Duo Two-Factor Authentication (2FA)

Duo Logo
Planning to travel internationally? Update your Duo phone number, use the Duo Mobile app, and download spare passcodes before leaving the US.

Duo Security is the 2FA provider for the North Dakota University System, and its 11 Higher Ed institutions, including UND. 2FA, or two-factor authentication adds a second layer of security to your NDUS/UND accounts. Verifying your identity using a second factor (like your phone or other authentication device you have with you) prevents anyone but you from logging in, even if they know your password. Here's how it works:

How It Works Graphic

  1. Enter your username and password as usual
  2. Use your registered device to verify your identity
  3. That's it! You'll be logged in securely.

Once you've enrolled an authentication device, you're ready to go. You can verify (authenticate) via a Push notification through the Duo Mobile app, a voice call, a USB Security Key, or a single-use passcode.

Enroll in Duo 2FA

When using NDUS/UND credentials to log in to a system/site for the first time, Duo will prompt users to enroll and add an authentication device. First-time users can also visit portal.ndus.edu to initiate Duo enrollment.
Enrolling a smartphone or tablet must be done from an additional computer or device.

NDUS Portal Login Screen

When prompted, enter your user.name credentials, select Log In, then Start setup to begin enrolling a device.

Unable to receive calls or texts on your smartphone?

What type of device are you adding?

Select the type of device you would like to enroll and click Continue. UIT recommends using a smartphone for the best experience, but you can also enroll a land-line telephone, a USB security key, Touch ID, or an iPad/Android tablet.

Enter your phone number

Select your country from the drop-down menu and enter your phone number. Use the number of the smartphone, landline, or cell phone that you have with you when logging in to a Duo-enabled account.

Verify that you entered the phone number correctly, check the box, and click Continue.

What type of phone is this?

Choose your device's operating system and click Continue. Options include iPhone, Android, Windows Phone, or Other (and cell phones).

Install Duo Mobile

Install Duo Mobile prompt

If you choose to enroll a smartphone or tablet, you will be prompted to install Duo Mobile on that device. Duo Mobile is an app that helps you authenticate quickly and easily. Without it, you'll still be able to log in using a phone call, passcode, or USB security key, but for the best experience, UIT recommends that you use Duo Mobile.

Install the Duo Mobile app from the Apple App Store or Google Play Store

After installing Duo Mobile on your device, return to the enrollment window on your computer and click I have Duo Mobile.

Activate Duo Mobile QR code

A QR code will appear on the computer screen. From your phone or tablet, Launch the newly installed Duo Mobile app.

Apple

Android

 

iOS Duo Mobile welcome screen

Android Duo Mobile welcome screen

Activating Duo Mobile links the app to your Duo account so you can use it for authentication. From the Duo Mobile app, select Continue on iPhones, or Set up account on Android devices.

iOS Add your account screen

Android Add your account screen

Select Use a QR code. Duo Mobile will need permission to access your device's camera to scan the QR code. You can revoke this permission after setup if you choose.

iOS Scan QR code screen

Android Scan QR code screen

Point the iPhone or Android camera at the QR code displayed on the computer screen until the next screen appears.

Can't scan the QR code?

iOS Name account screen

Android Name account screen

Optionally include a name for the account you are adding to the Duo Mobile app, like "UND".

Users are strongly encouraged to take a minute to practice approving and denying Duo authentication requests. Tap Practice now to go through some training screens.
iPhones respond to Duo Mobile even faster by enabling notifications. You'll see new Duo Push requests when they arrive at your device, and you can approve or deny them without opening the app by long-pressing the notification. Tap Allow notifications to permit notifications from Duo Mobile in iOS settings.

Computer screen with QR code

You'll see your newly-added Duo account in the accounts list. Now you're able to respond to Duo Push authentication requests. The app will also generate single-use passcodes regardless of internet connectivity.

From the device with the QR code, select the Continue button to complete Duo Mobile activation. Now with enrollment and activation complete, you should go back to the main login screen of the system/site you were originally trying to access so you can use your device to authenticate.

How to Authenticate with Duo 2FA

Getting unexpected Duo authentication requests?

