Frequently Asked Questions about Duo 2FA
Click to expand each topic.
Duo App (Push) on a Smartphone or Tablet
Why should I use my smartphone? We find that most people carry their smartphones everywhere, so they are a convenient way to verify your identity if you log into SCU application from multiple locations. They are less likely to be forgotten or misplaced than a small hardware token. In addition, it's the fastest 2FA method. And you can still authenticate to Duo with a smartphone even when you're out of service or in airplane mode. This can be beneficial if you're traveling and won't have access to your landline and don't want to bring a hardware token.
Do I have to use a smartphone as the second factor? No. You can use a hardware token as well. However, we recommend that you set up multiple authentication options, just in case you lose or forget your primary device.
What happens if I don't have my smartphone? We recommend that everyone enrolls at least two authentication methods such as smartphone app, office phone, or hardware token. However, if you don’t have another option available and need to log in, you can contact the help desk for a bypass code.
What if I'm traveling or in a location without service? If you've enrolled your smartphone, you can still use the Duo app to authenticate even if you don't have service. To use this feature, click the Use a Passcode option instead of the push option when prompted by the Duo verification screen after logging into your account. Then, on your device, open the Duo app and tap on the Santa Clara University entry to generate a single use code you can type into the browser prompt.
What does the Duo app cost me? There is no cost to use Duo for employees. You can download the Duo app and use it for free, even for your personal accounts. We strongly recommend everyone enable 2FA on personal email, banking, financial, and other online accounts to reduce the risk of identify theft, financial fraud, and other problems associated with stolen passwords.
How will my data plan be impacted? Duo Push authentication requests require a minimal amount of mobile data – less than 2 KB per authentication. 500 pushes to your device will use 1 MB of data in total, which is roughly equivalent to loading one webpage on your smartphone.
Will I be compensated for data use if I enroll my personal smartphone? No. We recommend using a smartphone push because it is easy and convenient, but it is not required.
I have a new phone. What do I do? Please see the "I Have A New Phone" Quickstart Guide
Does the Duo app on my smartphone track me or have control of my phone? No. Duo Mobile has no access to change settings on your phone. Duo Mobile cannot read your emails, it cannot see your browser history, and it requires your permission to send you notifications. Lastly, Duo Mobile cannot remotely wipe your phone. The visibility Duo Mobile requires is to verify the security of your device, such as OS version, device encryption status, screen lock, etc. Duo uses this to help recommend security improvements to your device and you always are in control of whether or not you take action on these recommendations.
What can SCU Information Services see about my mobile phone? When you enroll a phone in Duo, regardless if it's a landline, a smartphone, or other mobile phone, we can see the phone number. Additionally, we can see the custom name, if any, that you've assigned the device within the Duo "My Settings & Devices" portal, accessed via the Manage Duo 2FA tile on MySCU. For smartphones we can also see the device type, such as iOS or Android. We cannot see what other apps you've installed or any data on the device.
What if I get a Duo Push that I did not generate? This may be a sign of someone attempting unauthorized access to your account, and your password is likely compromised. Deny the push notification, and then confirm that it’s a fraudulent attempt. You should change your SCU password if this occurs.
Can I see how it works before I enroll my smartphone? You bet!
Hardware Tokens and Duo (Chrome or Firefox ONLY)
What is a hardware token? Usually it's a small USB device you plug into your computer. The ones we typically see are a similar size to a USB drive, but flat. There are also micro versions that barely stick out of a USB port. The most common tokens found at SCU are USB tokens that look like this. When prompted by Duo to authenticate, you plug it in and tap on the round key area.
Some Macintosh users with USB-C/Thunderbolt 3 ports on their laptops may use tokens that look like this:
What hardware tokens can I use? Any UTF or FIDO-compatible hardware token will work with Duo. Common ones are manufactured by Feitian and YubiKey.
What browsers do they work with? Currently, you can only use a hardware token with Chrome or Firefox. If you use Safari or Internet Explorer to access SCU applications, you will not be able to authenticate to Duo with a hardware token; instead, you'll have to use another device such as a smartphone or landline. We expect Safari to add support for tokens in the next release of MacOS.
How can I get a hardware token? If you are an SCU faculty or staff employee, and you do not have a smartphone or do not wish to use it for 2FA, Information Services will provide you with a hardware token. Pick one up in the Information Services office (2nd floor Learning Commons) between 8am-4:30pm, M-F. You can also call 408-554-4581 to request one.
Why use a hardware token instead of my smartphone? We recommend using a smartphone because of the convenience and ease of use. However, a hardware token is a better choice if you do not have a mobile phone or do not want to enroll it. However, if you do decide to use a hardware token, we strongly recommend you enroll backup devices, such as your office and home phones, so you can continue to verify Duo prompts even if you've forgotten your token.
Can I see how a hardware token works? Here you go!
Text Messages and Mobile Phones
Why should I use my mobile phone? We find that most people carry their phones everywhere, so they are a convenient way to verify your identity if you log into SCU application from multiple locations. They are less likely to be forgotten or misplaced than a small hardware token. And you can still authenticate to Duo with a mobile phone even when you're out of service. This can be beneficial if you're traveling and won't have access to your landline and don't want to bring a hardware token.
