Frequently Asked Questions about Duo 2FA
Click to expand each topic.
Why should I use my smartphone? We find that most people carry their smartphones everywhere, so they are a convenient way to verify your identity if you log into SCU application from multiple locations. They are less likely to be forgotten or misplaced than a small hardware token. In addition, it's the fastest 2FA method. And you can still authenticate to Duo with a smartphone even when you're out of service or in airplane mode. This can be beneficial if you're traveling and won't have access to your landline and don't want to bring a hardware token.
Do I have to use a smartphone as the second factor? No. You can use a hardware token as well. However, we recommend that you set up multiple authentication options, just in case you lose or forget your primary device.
What happens if I don't have my smartphone? We recommend that everyone enrolls at least two authentication methods such as smartphone app, office phone, or Security Key. However, if you don’t have another option available and need to log in, you can contact the help desk for a bypass code.
What if I'm traveling or in a location without service? If you've enrolled your smartphone, you can still use the Duo app to authenticate even if you don't have service. To use this feature, click the Use a Passcode option instead of the push option when prompted by the Duo verification screen after logging into your account. Then, on your device, open the Duo app and tap on the Santa Clara University entry to generate a single use code you can type into the browser prompt.
What does the Duo app cost me? There is no cost to use Duo for employees. You can download the Duo app and use it for free, even for your personal accounts. We strongly recommend everyone enable 2FA on personal email, banking, financial, and other online accounts to reduce the risk of identify theft, financial fraud, and other problems associated with stolen passwords.
How will my data plan be impacted? Duo Push authentication requests require a minimal amount of mobile data – less than 2 KB per authentication. 500 pushes to your device will use 1 MB of data in total, which is roughly equivalent to loading one webpage on your smartphone.
Will I be compensated for data use if I enroll my personal smartphone? No. We recommend using a smartphone push because it is easy and convenient, but it is not required.
I have a new phone. What do I do? Please see the "Replacing a Phone" Help Guide.
Does the Duo app on my smartphone track me or have control of my phone? No. Duo Mobile has no access to change settings on your phone. Duo Mobile cannot read your emails, it cannot see your browser history, and it requires your permission to send you notifications. Lastly, Duo Mobile cannot remotely wipe your phone. The visibility Duo Mobile requires is to verify the security of your device, such as OS version, device encryption status, screen lock, etc. Duo uses this to help recommend security improvements to your device and you always are in control of whether or not you take action on these recommendations.
What can SCU Information Services see about my mobile phone? When you enroll a phone in Duo, regardless if it's a landline, a smartphone, or other mobile phone, we can see the phone number. Additionally, we can see the custom name, if any, that you've assigned the device within the Duo "My Settings & Devices" portal, accessed via the Manage Duo 2FA tile on MySCU. For smartphones we can also see the device type, such as iOS or Android. We cannot see what other apps you've installed or any data on the device.
What if I get a Duo Push that I did not generate? This may be a sign of someone attempting unauthorized access to your account, and your password is likely compromised. Deny the push notification, and then confirm that it’s a fraudulent attempt. You should change your SCU password if this occurs.
Can I see how it works before I enroll my smartphone? You bet!
What is a Security Key? Usually it's a small USB device you plug into your computer. The ones we typically see are a similar size to a USB drive, but flat. There are also micro versions that barely stick out of a USB port. The most common tokens found at SCU are USB tokens that look like this. When prompted by Duo to authenticate, you plug it in and tap on the round key area.
Some Macintosh users with USB-C/Thunderbolt 3 ports on their laptops may use tokens that look like this:
What hardware tokens can I use? Any U2F or FIDO-compatible Security Key will work with Duo. Common ones are manufactured by Feitian and YubiKey.
What browsers do they work with? We recommend using a Security Key with Chrome or Firefox. Some versions of Safari also work.
How can I get a Security Key? If you are an SCU faculty or staff employee, and you do not have a smartphone or do not wish to use it for 2FA, Information Services will provide you with a free Security Key. Pick one up at the Technology Help Desk.
Why use a Security Key instead of my smartphone? We recommend using a smartphone because of the convenience and ease of use. However, a Security Key is a better choice if you do not have a mobile phone or do not want to enroll it. However, if you do decide to use a Security Key, we strongly recommend you enroll backup devices, such as your office and home phones, so you can continue to verify Duo prompts even if you've forgotten your token.
Can I see how a Security Key works? Here you go!
Why should I use my mobile phone? We find that most people carry their phones everywhere, so they are a convenient way to verify your identity if you log into SCU application from multiple locations. They are less likely to be forgotten or misplaced than a small hardware token. And you can still authenticate to Duo with a mobile phone even when you're out of service. This can be beneficial if you're traveling and won't have access to your landline and don't want to bring a hardware token.