Duo authentication prompt

Yubikey USB security key devices

When logging in to any system that is protected by Duo , you are prompted to choose a method to verify your identity.

Send Me a Push - Pushes a login request notification to your phone or tablet (if you have Duo Mobile installed and activated on your iOS or Android device) . Just review the request and tap Approve to log in.

Call Me - Authenticate via phone callback.

Enter a Passcode - Generated with Duo Mobile, or sent via SMS. Select Text me new codes to get 10 new single-use passcodes texted to your phone. More on texted passcodes.

Yubikey USB Security Key - Click into the passcode entry field and tap your Yubikey to generate and submit a passcode.

Add, Configure, and Remove Devices

Add a New Device

NDUS Portal Log In screen

Visit portal.ndus.edu , enter your user.name credentials.

Duo prompt, select settings

At the Duo prompt, select Settings in the upper-right.

Duo prompt settings slide-out

Select Add a new device.

Duo prompt authenticate to add a new device

Choose an authentication method and verify your login attempt.

Follow the same steps used during initial device enrollment.

Configure Settings & Devices

NDUS Portal Log In screen

Visit portal.ndus.edu , enter your user.name credentials.

Duo prompt, select settings

At the Duo prompt, select Settings in the upper-right.

Duo prompt settings slide-out

Select My Settings and Devices.

Duo prompt authenticate for My Settings & Devices

Choose an authentication method and verify your login attempt.

Duo My Settings & Devices screen

From the settings screen you can:

  • Set a default device to use at Duo prompts

  • Set Duo to automatically send your device a push or phone call when the prompt appears

  • Add or delete devices

Duo My Settings & Devices Device Options

Select the gear icon next to each device to re/activate Duo Mobile, change the name, or delete a device.

Tips & Best Practices

Download Spare Passcodes

Duo Mobile Passcode Generator screen

From Duo Mobile, tap an account to get a one-time passcode for login. This works anywhere, even in places where you don't have an internet connection or can't get cell service. The passcode shown is valid until used. Tap Refresh Passcode to generate a new Duo passcode.

Duo prompt passcode field and text me new codes button

You can also select Text me new codes from a Duo prompt when you select the passcode method, which will text you a list of 10 single-use passcodes. Only the most recent batch of codes are valid. Using Text me new codes more than once will invalidate all but the most recent batch you receive.

Use Push & Remember Me

Duo Mobile Send Push & Remember Me Checkbox screen

The next time you're prompted by Duo, select "Send Me a Push." You will receive a notification on your device with the Duo app installed.  All you need to do is to tap on that notification, approve it and you’re in. The Duo app must be installed for Push to work.

On systems that require you to log in for every instance, you can have Duo remember you for up 10 hours.  To activate this, click the check box in front of "Remember me for 10 hours" next time you're prompted by Duo.

Enroll Multiple Devices

Duo Prompt Settings slide-out

You can enroll multiple devices on your Duo account. We recommend that you add at least one secondary device such as the phone number of a trusted friend and/or family member.

 

International Travel Precautions

Duo hardware token key-fob

YubiKey USB devics

Download spare passcodes , which can be printed and saved for future use or emergencies.

Purchase a hardware token or security key and enroll it before your trip, which allows you to authenticate without the need of your phone.

How do I get a Security Key (Yubikey)?

Third-Party Accounts

Duo Mobile third-party accounts screen

Some online services and web applications, like Instagram, Facebook, and Snapchat, let you protect your account with a mobile-generated passcode. Use Duo Mobile to generate these passcodes, and keep all your accounts in one app.

Visit this link to learn how to add third-party accounts to Duo Mobile.

Common Issues

I'm getting an error saying my account is locked

If you fail to authenticate for any reason 10 times in a row, you will see "Your account has been locked out due to excessive authentication failures. Please contact your administrator."

Please contact UND Tech Support to unlock your account.

I have stopped receiving push notifications on Duo Mobile

  1. Try turning the phone to airplane mode and back to normal operating mode again if there is a reliable internet connection available. Similarly, the issue may be resolved by turning off the WiFi connection on your device and using the cellular data connection.

  2. Check the time and date on your phone and make sure they are correct. If the date and time on your phone are manually set, try changing your device's configuration to sync date and time automatically with the network.

