Two-Factor Authentication (Duo)


 

This article serves as a guide for managing Two-Factor Authentication (2FA) using Duo Mobile.

2FA adds an extra layer of security to your account by combining:

The focus of this article is on setting up 2FA on your smartphone using the Duo Mobile app. Although other 2FA methods are available, as described in the panels below, using the Push Notification option in Duo is strongly encouraged for the best experience. Additionally, 2FA is required for all active members of the university community.

The Duo Mobile app is available in Google's Play Store and Apple's App Store. The app can be installed on most smartphones and on some tablets.

Note: Duo Mobile is a secure, popular 2FA service that can be used to log in to accounts other than those at the university. Duo can also be used as an alternative to Google Authenticator for logins to Instagram, Snapchat, PayPal, Amazon, and more. UITS support for Duo Mobile is for UA accounts only. For more information, see Duo's Third-Party Accounts website.
Note: These instructions use an iPhone, but you can apply them to Android as long as you can install apps from the Play Store.

Instructions

  1. Download and install the Duo Mobile application from your device's app store.

    Note: Search for Duo Mobile (the logo is a green square with white lettering) to make sure you are installing the correct app.

  2. Open the installed app and Accept the End User License Agreement.

With Duo Mobile installed, you are ready to go to the next panel where you'll enroll your smartphone in 2FA.

Enroll and Activate Your Cellphone

After you install Duo Mobile on your smartphone, follow these steps to enroll your smartphone in 2FA for the first time.

Note: If you have previously activated Duo Mobile with the same phone number, please review Reactivate 2FA.
  1. Go to the 2FA Portal.
  2. Select Enroll in Duo.
  3. Enter the requested information, such as
    1. NetID
    2. Student/Employee ID number
    3. Date of Birth
  4. Choose one of the verification Account Recovery Options to log in.
  5. Confirm the login.
  6. Scroll down and select Add New Device.
  7. Choose the radio button for your platform (Apple iOS or Google Android).
  8. Enter a Nickname for your device (this will help you find your device later).
  9. If your device can receive text messages, check the box for "This device can receive SMS (text messages)."
  10. Enter your phone number.

    [Screenshot: Add a device]
  11. Select Next.
  12. Click on Yes, Send Code if the number shown is correct.
  13. Enter the verification code you received via SMS text and click Confirm.
  14. In the app, select Add > Use QR code.
  15. Activate the Duo application:
    1. Using a computer: Use your phone to scan the QR code on your computer screen.
    2. Using only your phone: Tap the enrollment link or choose the SMS option to get a verification code sent to you.
      Note: Duo will present a list of numbers in the app that are used for login purposes. You do not need to save these numbers.
  16. Select Done.

    [Screenshot: Activate 2FA device]

Once you activate your account, follow these instructions to verify that your 2FA is functioning. You can use your Duo credentials to log in to all U of A resources that are behind NetID.

Note: If you use Duo from an unusual location, or if Duo identifies unusual activity on your account, you may be asked to complete an additional authentication step. Please see the Duo - Risk-Based Authentication article for details.

Use the instructions below to log in to UAccess using a Duo Mobile Push on your device.

  1. Navigate to the UAccess portal and select the UAccess application of your choice.
    (For example: UAccess Student or UAccess Employee)
  2. Enter your NetID and password when prompted and select LOGIN.
  3. Your computer screen directs you to check your device for a Duo push.

    [Screenshot: Check for Duo push]
    Note: If you have previously logged in to 2FA, the default method will be the option that you last used. If you want to use a different method, click the Other Options button.

    Optional: If you wish to use a Duo Mobile passcode instead of the Duo Mobile Push, skip down to the bottom of this panel.
  4. Check your smartphone for a notification from Duo and select Approve.

    [Screenshot: Approve login]
    Note: ONLY select Approve if you are actively attempting to log in using Duo.
  5. Confirm your identity on the browser screen as follows:

    [Screenshot: Is this your device]
    Note: ONLY confirm your identity if you are not using a shared device.
  6. If you are presented with the following screenshot, click on the checkbox to Trust this browser for 30 days.

    [Screenshot: Trust browser]
    Note: Depending upon the service to which you are logging in, you may or may not see this prompt within the 30-day time frame. Our recommendation is that if you want your browser to retain your credentials, you should always check the box as long as you are not on a shared device. Do not use this option on shared devices.
  7. Select Continue to application.
  8. You have successfully logged into UAccess.
 

(Optional) Use a Duo Mobile Passcode

  1. If desired, you can log in with a Duo Mobile passcode instead of using the Duo Mobile Push.

    Note: Duo Mobile can generate passcodes in 30-second windows for offline access.
    1. Select the Other options link.

      [Screenshot: Other options]
    2. Select Duo Mobile passcode.

      [Screenshot: Duo Mobile passcode option]
    3. Open the Duo Mobile app on your device and tap the Refresh Passcode link to generate a new code.
    4. Enter the code into the passcode field on your computer and select Verify.
    5. The rest of the process is the same as the Duo Mobile Push continuing from step 5 above.

After setting up Duo Mobile on your mobile device, it's important to regularly verify all the devices connected to your account. This is a key information security practice, as unfamiliar devices on your account could mean it has been compromised.

Note: For enhanced security and easier account recovery, the university recommends configuring two backup options:
  • Set up an additional device (connected to your main Duo Mobile account).
  • Establish a Lifeline, which is a phone number belonging to a trusted contact who can assist you in regaining access if you are locked out.

To confirm your account devices, you can follow the steps you used to enroll your smartphone in 2FA:

  1. Go to the 2FA Portal.
  2. Click Manage your Account and follow any prompts that appear to log in.
  3. Locate the My Devices section.
  4. Confirm that all the listed devices are the ones you recognize.
  5. Select the Settings gear icon to view the device details.
  6. Select Remove device to remove any unfamiliar devices or devices you are not using.

Immediately perform a Password Reset (NetID) if you notice any unfamiliar devices listed on your account.

Please contact the 24/7 Support Center if you need additional assistance.

2FA account lockouts occur after four (4) failed attempts. The actions listed below will cause failed attempts. Any combination of the following four actions will cause your 2FA account to be locked:

Failed Duo Push

  • Duo Mobile will time out if you don't accept the Duo Push notification within 60 seconds.
  • If you are NOT attempting to log in using Duo, you should deny any Duo Push notification that appears on your device.
    Note: Selecting Deny registers as a failed attempt.

Invalid Duo Mobile Passcodes

  • Do not use invalid Duo Mobile passcodes.
    • The passcode on display is valid until you either generate another passcode or close the application.

Invalid or expired SMS Passcodes

  • Note: SMS passcodes are not described in this article and are not recommended as your primary option (push notifications are the recommended option); however, if you have set up SMS passcodes through Duo, they will expire six (6) days after they are sent to your device. Do not use old text message codes once you generate new codes. You must use the code from the most recent NetID+ text message.
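
The lockout rules above, modelled as an added Python example (not part of the original article, and not Duo's or the university's code). The event fields and sample attempts are constructed; the article does not say whether a successful login resets the count, so this model assumes it does not.

```python
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 4                  # failed attempts before lockout (per the article)
PUSH_TIMEOUT = timedelta(seconds=60)   # a push must be approved within 60 seconds
SMS_LIFETIME = timedelta(days=6)       # SMS passcodes expire six days after being sent

def is_failure(ev):
    """True if one attempt counts as failed under the rules described above."""
    if ev["kind"] == "push":
        # Deny and no-response/timeout both register as failed attempts.
        return ev["response"] != "approve" or ev["waited"] > PUSH_TIMEOUT
    if ev["kind"] == "app_passcode":
        return ev["entered"] != ev["displayed"]
    if ev["kind"] == "sms_passcode":
        expired = ev["at"] - ev["sent"] > SMS_LIFETIME
        superseded = ev["sent"] < ev["latest_sent"]   # a newer text message exists
        return expired or superseded or not ev["code_matches"]
    raise ValueError(f"unknown attempt kind: {ev['kind']}")

def failures_until_lockout(events):
    """Return (failed_count, index of the attempt that locks the account or None)."""
    failed = 0
    for i, ev in enumerate(events):
        if is_failure(ev):
            failed += 1
            if failed >= LOCKOUT_THRESHOLD:
                return failed, i
    return failed, None

# Constructed sample attempts (hypothetical field names, not a Duo log format).
NOW = datetime(2024, 1, 10, 9, 0)
SAMPLE = [
    {"kind": "push", "response": "approve", "waited": timedelta(seconds=12)},
    {"kind": "push", "response": "deny", "waited": timedelta(seconds=5)},
    {"kind": "push", "response": None, "waited": timedelta(seconds=61)},
    {"kind": "app_passcode", "entered": "123456", "displayed": "654321"},
    {"kind": "sms_passcode", "at": NOW, "sent": NOW - timedelta(days=7),
     "latest_sent": NOW - timedelta(days=7), "code_matches": True},
]

if __name__ == "__main__":
    print(failures_until_lockout(SAMPLE))
```

Mixing a denied push, a timed-out push, a wrong app passcode and an expired SMS code reaches the threshold, which is why a run of unexpected push prompts that you deny can lock the account as well as protect it.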