Skip to main content

Technology at SCU

Duo Help Guide

Need a Bypass Code?

Need a Duo Bypass Code? You can use the Bypass Code Generator to get an emergency bypass code. Note: you must have previously set up an alternative (non-SCU) contact information to use the Bypass Code Generator.


Getting Started with Duo:

We’ve made it easy to set yourself up in Duo, by providing a Tile in the MySCU portal.

 

Step 1. Log into the MySCU Portal and click on the Manage Duo 2FA tile:

Step 2. If you have not yet registered for Multifactor Authentication, you will be prompted to do so with the following screen. (If you hare already set up, see the section Managing your Registered 2-Factor Devices below)

Step 3. Install the Duo Security app on your device. Mobile phones are the recommended device, but tablets and Apple Watches are also supported. Links are provided for the App Store (for iOS) and Google Play (for Android).

Note: There may be several apps in the app store with names similar to Duo. Make sure the one you install is from Duo Security with this Duo icon:

Step 4. After installing on your mobile device, return to the Setup Multifactor Authentication screen and click "Step 2: Set yourself up in Duo" to register yourself with Duo. This link is uniquely generated for you and has a time limit. If you click and it has expired, no problem - just go back to the MySCU Portal and click on the Setup Multifactor Authentication tile again to generate a new one.

The next screen you see is generated out of Duo Security, and will walk you through the process of linking your mobile device and Duo Security together. 

 

Step 5. When asked what device to set up, the best option is to go with the recommended option of a Mobile Phone.

 

Mobile phones are the most versatile device. They can be used with most of the different types of challenges Duo can use to confirm your identity, such as Duo Push (via the Duo Mobile app), passcodes, and callbacks. When selecting a Mobile phone, Duo will send you a text or call the phone to confirm it is yours during the setup process.

Duo will display a barcode on the screen that you scan using the Duo Mobile app on your phone, which will connect the app and your account. For this reason, you should use a computer to set up Duo, to allow you to scan the computer screen with your smartphone app.

 

Step 6. Please register a second device so you can still access systems if your primary device is unavailable (such as your mobile phone being out of battery). You will need to return to MySCU and click the Manage Duo 2FA Tile. See the section Managing your Registered 2-Factor Devices below for more information.

When you try to access a secure SCU digital service, you will first be prompted to enter your SCU Username and password into MySCU as normal. Before you can proceed further, a Duo Challenge Screen will appear.

You can choose to be challenged by any of the devices you have previously configured. If you have more than one device configured, select the one you want to use in the top dropdown bar before selecting an authentication method.

 

For just about every situation, the best challenge choice is a Duo Push. Select “Send Me a Push”, and the Duo Security app on your phone will open and ask if you should allow this logon.

Tap APPROVE on your phone, and the login will proceed automatically.

If you ever receive this screen unexpectedly, click DENY. Unless you click APPROVE, whoever is trying to log in as you will not be able to. This may indicate a security issue, and you should change your SCU password as soon as possible!

Duo Push Notification transaction 

 

If your selected device has been configured with a phone number, you can elect to receive a call. You will confirm the logon via the phone’s keypad in response to the voice prompt.

This option is not recommended as your primary challenge due to the cost it will incur SCU, but it is useful as a backup mechanism to, say, call a landline in case your mobile phone is out of charge.

 

There are several types of passcodes that can be entered to gain access. They are listed below.

 

 

  • The Technology Help Desk may issue you a Bypass Code. This is a single-use code that will get you authenticated to Duo in an emergency, such as if you have lost your phone. You will need to prove your identity to the Help Desk in the same way as requesting a forgotten password change. Call the Technology Help Desk on 408 554 5700.

  • From inside the Duo Mobile app, you can generate a single-use passcode by tapping on the Key icon. This code is useful for times when your phone might not have an Internet connection.

  • You can have 10 single-use passcodes sent to you over SMS. The codes must be used in the order sent - Duo will give you a hint by providing the first digit of the code it expects you to use next. You can have 10 new codes sent to you from the Challenge Screen when you select the Passcode option.

You can add, modify or delete your devices in Duo via a Tile in the MySCU portal.