  3. Restart the device.

If the push method does not work, try the call me, passcode, or security key option to avoid being locked out. If none of the methods work, contact UND Tech Support

Duo Prompt does not display as expected

iOS and macOS devices have configurable content restrictions that can potentially prevent the Duo Prompt from displaying correctly. Users might see a gray or white screen, or get the message, "You cannot browse this page at " duo.com " because it is restricted". Or "This site can't be reached".

iOS 12 or Higher
macOS 10.5 or Higher

My phone does not ring when Duo calls me

Check your blocked calls list for this number: +1.701.239.6697

Windows Duo screen shows "500 Internal Server Error"

Many times, this error occurs due to the use of McAffee Antivirus or McAffee WebAdvisor. Disabling or removing the McAffee software should allow the Duo window to pop up again.

I recently had a name change and now cannot log in

Because a username change creates a new login, you will have to re-enroll in Duo. Please contact UND Tech Support

Duo prompt displays the message "Access denied. Duo Security does not provide services in your current location"

In order to comply with U.S. regulations, Duo blocks authentications from users whose IP address originates in a country or region subject to economic and trade sanctions enforced by the U.S. Office of Foreign Assets Control .

Users attempting to authenticate to a Duo-protected application from an access device with an IP address originating in an OFAC-regulated country or region will be blocked from completing their login and receive an error message.

Web-based applications will display the following error message: “Access denied. Duo Security does not provide services in your current location.” Other applications may display a generic failed login message.

OFAC restrictions relevant to Duo currently apply to the following countries or regions:

  • Cuba (CU)

  • North Korea (KP)

  • Iran (IR)

  • Sudan (SD)

  • Syria (SY)

  • Crimea region (43)

  • Donetsk region (14)

  • Luhansk region (09)

  • Sevastopol region (40)

If you have questions about OFAC restrictions or requesting an exception, please work directly with the Office of Foreign Assets Control .

Duo 2FA Common Questions

What is Duo?

Duo is a security solution that gives you a second layer of protection by confirming that you’re really who you say you are before you can access your accounts. With Duo’s two-factor authentication, even if someone knows your password, unless they also have your mobile phone, tablet, or USB security key - Duo prevents them from accessing your account.

What is 2FA (Two-Factor Authentication)?

2FA, or Two-factor authentication, is an additional layer of authentication beyond a username and password. 2FA involves something you know (password) plus something you have with you (like Duo Mobile on your smartphone) to prevent someone from logging in with only your password. With Duo 2FA, you still enter your username and password. The second factor provided by Duo is simply an added layer of security on top of your existing credentials. We recommend using Duo Push via the Duo Mobile app to perform 2FA.

How does 2FA work?

By adding one more simple step when logging into an account, Two-factor authentication greatly increases the security of your account. Here’s how it works. Just like logging into your account, the first step is giving your password or passphrase. The second step is to provide an extra way of proving that you’re you, like entering a PIN code or texting/emailing a code to your mobile device, or accessing an authenticator app.

For NDUS accounts, 2FA can include:

  • An additional code either emailed to an account or texted to a mobile number

  • A biometric identifier like facial recognition or a fingerprint

  • A yes or no button or unique number generated by the Duo Mobile app

  • A secure token, which is a separate piece of hardware (like a key fob that holds information) that verifies a person’s identity with a database or system

Is 2FA the same as MFA?

Multi-Factor Authentication (MFA) is the practice of adding multiple (two or more) identity verification dimensions at login. MFA differs from its two-dimensional counterpart, 2FA, which only involves adding a single verification method.

MFA expands upon the 2FA concept by adding additional identity verification steps and therefore layers of security. The more additional factors you use to verify identity, the safer you, your device, and your data are!

Why does the North Dakota University System use Duo 2FA?

Passwords are increasingly easy to compromise. They can often be stolen, guessed, or hacked — you might not even know someone is accessing your account. 81% of hacking incidents used stolen or weak passwords.

Two-factor authentication adds a second layer of security, keeping your account secure even if your password is compromised. With Duo Push, you'll be alerted right away (on your phone) if someone is trying to log in as you.