Do I have to use my personal phone as the second factor? No. You can use a hardware token instead. However, we recommend that you set up multiple authentication options, just in case you lose or forget your primary device.
How does Duo work with text messaging? If you are familiar with SMS based 2FA for your personal accounts, Duo is a little different. When texting codes to your device, it will send 10 non-expiring codes at a time. When you get a Duo prompt, you can enter a code from a batch you already recieved, or you can request a new batch.
What if I'm traveling or in a location without service? If you've enrolled your mobile phone to get codes via SMS message, you'll get 10 codes per text message. The codes will be valid until you use them or request new codes. Just keep the text message for the next time you need a code.
What happens if I don't have my phone with me? We recommend that everyone enrolls at least two authentication methods such as mobile phone and hardware token. However, if you don’t have another option available and need to log in, you can contact the help desk for a bypass code.
What does the Duo cost me? If you have unlimited text messages, nothing. Otherwise, normal text rates will apply to you.
Will I be compensated for text message use if I enroll my personal phone? No. We recommend using a mobile phone because it is easy and convenient, but it is not required.
I have a new phone. What do I do? If you are keeping the same phone number on your device and use it for text messaging, you do not need to do anything; your new phone will work.
What can SCU Information Services see about my mobile phone? When you enroll a phone in Duo, regardless if it's a landline, a smartphone, or other mobile phone, we can see the phone number. Additionally, we can see the custom name, if any, that you've assigned the device within the Duo tile.
Duo and Voice Calls
What is the callback method? Duo will call your phone, such as your office or home phone. Once you answer, you will be prompted to press a key on the phone in order to authenticate.
Why would I use the callback method? We recommend everyone set up at least two authenticators. If you set up your smartphone to use Duo push, your office phone is a great backup option in the event your smartphone is unavailable.
What are the drawbacks to the callback method? Santa Clara incurs fees with each callback authentication, so we ask that this is limited to a backup method and not used as the default 2FA method. In the future, if the cost of providing this method is too high, we may discontinue the use of voice callbacks with Duo.
Can I see how the callback feature works? Here you go:
What Option Should I Choose?
Confused on what authentication options are best for you? As you review your options, This matrix will help you determine the best option for your situation. We recommend you have at least two options configured!
|Duo Security app on a smartphone||
• Use with any browser
• Use in any location
• Can use even when traveling/out of service with passcode option
|Duo Security app on a tablet||
• Use with any browser
• Use in any location
• Can use even when traveling/out of service with passcode option
• Less likely to always have the tablet with you than a mobile phone
|Text message on a mobile phone||
• Use with any broswer
• Use in any location
• Can use when traveling or out of service by requesting 10 codes in advance and using them as you need them
• Text message rates apply to employee or student
• Incurs a higher cost to Santa Clara University
• Text message notification sound might be disruptive in some environments
|UTF Hardware token (USB based)||
• Use in any location
• Can use even when traveling
• Very quiet/non-disruptive
• Tied to a specific browser (Either Chrome or Firefox for now; Safari support will be available in the future )
• Small device is easier to forget than a mobile phone
• Requires accessible USB port each time you need to authenticate past a Duo prompt
|Voice Call||• Use with any browser||
• Incurs the highest cost to Santa Clara University
• If landline, tied to a specific location
• Can't use method when traveling (landline) or not in service (mobile phone)
• Ring volume might be disruptive in some environments
|TouchID on Apple Computer||
• Can use in any location, even when traveling, if you plan on bringing your Apple laptop with you
• Very quiet/non-disruptive
• Tied to a specific device that supports TouchID (newer Macbook Pro or Macbook Air)
• Tied to a specific browser (Currently Chrome; Safari support available in the future)
Is There a "Remember This Device" Option?
In July 2020, we released the Remember This Device option. When presented with the Duo authentication prompt, you have the option to "Remember This Device for 12 Hours". Once enabled, this will allow you to check a box on the Duo prompt screen to remember that device and browser for 12 hours, as shown in this screenshot:
If you check the box and successfully authenticate to Duo, you will not receive Duo prompts for additional SCU applications for 12 hours, except in certain circumstances described below. For example, if at 8am you get prompted to authenticate to Duo to access Gmail, and you check the box to Remember me for 12 hours, you will be able to open Workday that afternoon on the same computer and browser and not get a Duo prompt.
So what are these certain circumstances you referred to above?
The VPN will always prompt you to authenticate with Duo.
It is device and browser specific, not account specific. This means if you access Workday on your tablet and use the Remember This Device feature, if you then use your computer to access Workday later the same day, you will be prompted with Duo again. Similarly, if you use Firefox on your computer to access Workday in the morning, you will be prompted by Duo again if you switch to Chrome later in the day.