We recommend having multiple devices enrolled. This will let you still get in even if you have left your mobile phone at home, or it runs out of battery. For most people, setting your office phone as a Landline is a good option as a backup, but avoid using a Landline as your primary method as SCU incurs a financial cost for each phone call.

 

Step 1: Log into the MySCU Portal and click on the tile Manage Duo 2FA.

 

 

Step 2: If you are already registered for 2-Factor Authentication, you will be challenged to prove who you are using a device you've already enrolled - and then presented with the My Settings and Devices screen. This is where you can change your device settings, delete old devices, and add new ones. (If you are not yet registered, you will see the initial setup screen; see the section on Preparing for 2-Factor Authentication above for a screenshot.)

This My Settings & Devices screen (above) provides you the opportunity to configure various options.

The blue Device Options buttons next to each device will allow you to rename, modify or delete devices you have previously configured (Not all device types can be renamed). A key use of this button is to re-link the Duo Mobile app after upgrading your smartphone, for example.

You can also set a Default Device and configure a default action under When I Log In. For example, you could make your smartphone the default device and have it Automatically send you a Push when you log in instead of waiting for you to choose an option. 

You can add additional devices by clicking +Add another device.

When adding a device, there are pre-set categories you can choose. These are:

  • Mobile phone
    Mobile phones are the most versatile device. They are able to be used with Duo Push (via the Duo Mobile app), passcodes, and callbacks. Duo will send you a text or call the phone to confirm it is yours during the setup process. Duo will then display a barcode on the screen that you can scan using the Duo Mobile app to connect the app and your account.
    Pro Tip: If you have a new phone but are keeping the same phone number, you only need to link to the new device's Duo Mobile app. Select the phone's Device Options and tap on Reactivate Duo Mobile, instead of adding the new phone as a completely new device.
  • Tablet
    A Tablet can be selected. It will not be able to receive calls or SMS passcodes, but will be able to use the Duo Mobile app to generate passcodes or use Push notifications. Duo will display a barcode on the screen that you can scan using the Duo Mobile app.
    Pro Tip: if you want to use your phone but only want to use the Duo Mobile app while keeping your phone number private, just set it up as a Tablet. This is fully supported. You will be able to recieve Duo Push notifications and generate one-time passcodes inside the Duo app when your device is in airplane mode or not connected to WiFi.
  • Security Key
    A Security Key is a hardware token that can be inserted into a USB port. You tap on it to authenticate when prompted by Duo.
  • Landline
    An option that will only be able to authenticate by receiving a confirmation phone call.
    You will receive a call during setup to confirm it is your device. Because of the cost it will incur SCU every time you log in, this option should not be your only or your primary 2FA device. However, a landline is suitable for a backup authentication method in case you cannot access your mobile phone.
  • TouchID (Chrome or Firefox only)
    If you have an Apple device that supports TouchID, you can enroll this into Duo. This allows you to use Apple's fingerprint biometric feature to authenticate past the Duo prompt.

 

You can give each of your devices a short, memorable name when configuring it by clicking the Device Options button and renaming it (some device types cannot be renamed).

The most convenient and easy way to authenticate is by tapping the query that pops up in the Duo Security mobile application. However, the app is currently only available for Apple and Android smartphones. If you have a different phone - such as a Blackberry or a feature phone - you will not be able to take advantage of the Duo Mobile app.

There are several options available for people in this situation - use Security Keys, SMS passcodes, or receive a voice call confirmation. Receiving a phone call is not recommended (except as a backup-of-last resort) as the cost to the University is significant. 

Security Keys

Security Keys are USB dongles you plug into your computer and tap on in order to authenticate. They can come in different styles and USB types, such as USB-A for most computers and USB-C for newer Mac laptops. Depending on the size and style, you could leave it plugged into your computer at all times, or can have it on your keychain. To enroll one, choose "Security Key" under the Add a New Device option, then continue:

 

A pop up window will appear. Plug in your hardware token and tap it to enroll it.

You may get additional screens prompting you to allow the new security key.

