Multifactor Authentication — Duo
Use multifactor authentication to protect systems with valuable data, as well as your account.
Also known as MFA, two-factor authentication, TFA, Duo and two-step verification.
Multifactor authentication (MFA) uses multiple proofs of identity to ensure you are authorized to access the service or resource that you are requesting.
These proofs include more than one of:
- something you know (a secret piece of information, such as a password)
- something you have (a token, card or device)
- something you are (a biometric measurement or representation)
CUIT uses Duo as the MFA service to verify your identity for Columbia’s centralized applications. With Duo, you can use a mobile app or a phone call to authenticate. Duo can be combined with other authentication factors, such as username and password authentication, to create multifactor authentication. Most people use Duo via the mobile app, Duo Mobile, which runs on a variety of smartphones and tablets.
Duo multifactor authentication will soon be required for access to all CAS-protected services, including Columbia Health, View Your Paycheck, Courseworks and others.
Duo MFA Setup
Click here to set up or test Duo MFA if:
- You don't have a Duo account and want to set one up now. (It requires a UNI and takes about 3 minutes.)
- You've already set up Duo and want to test it.
Duo MFA Information for Alumni
Starting this Spring, Duo MFA will be required for all CAS logins for Columbia University Alumni who have Lionmail accounts. This includes logins to most Columbia online resources like transcript requests, library access and Lionmail. Duo MFA is also required for logins to CUIT-managed Linux hosts including cunix. See below for answers to some commonly asked questions about this new requirement.
For help with your UNI, go to the Columbia Alumni website.
Your Columbia account and the services you log into are valuable assets to you and Columbia University. Unfortunately, passwords have become vulnerable to theft and are no longer considered good enough to protect these assets. A stolen password can lead to your email being hijacked by an attacker. This in turn could give them access to reset your password on other personal accounts, like a PayPal or bank account. A password plus an additional authentication method like Duo MFA is much harder to steal and provides much better protection. As a result, Columbia, along with many financial, research, and governmental organizations, now requires MFA for access to valuable organizational assets.
Duo uses your phone to verify your identity. When combined with a UNI and password, it becomes a very strong form of identity verification. These instructions describe how to set up Duo on your phone. Here are instructions for using Duo when you log in.
You'll be prompted to sign up for a Duo account when you log into a Columbia University resource that requires it. If you want to get that out of the way in advance, you can set up Duo now by logging in to Duo Setup with your UNI and password and following the on-screen instructions. For a fuller description of the setup steps, see How do I use Duo for the first time?
No, just continue using Duo MFA as you have in the past. If you haven't used the Duo Mobile app in over 30 days, you may have to reactivate the app. See these instructions for reactivating Duo Mobile.
An Account Recovery Email is a non-Columbia email account that can be used to verify your identity by sending you a one-time code. Once you've set up Duo, we strongly encourage you to set up an Account Recovery Email, which will make it easy to continue using Duo if you change, lose or misplace your phone. Go to Manage My UNI and select Add or Update My Account Recovery Email.
You'll find answers to most of your questions on Columbia's MFA Installation and Troubleshooting website. See the section, "Installing and Using Duo". If you don't find what you're looking for, please submit a ticket to the CUIT Service Desk, email [email protected] or call 212-854-1919.
For operational and technical questions about Duo, please submit a ticket to the CUIT Service Desk, email [email protected] or call 212-854-1919. For policy questions ("Why must I do this?") please contact the Columbia Alumni Center, 212-851-7800 or email [email protected]
You can find detailed FAQs for installation, troubleshooting, Windows RDP, and Unix on our expanded MFA FAQ page.
Authentication is the process of ensuring that something is genuine. Username and password authentication uses a shared secret (the password) to establish that a user of an application is actually who or what the user claims to be.
Multifactor authentication (MFA) uses multiple forms, or factors, of proof, including:
- Something you know (a secret like a password)
- Something you have (a token, card or device)
- Something you are (a biometric measurement or representation)
The number and independence of the authentication factors add to the degree of confidence we have in the identity of the person or thing. This degree of confidence is sometimes called the level of assurance. Multifactor authentication is said to have a higher level of assurance than authentication that uses a single factor.
Duo is a service that can use a mobile app, a token, or a phone call to authenticate you. It can be combined with other authentication factors like username and password authentication to create multifactor authentication. Most people use Duo via the mobile app, Duo Mobile, which runs on a variety of smartphones and tablets. Here are descriptions and screenshots of Duo Mobile for Android and Apple iOS.
Duo has been added to Columbia's CAS authentication service to create multifactor authentication for web browser-based applications. It is required for all CAS logins for faculty, staff and students. Duo authentication has also been added to Remote Desktop Protocol (RDP) logins for CUIT-managed Windows servers, logins to CUIT-managed Linux hosts including cunix, VPN logins, and logins to various other services.