Skip to main content

Technology at SCU

2FA Quickstart Guide

Overview of Duo installation and setup

Step-By-Step Guides:

We’ve made it easy to set yourself up in Duo, by providing a Tile in the MySCU portal.

 

Step 1. Log into the MySCU Portal and click on the Manage Duo 2FA tile:

Step 2. If you have not yet registered for Multifactor Authentication, you will be prompted to do so with the following screen. (If you hare already set up, see the section Managing your Registered 2-Factor Devices below)

Step 3. Install the Duo Security app on your device. Mobile phones are the recommended device, but tablets and Apple Watches are also supported. Links are provided for the App Store (for iOS) and Google Play (for Android).

Note: There may be several apps in the app store with names similar to Duo. Make sure the one you install is from Duo Security with this Duo icon:

Step 4. After installing on your mobile device, return to the Setup Multifactor Authentication screen and click "Step 2: Set yourself up in Duo" to register yourself with Duo. This link is uniquely generated for you and has a time limit. If you click and it has expired, no problem - just go back to the MySCU Portal and click on the Setup Multifactor Authentication tile again to generate a new one.

The next screen you see is generated out of Duo Security, and will walk you through the process of linking your mobile device and Duo Security together. 

 

Step 5. When asked what device to set up, the best option is to go with the recommended option of a Mobile Phone.

 

Mobile phones are the most versatile device. They can be used with most of the different types of challenges Duo can use to confirm your identity, such as Duo Push (via the Duo Mobile app), passcodes, and callbacks. When selecting a Mobile phone, Duo will send you a text or call the phone to confirm it is yours during the setup process.

Duo will display a barcode on the screen that you scan using the Duo Mobile app on your phone, which will connect the app and your account. For this reason, you should use a computer to set up Duo, to allow you to scan the computer screen with your smartphone app.

 

Step 6. Please register a second device so you can still access systems if your primary device is unavailable (such as your mobile phone being out of battery). You will need to return to MySCU and click the Manage Duo 2FA Tile. See the section Managing your Registered 2-Factor Devices below for more information.

When you try to access a secure SCU digital service, you will first be prompted to enter your SCU Username and password into MySCU as normal. Before you can proceed further, a Duo Challenge Screen will appear.

You can choose to be challenged by any of the devices you have previously configured. If you have more than one device configured, select the one you want to use in the top dropdown bar before selecting an authentication method.

 

For just about every situation, the best challenge choice is a Duo Push. Select “Send Me a Push”, and the Duo Security app on your phone will open and ask if you should allow this logon.

Tap APPROVE on your phone, and the login will proceed automatically.

If you ever receive this screen unexpectedly, click DENY. Unless you click APPROVE, whoever is trying to log in as you will not be able to. This may indicate a security issue, and you should change your SCU Username's password as soon as possible!

 

 

If your selected device has been configured with a phone number, you can elect to receive a call. You will confirm the logon via the phone’s keypad in response to the voice prompt.

This option is not recommended as your primary challenge due to the cost it will incur SCU, but it is useful as a backup mechanism to, say, call a landline in case your mobile phone is out of charge.

 

There are several types of passcodes that can be entered to gain access. They are listed below.

 

 

  • The Technology Help Desk may issue you a Bypass Code. This is a single-use code that will get you authenticated to Duo in an emergency, such as if you have lost your phone. You will need to prove your identity to the Help Desk in the same way as requesting a forgotten password change. Call the Technology Help Desk on 408 554 5700.

  • From inside the Duo Mobile app, you can generate a single-use passcode by tapping on the Key icon. This code is useful for times when your phone might not have an Internet connection.

  • You can have 10 single-use passcodes sent to you over SMS. The codes must be used in the order sent - Duo will give you a hint by providing the first digit of the code it expects you to use next. You can have 10 new codes sent to you from the Challenge Screen when you select the Passcode option.

You can add, modify or delete your devices in Duo via a Tile in the MySCU portal.

We recommend having multiple devices enrolled. This will let you still get in even if you have left your mobile phone at home, or it runs out of battery. For most people, setting your office phone as a Landline is a good option as a backup, but avoid using a Landline as your primary method as SCU incurs a financial cost for each phone call.

 

Step 1: Log into the MySCU Portal and click on the tile Manage Duo 2FA.

 

 

Step 2: If you are already registered for 2-Factor Authentication, you will be challenged to prove who you are using a device you've already enrolled - and then presented with the My Settings and Devices screen. This is where you can change your device settings, delete old devices, and add new ones. (If you are not yet registered, you will see the initial setup screen; see the section on Preparing for 2-Factor Authentication above for a screenshot.)

This My Settings & Devices screen (above) provides you the opportunity to configure various options.

The blue Device Options buttons next to each device will allow you to rename, modify or delete devices you have previously configured (Not all device types can be renamed). A key use of this button is to re-link the Duo Mobile app after upgrading your smartphone, for example.