If you have configured Duo to automatically send you a Push or call your phone (without you having to click on the button for that action), or if you use a Security Key, the Remember me for 12 hours checkbox will be grayed out. If you desire, you can cancel the Duo Push or Security Key prompt, check the box, and send yourself a new push or Security Key prompt by clicking on the corresponding button. (To turn off automatic pushes or calls, use the instructions under “Manage Your Registered 2-Factor Devices” at https://www.scu.edu/
technology/get-connected/duo/to navigate to Device Options and then the Default Device settings.) 2fa-quickstart-guide/
If you have configured your browser to deny 3rd party cookies or to prevent cross-site tracking, the Remember This Device feature will not work. Please see this page for instructions on how to add an exception for Duo cookies to your browser: https://help.duo.com/s/
Using Duo When Traveling
Using Duo When Your Smartphone Doesn't Have Service
If you've enrolled your smartphone, you can still use the Duo app to authenticate even if you don't have service. This assumes you are bringing your smartphone with you.
To use this feature, click the Enter a Passcode option instead of the push option when prompted by the Duo verification screen after logging into the protected resource.
Then, on your device, open the Duo app and tap on the Santa Clara University entry to generate a single use code you can type into the browser prompt.
Back at the Duo prompt on your computer, enter this code and click Log In:
You can test this option in advance of your travels any time. If you don't want to bring your smartphone with you, consider the mobile phone text option below. You can generate texts in advance and print them out or copy them down to bring with you.
Getting Advance Codes Via SMS Before You Travel
If you've enrolled an SMS-capable mobile phone, you can generate 10 codes in advance and use them as you need them. If you won't have service while you are traveling, you need to request codes before you leave while you still have service. If you don't plan on taking your phone with you for reference, you'll need to copy the codes down to take with you. You can only request 10 codes in advance; every new batch of 10 codes will invalidate the previous batch.
Tip: Smartphone users can also use this method!
To use this feature, click the Enter a Passcode option when prompted by the Duo verification screen after logging into the protected resource.
From there you can request new codes (Look for the blue bar at the bottom of the prompt):
You will recieve a text containing 10 codes. Each code will start with a new number in succession, starting with 1. For example, your ten codes could be 1123456, 2123456, 3123456, etc. ending with 0123456. The codes you recieve will be random, but each code will start with a different digit. Once you recieve them, Duo tells you which one to use. In the screen above, codes have previously been sent, so Duo prompts for an existing code that starts with 2. In this scenario, open the text message, find the code Duo is requesting, enter it in the field, and click Log In. If you have previoulsy recieved SMS codes but choose Text me new codes, any codes you've previously recieved expire.
We've noticed a small bug where sometimes when you request new codes, Duo doesn't tell you which one to use right away. Enter the first code in the new text you received. If it's the wrong code, the Duo prompt will refresh and then tell you which one to use.
Remember, if you won't have service during your travels, request codes in advance!
Other Options When Traveling
If you don't have a mobile phone or don't want to enroll one, you can enroll a UTF-capable hardware token, sometimes called a YubiKey. Bring your hardware token with you to authenticate when traveling. Employees can request one free hardware token by calling x4581.
Or, If you're already in a location without your enrolled devices, you can contact the Technology Help Desk at (408) 554-5700 for a single use bypass code.
When Do I Have To Use Duo?
Duo is required for all SCU employees as of January 31, 2020. The timeline for deploying Duo to SCU faculty and staff is below and may be adjusted. After January 2020, additional applications will be secured with Duo 2FA, but that schedule is pending.
|Fall 2018||Peoplesoft Financials||Duo Required for all Financials users|
|Fall 2018||Concur||Duo Required for all Concur users|
|July 2019||Google apps (Email, Calendar, Drive)||Duo Required for existing Duo users; optional for other employees|
|Sept 2019||Workday||Duo Required for existing Duo users; optional for other employees|
|Nov 2019||VPN||Duo Required for all VPN users|
|Jan 2020||Google apps, Workday||Duo Required for all employees|
|Jan 2020||eAccounts/Mobile Credential||Duo Required for students and employees using mobile credentials|
Duo is available for all SCU students now, which will protect G Suite apps. Information about additional applications is pending.
Can I Opt Out? What Happens If I Don't Sign Up For Duo?
Duo 2FA is required for all employees as of January 31, 2020. New employees hired after this date cannot access SCU Email, Workday, or other Duo-protected apps until they enroll in Duo.
I'm A Student. How Do I Get Duo 2FA?
Students can enroll in Duo 2FA now, which will protect Google Apps, eAccounts for mobile credential users (if enrolled in the mobile credential program), and the VPN (if enrolled in a class or employed on a project that requires VPN use). Other applications such as Camino will be protected by Duo at a future date, still to be determined. To enroll in Duo, use the MySCU portal to access the "Manage Duo 2FA" tile. Instructions are on our Quickstart Gude.
How Does The Duo Mobile App Use My Personal Information?
For up-to-date information on the Duo Mobile App's permissions and use of your data, please refer to Duo Security's Mobile Privacy Information page.
Ready to get started? Find instructions in our Quickstart Guide and then go to Enroll Now.