Jump to: Getting started | Using Duo | Troubleshooting

Note: this FAQ is for Duo 2FA. If you are an employee using RSA SecurID for 2FA, please visit this FAQ page.

Starting December 28, 2016, all current University of Utah employees (including student employees) are required to use two-factor authentication (2FA) for certain IT systems and services.

Getting started

Duo two-factor authentication enhances the security of your user credentials (e.g. uNID and CIS password) by using a secondary device to verify your identity when you access University applications. This service provides enhanced security and protects you in the event that someone manages to obtain your login credentials. Visit this Knowledge Base article for an overview on Duo 2FA.

According to the FBI and U.S. Department of Homeland Security, healthcare and higher education institutions are increasingly becoming a target for cyber criminals. Two-factor authentication decreases the chances of a security attack because the hacker cannot access data with your login credentials alone. Duo 2FA is used by multiple large universities and corporations to provide additional assurance that data is only accessed by authorized users. Visit this page for more information.

Duo's mobile app (the preferred method of authentication) works on smartphones, including Windows mobile devices, and tablets (e.g. iPad and Android tablets). You may also purchase a hardware token for $23 through the University Campus Store, as inventory permits. The hardware token will generate a series of unique letters or numbers, which you will enter into the passcode field on your device. Read more about Duo tokens

Users are advised to enroll at least two devices to avoid being locked out.

Users who would like to make their landline phone a secondary Duo token may open a help ticket and the request will be reviewed. The U’s policy is that landlines cannot be used as the primary 2FA authentication method. This policy is in place due to the cost incurred by the U each time a landline is used to authenticate. To activate the ability to use a landline as a secondary method, users must contact the UIT Help Desk 801-581-4000 option 1 or helpdesk@utah.edu. There is no self-service way for users to add a landline.

Exceptions to this policy: In rare circumstances, an exception may be granted by U administration. Users who feel they must use a landline as their primary method may submit an exception request by contacting the UIT Help Desk 801-581-4000 option 1 or helpdesk@utah.edu. The request must include a justification for the exception.

Exception requests will be reviewed by U administration. The review process may take several days, possibly weeks, depending on the request queue.

To register or add a new device, visit this page or watch the how-to video here:

Using Duo

Starting December 28, 2016, all employees (including student employees) are required to use 2FA via Duo for CAS-authenticated websites and applications (e.g. Canvas, CIS, Box), high-risk servers, Citrix Application Portal, and VPN. Students won't be required to use Duo 2FA unless they are also U employees. Not all applications will require 2FA.

(Note: some employees will be required to use RSA SecurID instead of Duo.)

There are two forms of tokens: software and hardware. Software tokens are provided when using the phone or tablet, and are the preferred method of authentication. Duo hardware, or physical tokens, may also be purchased for $23 through the University Campus Store, as inventory permits. The Duo hard token will generate a series of unique letters or numbers, which you will enter into the passcode field on your device. Read more about DUO tokens.

Note: Yubikeys are not currently supported by the university.

No. Duo offers a mobile app for smartphones, including Windows mobile devices, and tablets (e.g. iPad and Android tablets) that is very user-friendly and provides the greatest level of security. This app can receive push notifications and provides authentication with one tap. Consequently, smartphones and tablets are highly recommended and preferred. Physical tokens can also be purchased and used in lieu of a smartphone or tablet. Central U administration does not reimburse employees for any cell phone charges or fund Duo hard tokens. Contact your department head for questions about possible compensation for your area.

If you lose your device and have multiple devices enrolled, you can simply remove the lost device via the Duo Management Portal. If only one device is enrolled, please contact the Help Desk (801-581-4000, option 1) as soon as possible. Visit this page for more information.

By selecting "Activate My Account," you agree to enable Duo two-factor authentication (2FA) enforcement for all University sites that use Central Authentication Service (CAS) for authentication, including BoxCISCanvas, and others, as well as high-risk servers, Citrix Application Portal, and VPN. All employees are required to use 2FA for CAS starting December 28, 2016.

Starting December 28, 2016, 2FA is required for all current employees, and is a requirement supported by Information Security Policy 4-004. If you have questions or concerns about this policy, please contact your manager or director. Find out more at it.utah.edu/2fa.

(Note: some employees will be required to use RSA SecurID instead of Duo.)

Yes. We recommend that you enroll a minimum of two devices.

New devices, such as a smartphone or tablet, can be added or removed via the Duo Management Portal, even after you have enrolled in the service. If you are using the Duo app, you will also need to install the app on your new device. Visit this page for more information.

Duo only stores your University ID (uNID), name, email address, and authentication device information.

Yes, if you have the smartphone or tablet app. Open the app and select the key icon to the right of the screen to generate a passcode. This process does not use data and does not incur any charges.

Yes. Open the smartphone/tablet app and select the key icon to the right of the screen to generate a passcode. This process does not use data and does not incur any charges, so it does not require a network connection.

Duo's authentication prompt is compatible with popular screen readers and voiceover options like NVDA and VoiceOver for Apple and Android phones. It is most accessible on up-to-date versions of popular browsers: Chrome, Safari, Firefox, and Edge. The Duo mobile application for iOS and Android is also compatible with platform native Text-to-Speech (TTS). Visit the vendor's webpage on accessibility for more information.


Duo 2FA devices cannot be registered to more than one person. If you are trying to add a device (such as a home phone) that is shared with someone else, and that device has already been registered to another person, you will receive an error message. If you have a compelling need to add a shared device, please contact the Help Desk for assistance 801-581-4000 option 1.

If you are not receiving the mobile push, this could mean that the Duo app on your smartphone/tablet is no longer correctly registered. Registration is per-device and can become invalid if the operating system (OS) changes or is updated. If you have upgraded the OS on your device, or if you are using a new smartphone, re-register the Duo application through the Duo Management Portal. The user will need to click on the “reactivate” button to complete this process.

If the mobile push is timing out, your device’s data connection may not be working properly. Internet connectivity is required for push notifications. Check that the device is successfully connected to UConnect or another secure network. Depending on the strength of your Wi-Fi signal, the mobile push may not come through and the request will time out. If this happens, simply open the app and select the key icon to the right of the screen to generate a passcode.

Visit this page for more information.

Hardware tokens can get out of sync if the passcode button is pushed numerous times and the passcodes are not used for authentication. In the Duo Management Portal, you should see a "Resync" button next to your registered hardware device information. Click this button and follow the screen prompts to resync the device. You will be asked to generate several passcodes on the device and enter these passcodes within the fields on the computer screen. Wait for each passcode to disappear from the hardware device before generating the next one. Once this process is complete, your hardware token can be used for authentication again.

Visit this page for more information.

UIT Help Desk: 801-581-4000, option 1 or helpdesk@utah.edu

Hospital Help Desk: 801-587-6000 or helpdesk@hsc.utah.edu

Contact your designated help desk:

UIT Help Desk: 801-581-4000, option 1 or helpdesk@utah.edu

Hospital Help Desk: 801-587-6000 or helpdesk@hsc.utah.edu

Please contact the Campus Help Desk at 801-581-4000, option 1 or helpdesk@utah.edu. The Help Desk is authorized to generate temporary passcodes for users who do not have access to a registered device, such as a smartphone or tablet.

In order to generate a temporary passcode, the user must verify his or her identity by answering personal CIS security questions. The temporary code is only valid for a short time. Once a user has authenticated a session, he or she should remain active for the normal CAS time.

Visit this page for more information.


Last Updated: 1/6/17