You can also set a Default Device and configure a default action under When I Log In. For example, you could make your smartphone the default device and have it Automatically send you a Push when you log in instead of waiting for you to choose an option. 

You can add additional devices by clicking +Add another device.

When adding a device, there are pre-set categories you can choose. These are:

  • Mobile phone
    Mobile phones are the most versatile device. They are able to be used with Duo Push (via the Duo Mobile app), passcodes, and callbacks. Duo will send you a text or call the phone to confirm it is yours during the setup process. Duo will then display a barcode on the screen that you can scan using the Duo Mobile app to connect the app and your account.
    Pro Tip: If you have a new phone but are keeping the same phone number, you only need to link to the new device's Duo Mobile app. Select the phone's Device Options and tap on Reactivate Duo Mobile, instead of adding the new phone as a completely new device.
  • Tablet
    A Tablet can be selected. It will not be able to receive calls or SMS passcodes, but will be able to use the Duo Mobile app to generate passcodes or use Push notifications. Duo will display a barcode on the screen that you can scan using the Duo Mobile app.
    Pro Tip: if you want to use your phone but only want to use the Duo Mobile app while keeping your phone number private, just set it up as a Tablet. This is fully supported. You will be able to recieve Duo Push notifications and generate one-time passcodes inside the Duo app when your device is in airplane mode or not connected to WiFi.
  • Security Key (Chrome or Firefox only)
    A U2F (Universal Two Factor) Token is a hardware token that can be inserted into a USB port. You tap on it to authenticate when prompted by Duo.
  • Landline
    An option that will only be able to authenticate by receiving a confirmation phone call.
    You will receive a call during setup to confirm it is your device. Because of the cost it will incur SCU every time you log in, this option should not be your only or your primary 2FA device. However, a landline is suitable for a backup authentication method in case you cannot access your mobile phone.
  • TouchID (Chrome or Firefox only)
    If you have an Apple device that supports TouchID, you can enroll this into Duo. This allows you to use Apple's fingerprint biometric feature to authenticate past the Duo prompt.

 

You can give each of your devices a short, memorable name when configuring it by clicking the Device Options button and renaming it (some device types cannot be renamed).

Need a token? Employees can contact Information Services at 408-554-4581 to request one.

Note: This option works with Chrome or Firefox browsers only.

To Enroll a new UTF-compatible hardware token (called a "Security Key" in Duo): 

Log in through the SSO Portal (login.scu.edu) and click on the Manage Duo 2FA tile (Note: if you are already signed up in Duo, you will need to authenticate past the Duo prompt with an existing device, such as your phone).

Once in My Settings & Devices, click on "add another device":

Select the "Security Key" option, click continue, and then continue again through the next screen:

When prompted, insert the token into your computer. It will start flashing. If your token has a circle with a key symbol, tap there. If your token is low profile with a silver side, tap on the silver side. Note for Macintosh users: If a "keyboard is not recognized" window pops up when you plug in your token, you must close that window by clicking on the top right red button before proceeding. You may need to unplug the token and plug it back in. If the token does not flash, you may need to re-plug it in, or try another USB port. If the token flashes but then stops before you can complete the enrollment, start over.

Depending on your browser settings, you may also get additional screens asking you to confirm and/or allow the new security key.

From now on, if the Security Key is plugged into your computer and you get a Duo prompt, the Key will start flashing. With your finger, tap on the flashing round key symbol (or on the silver side if you have a low-profile, USB-C style Security Key) to authenticate past the Duo prompt. 

To enroll your Apple TouchID device in Duo (Chrome browser only):

Log in through the SSO Portal (login.scu.edu) and click on the Manage Duo 2FA tile (Note: if you are already signed up in Duo, you will need to authenticate past the Duo prompt with an existing device, such as your phone).

Once in My Settings & Devices, click on "add another device":

Select the TouchID option and click continue, then continue again past the Enroll with TouchID screen:

Use TouchID on your device to verify:

 

When prompted, Allow Duo to use TouchID:

When finished, you'll return to the My Settings & Devices screen. Here you can rename the devices you've added. For example, if you have more than one TouchID enabled device, you can rename them by clicking on the blue Device Options button next to the device in the list. Then click on the Change Device Name button and change the name as desired. Click Save when you're finished.

 

 

Use the Duo Mobile app on a smartphone or feature phone! Smartphone users can use Duo Push, which is the fastest and most secure method of authenticating past the Duo prompt. And if you're in a location without connectivity, you can open the Duo app to generate a one-time passcode. Non-smart mobile phones can get text messages (SMS) with 10 passcodes at a time to use when you need them.

Note: Smartphone users need to use a computer to enroll their smartphone. 

To enroll, log into the MySCU SSO portal and click on the Manage Duo 2FA tile:

Once in My Settings & Devices, click on "add another device":

Select the Mobile Phone option and continue:

Enter and confirm your phone number, then click continue:

Confirm what type of mobile phone you have. To use the Duo Mobile App, you need an iOS, Android, or Windows phone. Feature or flip phone users should choose "other".