SMS passcodes

This is an option if you have a flip phone and not a smartphone. If you are familiar with SMS based 2FA, Duo is slightly different. Rather than sending a single code per text each time you need to authenticate, Duo sends 10 codes at a time, then prompts you on which code to enter (Or you can generate new codes).

To set this us, enroll your device as a Mobile Phone, and when asked what type of phone it is, choose "Other".

 

Later, when you are logging in to a digital service and are challenged to authenticate,  you can use an existing code you previously generated or request a new batch of SMS codes. Start from the Duo Challenge screen that appears on your computer when you are trying to access a protected digital service, that looks like the screen below. Click on the button that says "Enter a Passcode".

 

If you have passcodes, you can enter one to gain access now. Duo will tell you which one it expects next by giving the first digit (e.g., "Your next SMS passcode starts with 1"). Each SMS passcode can only be used once. Enter the passcode in the box and click "Log in" to complete authentication. 

To receive 10 new passcodes, first click on "Enter a passcode" from the Challenge screen. Note the blue banner that appears at the bottom of the screen. Click on the box in the banner that says "Text me new codes". Your phone will be sent 10 SMS codes (each 7 digits long), to be used in order the next 10 times you are challenged by Duo.

If you know you will be traveling to an area you will incur data roaming charges, you can request a batch of codes in advance. You can only generate 10 valid codes at a time; when you generate a new batch of 10 codes, any unused codes from the previous batch will expire.

 

 

 

 

Receive a Phone Call

If you have no mobile phone at all, or it cannot receive SMS, then register your device as a mobile (as above), or a landline. From the Duo Challenge screen that appears on your computer when you are trying to access a protected digital service, click the button Duo will call you on your registered phone number, and seek confirmation to allow you to log in.

This option is significantly more expensive than using Duo Mobile (free) or using SMS codes (20 times less than Call Me). Because of the cost incurred to the university, using Call Me should only be considered as an option of last resort. 

 

In July 2020, we released the Remember This Device option. When presented with the Duo authentication prompt, you have the option to "Remember This Device for 12 Hours". Once enabled, this will allow you to check a box on the Duo prompt screen to remember that device and browser for 12 hours, as shown in this screenshot: 

Screenshot of Remember This Device option

If you check the box and successfully authenticate to Duo, you will not receive Duo prompts for additional SCU applications for 12 hours, except in certain circumstances described below. For example, if at 8am you get prompted to authenticate to Duo to access Gmail, and you check the box to Remember me for 12 hours, you will be able to open Workday that afternoon on the same computer and browser and not get a Duo prompt.

So what are these certain circumstances you referred to above?

  1. The VPN will always prompt you to authenticate with Duo.

  1. It is device and browser specific, not account specific. This means if you access Workday on your tablet and use the Remember This Device feature, if you then use your computer to access Workday later the same day, you will be prompted with Duo again. Similarly, if you use Firefox on your computer to access Workday in the morning, you will be prompted by Duo again if you switch to Chrome later in the day.

  1. If you have configured Duo to automatically send you a Push or call your phone (without you having to click on the button for that action), or if you use a Security Key, the Remember me for 12 hours checkbox will be grayed out. If you desire, you can cancel the Duo Push or Security Key prompt, check the box, and send yourself a new push or Security Key prompt by clicking on the corresponding button. (To turn off automatic pushes or calls, use the instructions under “Manage Your Registered 2-Factor Devices” at https://www.scu.edu/technology/get-connected/duo/2fa-quickstart-guide/ to navigate to Device Options and then the Default Device settings.)

  1. If you have configured your browser to deny 3rd party cookies or to prevent cross-site tracking, the Remember This Device feature will not work. Please see this page for instructions on how to add an exception for Duo cookies to your browser: https://help.duo.com/s/article/2189?language=en_US 

 

 

 

Enrolling and Replacing Devices:

Use the Duo Mobile app on a smartphone or feature phone! Smartphone users can use Duo Push, which is the fastest and most secure method of authenticating past the Duo prompt. And if you're in a location without connectivity, you can open the Duo app to generate a one-time passcode. Non-smart mobile phones can get text messages (SMS) with 10 passcodes at a time to use when you need them.

