Skip to main content

Two-Factor Authentication

Duo two-factor authentication (2FA) is required for remote access from outside the CU trusted network.

Although it may seem like an inconvenience, two-factor authentication is a solution used to protect you from scammers accessing your information and to protect you from scammers impersonating you.

As more and more people become victim to advanced targeted phishing email campaigns and unknowingly give their password to scammers through an external website that looks like ours, as well as more and more external database exploits happen where people are using same or similar passwords, we have seen an ever-increasing amount of compromised accounts. With 2FA enforced, a scammer is unable to access protected resources and information by only knowing your password.

Duo 2FA Enrollment Info

Simply go to the Duo Management Portal at https://duo.commonwealthu.edu/ to enroll your device or manage your devices. You may also be prompted to enroll inline when you start using your new account.

If you have a smartphone, we highly recommend you enroll through the web browser on the device (i.e. Chrome, Safari, Firefox). This helps ensure you choose the correct app from the app store and streamlines activating your account on the device. When you need a second factor in order to log on remotely, using the "Duo Push" authentication method for the "Duo Mobile" app (by "Duo Security") on a smartphone is the most secure and user-friendly method.

If you do not have a smartphone, you may enroll a basic cell phone from a computer web browser.
If you do not ever access your CU account from outside the CU trusted network, then enrolling is not required.
If you do not have a mobile device, you may sign-out a small Duo hardware token for your keyring from the technology helpdesk at your campus, which will allow you to obtain passcodes.

How Duo 2FA changes your logon experience

2FA combines something you know (your password) with something you have (like your mobile phone).

When you log in to a Duo-protected application from outside the CU trusted network, you will still enter your password. Then you will be required to verify your identity, such as through a push notification on your smartphone or a text message passcode on a basic cell phone.

If your password becomes compromised and a scammer attempts to access your account remotely with your password through a Duo-protected application, they will not be able to successfully log in. If you did not trigger a Duo push notification by logging in to a Duo-protected app from outside the CU network, be sure NOT to approve the logon attempt. This will keep the scammer out of your account and alert Network Services that your password is compromised, at which time you should change your password immediately.

Video explanations of 2FA and Duo Push
Duo 2FA when traveling abroad

If you travel outside the country without the mobile device(s) you've enrolled into Duo, you need to sign-out a Duo hardware token from your campus technology helpdesk prior to departure. This duo hardware token fits on your keychain and allows you to obtain a passcode when you need one.

Information about other possible options using a device instead of the Duo hardware token:

  • If you take your U.S. mobile device that you've enrolled and activated, you will be able to do a Duo Push when you have it connected via Wi-Fi or foreign mobile data service.
  • If you take your U.S. mobile device that you've enrolled and activated, while you do not have Wi-Fi or foreign mobile data service, you can still open the "Duo Mobile" app to obtain a valid passcode (even though it's not connected to the Internet).
  • If you take your U.S. mobile device and will have foreign mobile service and can still receive text messages at your existing number, you will be able to obtain a text message passcode (although in this case, a Duo Push should be preferred via activated Duo Mobile app).
  • If you will instead have a separate foreign mobile device and already know what your foreign cell phone number will be, you can enroll it as an additional device/number in the Duo Device Management Portal before you leave while you still have access to your U.S. mobile device to pass 2FA.
Duo 2FA options in detail

You are able to enroll smartphones, basic cell phones, and tablets. If you have none of these, you will be able to obtain a small duo hardware token for your keyring from your campus technology helpdesk.

The second factor available depends on your enrolled devices. You can do Duo Push (Internet-connected smartphone or tablet), text message passcode (basic cell phone), or passcode (Duo hardware token or Duo Mobile app on an offline/online smartphone or tablet).

When you are logging on to a standard web resource, you are able to choose your authentication method such as "Send Me a Push" or "Enter a Passcode". In order to get a text message passcode, click "Enter a Passcode", and then click "Text me new codes". More recently, an upgrade to the duo prompt will choose the default method for you, but will give you the opportunity to change to another option.

When you are accessing a non-standard resource, such as the Remote Access Service (VPN) through WebVPN or Cisco AnyConnect client, it works a little differently. There is a second password field that we labeled "Duo Passcode (Optional)". If you leave the field blank, it will attempt an automatic authentication method based on your enrolled devices, so check your primary device for either a Duo Push notification (if your Duo Mobile app is activated) or a voice call (if your Duo Mobile app is not activated or you only have a basic cell phone enrolled) to approve the logon. To override the automatic method, you are able to enter the words "push" (duo push), "phone" (voice call), or "sms" (text message) in the second password field to tell Duo how you would like to authenticate. Alternatively, you may obtain a passcode from the Duo Mobile app, Duo hardware token, or from the "sms" option and enter the passcode directly into the second password field ("Duo Passcode") when logging on. If you have multiple devices enrolled, you may specify a different enrolled device by including the number of the device, i.e. for your second device, you would use "push2", "phone2", or "sms2".

When accessing a standard web-based resource with typical browser settings, you should be able to choose a "Remember me for 30 days" option during logon to prevent future second-factor challenges in that browser during the time period. An upgrade to the duo prompt will ask if you are on a shared computer or not to help determine if it should remember you. If you go in to your "My settings & devices" option to configure a default action, this will prevent you from being able to check the "Remember me" box every 30 days, so setting a default option does not necessarily give you the most convenient experience.

Troubleshooting

If you do not have the convenient Duo Push option or it stopped working, it is because you do not currently have the Duo Mobile app activated. You should [Re]activate Duo Mobile if you did not fully complete the enrollment process, you wiped your mobile device, you fully uninstalled the Duo Mobile app, or you replaced your smartphone and have the same phone number. Log in to the Duo Management Portal (which in this case would require you to request a text message passcode to pass 2FA) and look for the "[Re]activate Duo Mobile" button to activate the app. If you don’t have the option, be sure your phone number is configured correctly as either Apple or Android and look for the link to the app store and download and install the "Duo Mobile" app.  If the phone number and platform is correct and you have Duo Mobile installed, choosing "[Re]activate Duo Mobile" should give you the steps to enable the Duo Push option for future authentications.