If you selected "Other" above, your set up is complete. You'll be returned to the My Settings and Devices Screen.

If you selected "iPhone", "Android", or "Windows Phone" above, will be prompted to confirm you have the Duo Mobile App installed. The Duo App requires permission to access your smartphone camera to complete the setup. No additional use of your camera is required.

You need to link the Duo mobile app on your smartphone to your Duo account. A new screen will open on your computer showing you a barcode. 

On your smartphone, open the Duo app. In the top right corner, click the + symbol. The camera opens. Move your smartphone so it has the barcode in your computer browser in view. Duo will automatically link your smartphone to your account. When successful, you'll get a big check mark and a continue button:

You'll be returned to the My Settings & Devices window. If desired, you can configure options for your new device, such as changing the device name or registering it as the default device and sending you a push automatically.

 

 

New Phone and Voice Calls & SMS: If you used the old phone to recieve Duo voice calls or text messages and you are keeping the same number, you don't have to do anything; Duo will still work.

New Phone and Duo App (Push or Passcodes): If you replaced an old phone that had the Duo mobile app installed, download the Duo Mobile app to the new phone. Ignore any offers from the app to restore old settings or recover backups - SCU does not use these functions. On a computer, log into the MySCU Portal and click on the Manage Duo 2FA tile to access the My Settings & Devices screen. (If you cannot log in because you do not have access to any Duo-registered device, contact the Technology Help Desk for a Bypass Passcode to enable you to log in one time.)

Once in My Settings & Devices, select the Device Options button next to the device you need to modify.

 

 

Next, click on Reactivate Duo Mobile.

 

Duo will display a barcode on the screen that you scan using the Duo Mobile app on your phone, which will connect the app and your account. Tap on the New Account symbol  (the key symbol with a + next to it) in the app to start the camera scanner, and in a few seconds your new device and Duo will be linked.

 

The most convenient and easy way to authenticate is by tapping the query that pops up in the Duo Security mobile application. However, the app is currently only available for Apple devices (iPhone, iPad, Apple Watch),  Android devices (phone, tablet), and Windows phones.

If you have a different phone - such as a Blackberry or a feature phone - you will not be able to take advantage of the Duo Mobile app.

There are several options available for people in this situation - use UTF hardware tokens, SMS passcodes, or receive a voice call confirmation. Receiving a phone call is not recommended (except as a backup-of-last resort) as the cost to the University is significant. 

UTF Hardware tokens

Hardware tokens are USB dongles you plug into your computer and tap on in order to authenticate. They can come in different styles and USB types, such as USB-A for most computers and USB-C for newer Mac laptops. Depending on the size and style, you could leave it plugged into your computer at all times, or can have it on your keychain. To enroll a token, choose "Security Key" under the Add a New Device option, then continue:

 

A pop up window will appear. Plug in your hardware token and tap it to enroll it.

You may get additional screens prompting you to allow the new security key.

SMS passcodes

This is an option if you have a flip phone and not a smartphone. If you are familiar with SMS based 2FA, Duo is slightly different. Rather than sending a single code per text each time you need to authenticate, Duo sends 10 codes at a time, then prompts you on which code to enter (Or you can generate new codes).

To set this us, enroll your device as a Mobile Phone, and when asked what type of phone it is, choose "Other".

 

Later, when you are logging in to a digital service and are challenged to authenticate,  you can use an existing code you previously generated or request a new batch of SMS codes. Start from the Duo Challenge screen that appears on your computer when you are trying to access a protected digital service, that looks like the screen below. Click on the button that says "Enter a Passcode".

 

If you have passcodes, you can enter one to gain access now. Duo will tell you which one it expects next by giving the first digit (e.g., "Your next SMS passcode starts with 1"). Each SMS passcode can only be used once. Enter the passcode in the box and click "Log in" to complete authentication. 

To receive 10 new passcodes, first click on "Enter a passcode" from the Challenge screen. Note the blue banner that appears at the bottom of the screen. Click on the box in the banner that says "Text me new codes". Your phone will be sent 10 SMS codes (each 7 digits long), to be used in order the next 10 times you are challenged by Duo.

If you know you will be traveling to an area you will incur data roaming charges, you can request a batch of codes in advance. You can only generate 10 valid codes at a time; when you generate a new batch of 10 codes, any unused codes from the previous batch will expire.

 

 

 

 

Receive a Phone Call

If you have no mobile phone at all, or it cannot receive SMS, then register your device as a mobile (as above), or a landline. From the Duo Challenge screen that appears on your computer when you are trying to access a protected digital service, click the button Duo will call you on your registered phone number, and seek confirmation to allow you to log in.

This option is significantly more expensive than using Duo Mobile (free) or using SMS codes (20 times less than Call Me). Because of the cost incurred to the university, using Call Me should only be considered as an option of last resort.