMS passcodes.
      3. Use one of the SMS passcodes to get to Manage Devices.
      4. Add a land line, because you can't remove the last device.
      5. Remove the device from which you removed the account.
      6. Add the device back to your Duo account.
      7. Scan the barcode.
      8. Get the account put back onto your Duo app.

This process will work unless your device is registered to multiple accounts. If so, you will need to remove your account from all of the devices before Duo will prompt for the barcode again.

If you have only one device and it is not a phone, you will not be able to receive SMS messages. The "download SMS codes" link is only displayed on phones. If you only have a tablet, you will need to contact 4Help and ask for a bypass code.

Deleted Device

      1. Attempt to login to Duo.
      2. Request SMS passcodes.
      3. Use one of the SMS passcodes to get to Manage Devices.
      4. Add the device back.
      5. Scan the barcode.

If you have only one device and it is not a phone, you will not be able to receive SMS messages. The "download SMS codes" link is only displayed on phones. If you only have a tablet, you will need to call the administrator, and ask for a bypass code.

Top of the page

Nuance Dragon 13 Web Extension causes 2-Factor to Fail

There are 2 separate methods for both Firefox and Chrome. Each method is listed separately below.

      • Chrome
        • Disable the extension
        • Use an incognito window
      • Firefox
        • Disable the extension
        • Use a new private window

Method 1 Google Chrome: Disable the Nuance Dragon 13 Web Extension

      1. Click the Customize and control Google Chrome button, which is represented by three horizontal lines, in the top-right of the browser.
      2. Select Settings.
      3. Under Chrome at the top-left of the page, click Extensions.
      4. Deselect the Enable check box for Dragon Web Extension.
      5. Return to the address of your failed Login attempt and try again. You will need to retype the address.
      6. After providing valid credentials for Login, the Duo interface should now be accessible.

Method 2 Google Chrome: Use an Incognito Window

      1. Click the Customize and control Google Chrome button, which is represented by three horizontal lines, in the top-right of the browser.
      2. Select New incognito window.
      3. Browse to the address of the failed Login attempt in the new incognito window.
      4. After providing valid credentials for Login, the Duo interface should now be accessible.

Method 1 Firefox: Disable the Nuance Dragon 13 Web Extension

      1. Click the Open menu button, which is represented by three horizontal lines, in the top-right of the browser.
      2. Select Add-ons.
      3. Click the Disable button for Dragon Web Extension.
      4. Return to the address of your failed Login attempt and try again. You will need to retype the address.
      5. After providing valid credentials for Login, the Duo interface should now be accessible.

Method 2 Firefox: Use a New Private Window

      1. Click the Open menu button, which is represented by three horizontal lines, in the top-right of the browser.
      2. Select New Private Window.
      3. Browse to the address of the failed Login attempt in the New Private Window.
      4. After providing valid credentials for Login, the Duo interface should now be accessible.

Top of the page

D-100 Incorrect Passcode Error or Token Out of Sync

When a token is out of sync, the following error message is displayed when trying to authenticate:  "Incorrect passcode. Please try again." Tokens can become out of sync if 20 different codes are displayed without using one of the codes to authenticate to Duo.

To re-sync a token and fix this:

      • If you do not have access to a second factor other than your D-100, call 4Help at 540 231 4357.  Duo administrators will re-sync the token for you.
      • If you have access to a second factor other than your D-100, you can re-sync your own D-100 token. To do so:
        1. Go to the MyVT Accounts page.
        2. Click the My Accounts link.
        3. Log on with your PID and PID password.
        4. When prompted to authenticate, use a second factor that is not your D-100.
        5. To the far right of 2-factor account, click the Manage tokens link.
        6. Under Enrolled Tokens, to the right of the serial number of the token that is out of sync, click the Resync link.
        7. In the three text boxes, type three consecutive 6-digit passcodes from the D-100.
        8. Click the Resynchronize button.

Top of the page

Other Questions

VT Google Apps 2-Step Verification and Duo Mobile

The Duo Mobile app can be used on your mobile device instead of Google Authenticator. After you have installed Duo Mobile, follow the instructions at Google's Turn on 2-Step Verification page, but when you reach the step that says, "Open the Google Authenticator application," start the Duo Mobile application instead.

For more information, see the VT Google 2-Step Verification. Page.

Top of the page

More Information / Duo User Guide

For more information on these and other topics, see Duo's Guide to Two-Factor Authentication Web site.

Keywords: 2 factor, two factor, 2factor, 2FA, 2-step, 2 step

 


Was this helpful?
YesNo
Rate this article