Note: Smartphone users need to use a computer to enroll their smartphone. 

To enroll, log into the MySCU SSO portal and click on the Manage Duo 2FA tile:

Once in My Settings & Devices, click on "add another device":

Select the Mobile Phone option and continue:

Enter and confirm your phone number, then click continue:

Confirm what type of mobile phone you have. To use the Duo Mobile App, you need an iOS or Android phone. Feature or flip phone users should choose "other".

If you selected "Other" above, your set up is complete. You'll be returned to the My Settings and Devices Screen.

If you selected "iPhone" or "Android" above, will be prompted to confirm you have the Duo Mobile App installed. The Duo App requires permission to access your smartphone camera to complete the setup. No additional use of your camera is required.

You need to link the Duo mobile app on your smartphone to your Duo account. A new screen will open on your computer showing you a barcode. 

On your smartphone, open the Duo app. In the top right corner, click the + symbol. The camera opens. Move your smartphone so it has the barcode in your computer browser in view. Duo will automatically link your smartphone to your account. When successful, you'll get a big check mark and a continue button:

You'll be returned to the My Settings & Devices window. If desired, you can configure options for your new device, such as changing the device name or registering it as the default device and sending you a push automatically.

 

 

Need a Security Key? Employees can contact Information Services at 408-554-4581 to request one.

Note: This option works with Chrome or Firefox browsers only.

To Enroll a WebAuthn-compatible hardware token (called a "Security Key" in Duo): 

Log in through the SSO Portal (login.scu.edu) and click on the Manage Duo 2FA tile (Note: if you are already signed up in Duo, you will need to authenticate past the Duo prompt with an existing device, such as your phone).

Once in My Settings & Devices, click on "add another device":

Select the "Security Key" option, click continue, and then continue again through the next screen:

When prompted, insert the token into your computer. It will start flashing. If your token has a circle with a key symbol, tap there. If your token is low profile with a silver side, tap on the silver side. Note for Macintosh users: If a "keyboard is not recognized" window pops up when you plug in your token, you must close that window by clicking on the top right red button before proceeding. You may need to unplug the token and plug it back in. If the token does not flash, you may need to re-plug it in, or try another USB port. If the token flashes but then stops before you can complete the enrollment, start over.

Depending on your browser settings, you may also get additional screens asking you to confirm and/or allow the new security key.

From now on, if the Security Key is plugged into your computer and you get a Duo prompt, the Key will start flashing. With your finger, tap on the flashing round key symbol (or on the silver side if you have a low-profile, USB-C style Security Key) to authenticate past the Duo prompt. 

To enroll your Apple TouchID device in Duo (Chrome browser only):

Log in through the SSO Portal (login.scu.edu) and click on the Manage Duo 2FA tile (Note: if you are already signed up in Duo, you will need to authenticate past the Duo prompt with an existing device, such as your phone).

Once in My Settings & Devices, click on "add another device":

Select the TouchID option and click continue, then continue again past the Enroll with TouchID screen:

Use TouchID on your device to verify:

 

When prompted, Allow Duo to use TouchID:

When finished, you'll return to the My Settings & Devices screen. Here you can rename the devices you've added. For example, if you have more than one TouchID enabled device, you can rename them by clicking on the blue Device Options button next to the device in the list. Then click on the Change Device Name button and change the name as desired. Click Save when you're finished.

 

 

New Phone and Duo App (Push or Passcodes): If you replaced an old phone that had the Duo mobile app installed, download the Duo Mobile app to the new phone. Ignore any offers from the app to restore old settings or recover backups - SCU does not use these functions.

On a computer, log into the MySCU Portal and click on the Manage Duo 2FA tile to access the My Settings & Devices screen. 

If you cannot log in because you do not have access to any Duo-registered device, request a one-time bypass code. Note that you need to provide an alternate, non-SCU email address at least 24 hours before you can use this page to generate a one-time bypass code for you. 

Once in My Settings & Devices, select the Device Options button next to the device you need to modify.

 

 

Next, click on Reactivate Duo Mobile.