This second factor of authentication is separate and independent from your username and password — Duo never sees your password.

What is a Duo Prompt?

An interactive prompt that lets you choose how to verify your identity each time you log in (e.g. “Duo Push” or “Call Me”) to a web-based application. The Duo Prompt allows you to enroll and authenticate.

What is a Push Notification (Duo Push):

A push notification is an authentication request that is sent to the Duo Mobile App on an enrolled device. Push notifications include information like the geographical location of the access device, IP address of the access device, and the application being accessed so you can verify whether the push is real or fraudulent.

What is a Passcode?

These are numeric codes that can be generated either via the Duo Mobile app, SMS (text message), or a hardware token. Passcodes may be used at any time and are particularly handy for authenticating when your 2FA device doesn't have internet or cellular service.

Do I need a smartphone or data plan to use two-factor authentication?

No. Having a smartphone makes for an easier and more secure experience with Duo Push. However, it is also possible to enroll a non-smartphone mobile device or landline to receive SMS passcodes or phone calls.

What devices are supported?

  • iPhone/iPad: The current version of Duo Mobile supports iOS 14.0 and greater

  • Apple Watch: Requires Duo Mobile 3.8 or later

  • Android: The current version of Duo Mobile supports Android 10 and greater

  • Any cell phone or landline using the Call Me feature

Can Duo see my password?

No. Your password is only verified by NDUS and never sent to Duo. Duo provides only the second factor, using your enrolled device to verify it’s actually you who is logging in.

Why does Duo need access to my smartphone’s camera?

Duo only needs your camera during enrollment to scan an on-screen QR code to verify that your device is really yours.

What happens if I lose my phone, get a new one, or a change my number?

If you've lost your phone, and fear someone might use it to gain access to one of your accounts, contact UND Tech Support immediately to change your password and update your authentication device.

If you have a backup passcode, or another device registered with your Duo account, you can add, remove, or reactivate devices from any Duo prompt screen. More information.

If you don't have a backup passcode or other device enrolled with Duo, UIT will need to manually update the info and enroll/reactivate duo for you. To protect your account and ensure others can't add their own device to your Duo account, you will need to call UIT and verify your ID before we can manually update your information. Call 701.777.2222 24/7 to update your Duo info.

Can I opt-out of using Duo on my UND account?

No. Duo is required for all North Dakota University System accounts across the state.

Which UND systems are protected by Duo?

  • Campus Connection (Campus Solutions)

  • Microsoft 365, including email, Office 365 apps, Teams, OneDrive

  • GlobalProtect VPN

  • HRMS Employee Self-Service

What other types of accounts offer Two-factor authentication?

Most online services now offer the option to enable 2FA. Any service online that is storing your personal information (especially financial information), or any account that can be compromised and used to trick or defraud someone else should be protected with 2FA. Simply put, use 2FA everywhere!

What happens if I get an unexpected Duo prompt?

Receiving unexpected Duo push notifications or calls may indicate someone else is trying to gain access to your account. If you are not actively trying to log in to a system that requires Duo authentication, DO NOT APPROVE the request, choose DENY, and mark it as fraud.

Marking an authentication request as fraud will send a notification to UIT Cybersecurity, and lock your Duo account for 20 minutes. If you suspect someone is trying to gain access to your account, change your NDUS password immediately by calling 701.777.2222, or wait 20 minutes for your Duo account to unlock, then visit helpdesk.ndus.edu and select Change my password.

Details

Article ID: 65366
Created
Wed 10/17/18 12:22 PM
Modified
Tue 10/31/23 10:49 AM

Related Articles (2)

Get a Security Key (Yubikey)
Users can purchase an all-in-one security key through the Yubico website. In order to work with Duo Multi-Factor Authentication (MFA), keys will need to be set up by a Duo admin and assigned to a user.
New to UND! Student Account & Technical Resources
A complete guide to getting all your accounts and tech ready for your first semester at UND.

Related Services / Offerings (1)

Multi-Factor Authentication (DUO MFA)
Get help with Multi-Factor Authentication (MFA), importing or configuring a YubiKey token or setting up the Duo app on your smartphone.