MFA Installation and Troubleshooting FAQ — Duo

Common questions regarding Columbia's multi-factor authentication requirement (Duo MFA) to protect systems with sensitive data.

Installing and Using Duo

Troubleshooting the Duo app

Duo for Windows RDP

Duo for Unix logins

FAQ: Installing and Using Duo

Your Columbia account and the services that you log into are valuable assets, both to you and to Columbia University.  Unfortunately, passwords have become vulnerable to theft, and by themselves, are no longer considered good enough to protect these assets.  A stolen password can result in personal loss, for example through paycheck redirection. It can also result in institutional loss, as when a compromised password provides an entry point for a hacker to launch a ransomware attack.  A password plus an additional authentication method like Duo MFA is much harder to steal and provides a much higher level of protection.  As a result, Columbia, along with many financial, research, and governmental organizations, now requires MFA for access to valuable organizational assets.

Full-featured Duo authentication requires a modern web browser with JavaScript enabled and a mobile device (a smartphone or tablet) with the Duo Mobile app. Supported browsers are: Chrome, Firefox, Safari, Edge, Opera, and Internet Explorer 8 or later. Some browsers do not support all of Duo's authentication devices (for example, Security Keys won't work with Internet Explorer). For the widest compatibility with Duo's authentication methods, we recommend recent versions of Chrome and Firefox.

Mobile devices with the following mobile OS versions are fully supported: iPhone/iPad (iOS 13.0 and greater) and Android (8.0 and greater). Visit the following sites for details and limitations on Duo Mobile support for iOS and for Android.  Minimal versions of Duo authentication based on voice calls ("Call Me") are also available. These versions require a modern web browser but will work with any voice phone.

Android: launch the Play Store app. Tap the magnifying glass icon in the upper right and enter Duo Mobile. Choose the Duo Mobile app from Duo Security, Inc., (not Google Duo), download the app, install and accept app permissions.

Apple: launch the App Store app. Enter Duo Mobile and choose the Duo Mobile app from Duo Security, Inc. (not Google Duo.) If you have not previously downloaded an app from the App Store, you will be required to enter your Apple ID and a credit card number, although you will not be charged for the Duo app. (This requirement comes from Apple, not Duo or Columbia University.) Download the app, install and accept app permissions.

 

The first time you log into an MFA-protected resource via CAS, after entering your username and password, you will be presented with a screen asking you to enroll in Duo multifactor authentication.

Invitation to enroll in Duo MFA

Press the green Start setup button and follow the online instructions.  You will be asked to enter your phone number and device type.  If you want to use the mobile app, you'll need to download and install Duo Mobile on your device and scan a QR code by opening the Duo Mobile app, tapping the "+" button in the upper right, and holding the device so that the black and white QR code appears on the device screen.

Duo enrollment, scan QR code.

(Scanning the QR code activates your device.  Be sure to answer Yes when you are asked to permit Duo Mobile to use your phone's camera since this is required for activation.)  If you want to authenticate via text message or landline call, you will have to confirm ownership of your device by entering a verification code that is delivered to you via phone call or text message. The whole process of enrolling in Duo and activating your device takes about 3 minutes.

Once you have activated your phone, the Duo Mobile app will present you with an Authentication Request, with 2 buttons, Approve and Deny.

Duo Mobile approve or deny

Tap Approve to let the authentication proceed and continue to your destination. Tap Deny to halt the request. In some cases, the length of the enrollment process may cause your CAS login to time out, and you'll have to log in a second time.

Each time you log into an MFA-protected application or computer with your username and password, you may also be prompted by Duo to Approve or Deny the authentication request. If you are using the Duo Mobile app, tap Approve to let the authentication proceed and continue to your destination. Tap Deny to halt the request. To minimize the number of Push requests, see the instructions for using the Duo Remember me for 24 hours feature.

If you are already using Duo, you can wait until you actually need to access a Columbia MFA-protected resource and you'll be prompted to enroll in Duo for Columbia at that time.  The enrollment process involves entering information about your phone in a web browser form and then verifying that the phone is in your possession with an activation code, which is delivered to your phone at enrollment time.

When you're authenticating to an MFA-protected service with CAS, click the Add a new device link in your web browser on the left hand side of the Duo authentication page.

Add a new device to your Duo account

(If you have set up Duo to automatically send you a Duo Push, you will first have to click the Cancel button to halt the Duo Push request.)  After authenticating with Duo using your first device, follow the online instructions to enter information about your second (or additional) device. Press Done to save your information and continue to your original destination.

Yes. Different services can share the same Duo mobile app or landline phone.  If you're using the Duo Mobile app, each service you enroll in appears as a stripe labelled with the name of the service owner ("Columbia University", "New York Presbyterian", "Acme Industries," etc.)  Note that passcodes are service-specific. To generate a passcode for a specific service, open the Duo Mobile app and tap the key icon to the right of the service name.

When you see the enrollment invitation asking you to "Protect Your Columbia University Account," click the Start setup button.

image shows: click the Start setup button

Next, select the Landline radio button on the "What type of device are you adding?" screen.

image: select the Landline radio button on the "What type of device are you adding?" screen

Enter the number of your landline or SMS-capable phone on the "Enter your phone number" screen, click the box labelled This is the correct number when you're done, and then click Continue.

Confirm your choices on the "My Settings and Devices" screen and ensure that Ask me to choose an authentication method is selected in the drop down box labelled When I log in. This will allow you to use a passcode when your phone is not available. Depending on your screen, you may have to scroll down to see the drop down box. Now click Continue to Login.

image shows: "My Settings and Devices" screen

Choose Call Me and follow the instructions from Duo in your call to press a key on your phone to complete your login.

In most cases, no.  Duo authentication is required each time you log into CUIT-managed Linux and Windows servers, but for CAS logins, you can set Duo to "remember" your authentication for 24 hours by checking the Remember me checkbox. If Remember me is checked, you will not be prompted to approve a Duo authentication for 24 hours after your first approval. If Remember me is not checked, your Duo authentication will remain valid for the duration of the CAS single sign-on session, which lasts for up to 60 minutes.

image shows: Duo authentication

When you click on the Remember me for 24 hours box, Duo sets a cookie in your browser that tells Duo not to prompt you on authentications during the 24 hour period.  There are a few limitations.  Since the bypass is cookie-based, it is confined to a specific browser instance.  It is also confined to a single user account.  (If the same browser is used to log in with a different UNI, you will be prompted.)  If you use private windows and exit the browser or in some other way delete cookies, the Remember me setting will not be saved.

If you tap Deny to halt the authentication request, the Duo Mobile app will ask Why are you denying this request?  If you did not initiate the login, you can report a fraudulent login request by choosing It seems fraudulent. Otherwise, choose It was a mistake. If you accidentally Deny a Duo authentication request on a CAS login, you can return to the CAS login page by clicking click here to QUIT near the top of the page.

If you've changed your phone number, you will need to reset your Duo account.

If your phone number hasn't changed, you can reactivate your Duo account on your new phone using these steps: 

  1. Download the Duo app on your new phone.
  2. Log in to your Duo account (this can be via any computer or tablet device, but it must be separate from your new phone).
  3. Select Setup under Manage Your Enrollment and log in with your UNI and password.
  4. Select Duo MFA Setup and log in (again) with your UNI and password.
  5. On the left side of the Duo window, select My Settings and Devices.
    1. If "auto-push" or "auto-call me" is enabled, select Cancel in the blue bar at the bottom of the window first.
  6. After selecting My Settings and Devices, complete a Duo authentication by selecting Call Me.  Answer the call from Duo and wait until the recording finishes before tapping the number 7.
  7. After authenticating with Duo, you will be brought to the My Settings and Devices screen again. Select Device Options next to your new device.
  8. Select the blue Reactivate Duo Mobile button.
  9. Follow the on-screen prompts to reactivate the Duo Mobile application.
  10. If the mobile device asks for permission for Duo Mobile to access the camera, tap Allow on the device in order to scan the on-screen QR code.
  11. After scanning the QR code, Duo Mobile will reactivate and send authentication requests to your new phone.

A passcode is a numeric code that can be used to authenticate to Duo.  Passcodes are good for a single use. You can pre-generate a list of 10 passcodes by logging into MFA Self-Service and choosing GENERATE PASSCODES. You can also get a single passcode by opening the Duo Mobile app and tapping the key icon in the bar labeled "Columbia University."  The mobile app-generated passcode is good for 30 seconds. To use a passcode to authenticate in your web browser, type the numeric code in the box on the Duo authentication page labeled Enter a Passcode. (If you have set up Duo to automatically send you a Duo Push, you will first have to hit the Cancel button to halt the Duo Push request.)

You can use Duo with a landline phone. See How do I enroll in Duo with a landline? for instructions. If you can't use a landline phone, you can also use pre-generated passcodes without a registered phone, or passcodes generated by a hardware token.  Please call the CUIT Service Desk at 212-854-1919 for details about requesting either of these two options.

Yes. You can specify an international country code when enrolling in Duo. When you enter your device's phone number, you can change the country code with the drop-down menu directly above the box. If you are enrolling with a US phone number, you will not need to change anything because the US country code (+1) is selected by default.

Beginning May 5, 2022, users attempting to authenticate to a Duo-protected application from a device with an IP address originating in an OFAC-regulated country or region will be blocked from completing their login and receive an error message. This change will roll out between May 5 and May 12.  Web-based applications will display the following error message: “Access denied. Duo Security does not provide services in your current location.” Non-web-based applications may display a generic failed login message.

OFAC restrictions relevant to Duo currently apply to the following countries or regions: Cuba, North Korea, Iran, Sudan, Syria, Crimea region, Sevastopol region, Donetsk region, Luhansk region.

Some users in China have reported difficulty with downloading and installing Duo. If you have an Android device and are installing Duo from a location in China, we recommend that you:

1. Download the Duo Mobile app directly from Duo's website (clicking this link will automatically download the APK).

2. If you receive a warning about installing "harmful" apps, navigate to your Security settings and select the Verify Apps option to enable installation of the APK. (The warning appears because you are not downloading directly from the Google Play store.)

FAQ: Troubleshooting the Duo App

Log into MFA Self-Service and choose DUO RESET. You will be prompted to enter your University ID Card Number (UCN). Once your Duo account has been reset, you will be able to re-enroll with a new device. But first, de-activate any phone(s) you have activated for Duo by removing your Columbia University account from the Duo Mobile app:

Android: open the Duo Mobile app and press the bar titled "Columbia University" for a few seconds. In the window that pops up, choose Remove Account.

Apple: open the Duo Mobile app, choose Edit and tap the minus sign, then tap Delete.

You can set up a backup MFA device during enrollment or afterwards by clicking the Add a new device link on the Duo web authentication page and configuring your authentication options. Then, if your primary device is unavailable or temporarily unusable, you can authenticate with your second, non-default device until you have your primary device back. You can also use pre-generated Passcodes.  If you don't already have a list of Passcodes, log into MFA Self-Service and choose GENERATE PASSCODES. You will be prompted to enter your University ID Card Number (UCN). Print out your Passcode list and keep it in a safe place.

See How do I reset my Duo Account?  Once your Duo account has been reset, you will be able to re-enroll with a new device.

You can still authenticate with Duo. You can use a pre-generated Passcode or open the Duo Mobile app and generate a single Passcode by tapping the key icon in the bar labeled "Columbia University." See What is a Passcode and how do I use one? for more information.

This happens on some older browser versions and on Internet Explorer with compatibility view turned on. The Duo webpage requires a recent version of Chrome, Mozilla Firefox, Opera, Safari or Internet Explorer (IE). For IE, version 8 or later is required and compatibility view must be off.

This option is only available when you select Ask me to choose an authentication method, either during enrollment or afterwards, or if you Cancel the authentication request. To choose this option after you've already enrolled, click the blue Cancel button that appears in the lower right in your browser before you respond to the authentication request. You should now be able to select the Remember me for 24 hours checkbox. Now select an authentication method and continue with your request.

The behavior of the app is device-dependent and differs between Android and Apple (iOS) phones.

Android: Under most circumstances, if the phone is on, is able to receive messages, and the screen is active, the app will pop open for a Duo Push request. On the other hand, if the phone is on, able to receive messages, and the screen is inactive (dark), you should get an alert (a sound or vibration) and a message that you have received a Duo Login Request. Open the Duo app and Approve or Deny the request. See these detailed instructions from Duo for resolving this issue.

Apple: Apple phones don't allow this. If the phone is on and is able to receive messages, you should receive a message saying that a Duo authentication request is pending. You can tap the message or open the Duo app to Approve or Deny  the request.  Under some circumstances, some Apple devices do not display a message indicating that you have received a Duo Push Request. If this happens, open the Duo app and Approve or Deny the request. See these detailed instructions from Duo for resolving this issue.

The display of messages is device-dependent and differs between Android and Apple (iOS) devices. If Duo has sent a Push request to your mobile device but the message is not visible, swiping down on your home screen should display the request. Otherwise, you can tap open Duo Mobile and any pending authentication requests will display as bars near the top of the app. Here are detailed instructions for Android and detailed instructions for iOS for resolving the message display issue.

Try disconnecting from wifi and reconnecting.  If your wifi network cannot connect to the internet, Duo Mobile Push notifications will not reach your device.  This can happen even if your phone can still receive calls while connected to wifi (phone calls and data use different networks).  If that doesn't help, try restarting your phone.

iOS 10 and the iPhone 6s/7 have introduced a feature called 3D Touch. If you have 3D Touch enabled on your device you will need to perform the hardest press action to make the Approve and Deny options appear. Once they are displayed, you can use TouchID or enter a passcode to approve the Push Authentication request. For additional details, please see the Duo documentation.

If all else fails, reset your Duo account as described. If you're using Duo Mobile, un-install and re-install the app, and restart your phone. The next time you authenticate to an MFA-protected service, you should be prompted to re-enroll in Duo.

FAQ: Duo for Windows RDP

Logins via RDP can be done with both UNI and non-UNI IDs. Use of a shared non-UNI ID with Duo multifactor authentication presents some complications, like ensuring the Duo authentication request is directed at the correct device (yours).

Enter your username and password at the RDP prompt as usual.  Following a successful username and password authentication, you will see the Duo authentication prompt.  In most cases, Duo for RDP has been configured to automatically push an authentication request to your Duo Mobile app. See Duo's RDP documentation for further details.

  • If you are logging in with your UNI and you are already enrolled in Duo through CAS, you're all set.
  • If you are logging in with your UNI and you are not already enrolled in Duo through CAS, browse to MFA self-service, click on SETUP in the Duo MFA Setup box, and complete the enrollment process using the web browser-based workflow. You are now ready to authenticate with Duo for RDP.
  • If you are logging in with a non-UNI username, request a Duo enrollment link for the account through ServiceNow.

Yes, Duo RDP supports passcodes for authentication, as well as Duo Push and phone callback.

FAQ: Duo for Unix Logins

mfa.cc.columbia.edu

Duo MFA has been installed on a small number of jump hosts. Users are required to first log in to one of these jump hosts before connecting to a protected server.

A jump host or jump server is a computer that provides access to other computers that lie in a separate, less accessible zone. See this Wikipedia article for a summary. Configuring a small group of MFA-enabled jump hosts and forcing all access to go through them is a way to enforce MFA for a large group of hosts while limiting the number of MFA installations and user MFA challenges.

MFA is managed by the PAM authentication stack. On an MFA-protected jump host, PAM authentication is configured to require the use of Duo as well as the entry of a username and password. Authentication to one of the jump hosts using a Kerberos Ticket Granting Ticket or SSH key also requires the use of Duo.
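The requirement above, that SSH-key and Kerberos logins also pass through Duo, depends on sshd handing those logins to PAM, so here is an added audit sketch (not Columbia's or Duo's own code or configuration) that checks an sshd_config and a PAM service file for that property. The sample configurations are constructed for illustration, and the rule that only keyboard-interactive counts as Duo-capable is a deliberately conservative assumption.

```python
"""Audit sketch: does an sshd + PAM setup force Duo for SSH-key and Kerberos logins?"""

PAM_BACKED = "keyboard-interactive"   # method that runs the PAM conversation (Duo prompt)
NON_PAM = {"publickey", "gssapi-with-mic", "hostbased"}  # succeed without the PAM auth stack

def parse_sshd(text):
    """Global sshd_config settings; for each keyword the first value wins."""
    cfg = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) != 2:
            continue
        if parts[0].lower() == "match":   # per-user/host overrides are out of scope here
            break
        cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg

def pam_duo_controls(text):
    """Control flags of active 'auth' lines that load pam_duo.so."""
    controls = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] in ("auth", "-auth") \
                and any("pam_duo.so" in f for f in fields[2:]):
            controls.append(fields[1])
    return controls

def audit(sshd_text, pam_text):
    """Return a list of findings; an empty list means no gap was detected."""
    findings = []
    cfg = parse_sshd(sshd_text)
    if cfg.get("usepam", "no").lower() != "yes":
        findings.append("UsePAM is not 'yes': sshd never calls the PAM stack")
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication", "yes"))
    if kbd.lower() == "no":
        findings.append("keyboard-interactive is disabled: the Duo prompt cannot be shown")
    methods = cfg.get("authenticationmethods", "any")
    if methods.lower() == "any":
        if cfg.get("pubkeyauthentication", "yes").lower() != "no":
            findings.append("no AuthenticationMethods: an SSH key alone completes login")
        if cfg.get("gssapiauthentication", "no").lower() == "yes":
            findings.append("no AuthenticationMethods: a Kerberos ticket alone completes login")
    else:
        for alt in methods.split():       # whitespace separates alternative method lists
            names = {m.split(":", 1)[0] for m in alt.split(",")}
            if names & NON_PAM and PAM_BACKED not in names:
                findings.append(f"method list '{alt}' never reaches the Duo prompt")
    controls = pam_duo_controls(pam_text)
    if not controls:
        findings.append("no active 'auth' line loads pam_duo.so")
    elif all(c == "optional" for c in controls):
        findings.append("pam_duo.so is marked 'optional': other modules can carry the login")
    return findings

# Constructed sample inputs (not taken from any real host).
WEAK_SSHD = "UsePAM yes\nPubkeyAuthentication yes\nGSSAPIAuthentication yes\n"
HARDENED_SSHD = ("UsePAM yes\nKbdInteractiveAuthentication yes\nGSSAPIAuthentication yes\n"
                 "AuthenticationMethods publickey,keyboard-interactive "
                 "gssapi-with-mic,keyboard-interactive keyboard-interactive\n")
SAMPLE_PAM = "auth requisite pam_unix.so\nauth required pam_duo.so\naccount required pam_unix.so\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD), ("hardened", HARDENED_SSHD)):
        print(name, audit(cfg, SAMPLE_PAM) or "no findings")
```

The check reads only the global section of sshd_config, so settings inside Match blocks need a separate review.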

  • If you are logging in with your UNI and you are already enrolled in Duo through CAS, you're all set.
  • If you are logging in with your UNI and you are not already enrolled in Duo through CAS, browse to MFA self-service, click on SETUP in the Duo MFA Setup box, and complete the enrollment process using the web browser-based workflow.  You are now ready to authenticate with Duo for Unix.
  • If you are logging in with a non-UNI username, request a Duo enrollment link for the account by submitting a ticket in ServiceNow.

After you have enrolled your user account with Duo as described above, authenticate as usual. After logging in with your username and password, you'll receive the Duo prompt which will look approximately like this:

Duo two-factor login for abc123

Enter a passcode or select one of the following options:

  1. Duo Push to XXX-XXX-0123
  2. Phone call to XXX-XXX-0123
  3. Phone call to XXX-XXX-0987

Passcode or option (1-3):

Enter "1" to have a Duo Push authentication sent to your Duo Mobile app, enter "2" to request a phone callback authentication, enter "3" to request a phone callback authentication using your secondary phone, or enter a passcode value (the 6- or 8-digit number).

Duo will use a single user account for all of the CUIT-managed MFA protected Unix jump hosts you log into with your UNI. If you log into Unix with multiple usernames, you’ll have to enroll each username separately.

Yes, Duo supports passcodes, Duo Push and phone callback for Unix authentication.