Do I have to use my personal mobile phone as the second factor? No. You can use a Security Key, TouchID, or your office phone instead. However, we recommend that you set up multiple authentication options, just in case you lose or forget your primary device, or, if using a landline, in a different location.
How does Duo work with text messaging? If you are familiar with SMS based 2FA for your personal accounts, Duo is a little different. When texting codes to your device, it will send 10 non-expiring codes at a time. When you get a Duo prompt, you can enter a code from a batch you already recieved, or you can request a new batch.
What if I'm traveling or in a location without service? If you've enrolled your mobile phone to get codes via SMS message, you'll get 10 codes per text message. The codes will be valid until you use them or request new codes. Just keep the text message for the next time you need a code.
What happens if I don't have my phone with me? We recommend that everyone enrolls at least two authentication methods such as mobile phone and Security Key. However, if you don’t have another option available and need to log in, you can contact the help desk for a bypass code.
What does the Duo cost me? If you have unlimited text messages, nothing. Otherwise, normal text rates will apply to you.
Will I be compensated for text message use if I enroll my personal phone? No. We recommend using a mobile phone because it is easy and convenient, but it is not required.
I have a new phone. What do I do? If you are keeping the same phone number on your device and use it for text messaging, you do not need to do anything; your new phone will work.
What can SCU Information Services see about my mobile phone? When you enroll a phone in Duo, regardless if it's a landline, a smartphone, or other mobile phone, we can see the phone number. Additionally, we can see the custom name, if any, that you've assigned the device within the Duo tile, as well as the phone type and version (iOS and Android).
What is the callback method? Duo will call your phone, such as your office or home phone. Once you answer, you will be prompted to press a key on the phone in order to authenticate.
Why would I use the callback method? We recommend everyone set up at least two authenticators. If you set up your smartphone to use Duo push, your office phone is a great backup option in the event your smartphone is unavailable.
What are the drawbacks to the callback method? Santa Clara incurs fees with each callback authentication, so we ask that this is limited to a backup method and not used as the default 2FA method. In the future, if the cost of providing this method is too high, we may discontinue the use of voice callbacks with Duo.
Can I see how the callback feature works? Here you go:
Confused on what authentication options are best for you? As you review your options, This matrix will help you determine the best option for your situation. We recommend you have at least two options configured!
|Duo Security app on a smartphone||
• Use with any browser
• Use in any location
• Can use even when traveling or out of service with the mobile app's passcode option
|Duo Security app on a tablet||
• Use with any browser
• Use in any location
• Can use even when traveling/out of service with the mobile app's passcode option
• Less likely to always have the tablet with you than a mobile phone
|Text message on a mobile phone||
• Use with any broswer
• Use in any location
• Can use when traveling or out of service by requesting 10 codes in advance and using them as you need them
• Text message rates apply to employee or student
• Incurs a higher cost to Santa Clara University
• Text message notification sound might be disruptive in some environments
|UTF Security Key (USB based)||
• Use in any location
• Can use even when traveling
• Very quiet/non-disruptive
• Tied to a specific browser (Either Chrome or Firefox for now; Safari support will be available in the future )
• Small device is easier to forget than a mobile phone
• Requires accessible USB port each time you need to authenticate past a Duo prompt
|Voice Call||• Use with any browser||
• Incurs the highest cost to Santa Clara University
• If landline, tied to a specific location
• Can't use method when traveling (landline) or not in service (mobile phone)
• Ring volume might be disruptive in some environments
|TouchID on Apple Computer||
• Can use in any location, even when traveling, if you plan on bringing your Apple laptop with you
• Very quiet/non-disruptive
• Tied to a specific device that supports TouchID (newer Macbook Pro or Macbook Air)
• Tied to a specific browser (Currently Chrome; Safari support available in the future)
Duo is required for all SCU employees as of January 31, 2020. New employees are automatically enrolled at hire.
Duo is available for all SCU students now, and will be required for all students beginning November 9, 2021.
Duo 2FA is required for all employees as of January 31, 2020. New employees hired after this date cannot access SCU Email, Workday, or other Duo-protected apps until they enroll in Duo.
Students can enroll in Duo 2FA now, which will protect Google Apps, Microsoft 365, eAccounts for mobile credential users (if enrolled in the mobile credential program), and the VPN (if enrolled in a class or employed on a project that requires VPN use). Other applications such as Camino may be protected by Duo at a future date, still to be determined.
To enroll in Duo, use the MySCU portal to access the "Manage Duo 2FA" tile. Instructions are on our Enrollment Guide:
For up-to-date information on the Duo Mobile App's permissions and use of your data, please refer to Duo Security's Mobile Privacy Information page.
Ready to get started? Find instructions in our Quickstart Guide and then go to Enroll Now.