 

Duo will display a barcode on the screen that you scan using the Duo Mobile app on your phone, which will connect the app and your account. Tap on the New Account symbol  (the key symbol with a + next to it) in the app to start the camera scanner, and in a few seconds your new device and Duo will be linked.

 

New Non-Smartphone, Voice Calls, and SMS: If you used the old phone just to recieve Duo voice calls or text messages and you are keeping the same number, you don't have to do anything; Duo will still work.

If you are no longer recieving Duo Push nofications on your smartphone, scroll up to the "Replacing a Phone" section and follow those instructions.

If your USB-based Security Key or your Apple TouchID sensor no longer works with Duo, we recommend you try deleting the device and re-adding it.

First, on a computer, log into the MySCU Portal and click on the Manage Duo 2FA tile to access the My Settings & Devices screen. (If you cannot log in because you do not have access to any Duo-registered device, contact the Technology Help Desk for a Bypass Passcode to enable you to log in one time.)

In the My Settings & Devices window, find the device that's not working and click on the Device Options button beside it.

Then click on the trash can icon to remove the device.

screenshot of Duo device configuration 

Finally, re-add your device using the instructions found above on this page.

 

 

 

Using Duo When Traveling

In the event that you've lost or left your phone or hardware token at home, you may have no way of authenticating to Duo. You can get a single use, temporary bypass code from either the Technology Help Desk or by using the Bypass Code Generator on our Security Tools page. To use the Bypass Code Generator, you must have an alternate email address on file in eCampus (students) or Workday (faculty and staff).

Once you have your code, click on the "Enter a Passcode" option in the Duo prompt, type in the code you recieved, and click Log In:

If you've enrolled your smartphone, you can still use the Duo app to authenticate even if you don't have service. This assumes you are bringing your smartphone with you. 

To use this feature, click the Enter a Passcode option instead of the push option when prompted by the Duo verification screen after logging into the protected resource.

Then, on your device, open the Duo app and tap on the Santa Clara University entry to generate a single use code you can type into the browser prompt. 

 Duo Mobile App passcode

Back at the Duo prompt on your computer, enter this code and click Log In:

You can test this option in advance of your travels any time. If you don't want to bring your smartphone with you, consider the mobile phone text option below. You can generate texts in advance and print them out or copy them down to bring with you.

If you've enrolled an SMS-capable mobile phone, you can generate 10 codes in advance and use them as you need them. If you won't have service while you are traveling, you need to request codes before you leave while you still have service. If you don't plan on taking your phone with you for reference, you'll need to copy the codes down to take with you. You can only request 10 codes in advance; every new batch of 10 codes will invalidate the previous batch.

Tip: Smartphone users can also use this method!

To use this feature, click the Enter a Passcode option when prompted by the Duo verification screen after logging into the protected resource.

From there you can request new codes (Look for the blue bar at the bottom of the prompt):

 

You will recieve a text containing 10 codes. Each code will start with a new number in succession, starting with 1. For example, your ten codes could be 1123456, 2123456, 3123456, etc. ending with 0123456. The codes you recieve will be random, but each code will start with a different digit. Once you recieve them, Duo tells you which one to use. In the screen above, codes have previously been sent, so Duo prompts for an existing code that starts with 2. In this scenario, open the text message, find the code Duo is requesting, enter it in the field, and click Log In. If you have previoulsy recieved SMS codes but choose Text me new codes, any codes you've previously recieved expire.

We've noticed a small bug where sometimes when you request new codes, Duo doesn't tell you which one to use right away. Enter the first code in the new text you received. If it's the wrong code, the Duo prompt will refresh and then tell you which one to use.

Remember, if you won't have service during your travels, request codes in advance!

 

If you don't have a mobile phone or don't want to enroll one, you can enroll a WebAuthn-capable Security Key, sometimes called a YubiKey. Bring your Security Key with you to authenticate when traveling. Employees can request one free Security Key by contacting the Technology Help Desk at (408) 554-5700.

If you're already in a location without your enrolled devices, you can contact the Technology Help Desk at  for a single use bypass code, or generate one yourself using the Bypass Code Generator on the Security Tools page.