MFA Installation and Troubleshooting FAQ — Duo

Common questions regarding Columbia's multi-factor authentication requirement (Duo MFA) to protect systems with sensitive data.

Installing and Using Duo

Troubleshooting the Duo app

Duo for Windows RDP

Duo for Unix logins

FAQ: Installing and Using Duo

Your Columbia account and the services that you log into are valuable assets, both to you and to Columbia University.  Unfortunately, passwords have become vulnerable to theft, and by themselves, are no longer considered strong enough to protect these assets.  A stolen password can result in personal loss, for example through paycheck redirection. It can also result in institutional loss, as when a compromised password provides an entry point for a hacker to launch a ransomware attack.  A password plus an additional authentication method like Duo MFA is much harder to compromise and provides a higher level of protection.  As a result, Columbia, along with many financial, research, and governmental organizations, now requires MFA for access to valuable organizational assets.

Full-featured Duo authentication requires a modern web browser with JavaScript enabled and a mobile device (a smartphone or tablet) with the Duo Mobile app. Supported browsers are: Chrome, Firefox, Safari, Edge, Opera, and Internet Explorer 8 or later. Some browsers do not support all of Duo's authentication devices (for example, Security Keys won't work with Internet Explorer). For the widest compatibility with Duo's authentication methods, we recommend recent versions of Chrome and Firefox.

Mobile devices with the following mobile OS versions are fully supported: iPhone/iPad iOS 16.0 and greater (as of February 17, 2025) and Android 11.0 and greater (as of February 24, 2024).  Visit the following sites for details and limitations on Duo Mobile support for iOS and for Android.  Minimal versions of Duo authentication based on voice calls ("Call Me") are also available. These versions require a modern web browser but will work with any voice phone.

Android: launch the Play Store app. Tap the magnifying glass icon in the upper right and enter Duo Mobile. Choose the Duo Mobile app from Duo Security, Inc. (not Google Duo), download the app, install it and accept app permissions.

Apple: launch the App Store app. Enter Duo Mobile and choose the Duo Mobile app from Duo Security, Inc. (not Google Duo.) If you have not previously downloaded an app from the App Store, you will be required to enter your Apple ID and a credit card number, although you will not be charged for the Duo app. (This requirement comes from Apple, not Duo or Columbia University.) Download the app, install and accept app permissions.

 

Duo Verified Push is an improved form of Duo Push.  When using Duo Verified Push at Columbia, you will be asked to enter a 4-digit code on your Duo Mobile app.  Duo Verified Push is designed to help stop phishing and MFA fatigue attacks.  Below, you will see an image of what the Verified Push looks like when signing into a CU-managed web application.  Starting April 2026, Verified Push is the default Duo Mobile authentication method.

Push

The first time you log into CAS with your username and password, you will be asked to create a Duo account.

Welcome to Duo Security

Press Get started and follow the online instructions.  You will be asked to add a device that Duo can use to confirm your identity.  The device is the phone, computer, authentication key, biometric sensor or mobile app used in the authentication. The most commonly used device for Duo logins is the Duo Mobile app.  If you want to use Duo Mobile, choose Duo Mobile as your device.

First, add a device

Enter the phone number of the phone where you'll install Duo Mobile, press Continue, and then confirm you've entered the number correctly.

Enter your phone number

If you haven't already, download and install the Duo Mobile app on your phone.  Open the Duo Mobile app, tap the "+" button in the upper right, and hold the phone so that the black and white QR code on your computer appears on the phone's screen.

Scan this QR code

Scanning the QR code activates your device (registers it with Duo.)  Answer Yes when you are asked to give permission for Duo Mobile to use your phone's camera since this is required for activation.

Added Duo Mobile

After activating Duo Mobile, click Continue. 

Add one more device

You may add additional devices now or at any time in the future when you log in with Duo.  Click the I don't want to add more devices link to continue.

Setup completed

Enrolling in Duo and activating a device usually takes about 3 minutes.

Once you have activated your phone and see the Setup completed! message, select Log in with Duo. The Duo Mobile app will present you with an Authentication Request with 2 buttons, Approve and Deny.

Duo Mobile accept or deny

Tap Approve to let the authentication proceed and continue to your destination. Tap Deny to halt the request.

Success!

After successfully logging in with Duo, you'll briefly see the Success! message before your browser is sent to your original destination.

Login expired

In some cases, the length of the enrollment process may cause your CAS login to time out, and you'll have to log in a second time to proceed to your original destination.

Each time you log into a CAS-protected application with your username and password, you may also be prompted by Duo to Approve or Deny the authentication. If you are using the Duo Mobile app, tap Approve to let the authentication proceed and continue to your destination. Tap Deny to halt the request. To minimize the number of Push requests, see these instructions for using Duo's Yes, this is my device feature.

If you are already using Duo, you can wait until your first CAS login and you'll be prompted to enroll in Duo for Columbia at that time. If you're using the Duo Mobile app, the enrollment process involves entering information about your phone and then scanning a QR code and/or verifying that the phone is in your possession by entering an activation code that is sent to your phone at enrollment time.

Click the Other options link on the Duo authentication view.

Check for a Duo push

Choose Manage devices on the Other options to log in view.

Other options to log in

Authenticate with Duo, choose Add a device, and follow the same steps described in How do I use Duo for the First Time? for adding a device.

Click the Other options link on the Duo authentication view.

Check for a Duo push

Choose Manage devices on the Other options to log in view.

Manage devices

Choose Phone call and answer the call from Duo.  Wait until the recording finishes before pressing "7" on your phone keypad. Then follow the on-screen prompts to reactivate Duo Mobile.

Yes. Different services can share the same Duo device. If you're using the Duo Mobile app, each service you enroll in will appear as a stripe labelled with the name of the service owner ("Columbia University", "New York Presbyterian", "Acme Industries," etc.)  Note that passcodes are service-specific. To generate a passcode for a given service, open the Duo Mobile app and tap the stripe with the service name.

The first time you log into CAS with your username and password, you will be asked to create a Duo account.

Welcome to Duo Security

Press Get started and follow the online instructions.

First, add a device.

You will be asked to add a device that Duo can use to confirm your identity.  Select Phone number to register a landline or basic mobile phone.

Enter your phone number

Enter the phone number. If the phone is a landline, check the box for This is a landline phone.  Then press Continue. Confirm that the number you've entered is correct and click Yes, it’s correct or make any necessary corrections.

Added phone

After confirming the number, choose Continue.

Add one more device

You can add additional devices now or on future logins. If you don't want to add an additional device now, click the I don’t want to add more devices link to complete your setup. 

Setup completed.

Enrolling in Duo and connecting a phone usually takes about 3 minutes. Now click Log in with Duo to return to the Duo authentication view and complete your login.

Call your phone

Choose Call phone to log in with your phone.

Answer the phone call

Answer the phone call from Duo and follow the verbal instructions to enter a specific number on the phone keypad.

Success!

After successfully logging in with Duo, you'll briefly see the Success! message before your browser is sent to your original destination.

In many cases, no. Duo authentication is required each time you log into CUIT-managed Linux and Windows servers and for logins to the VPN, but for CAS logins, you can tell Duo to "remember" your authentication for 24 hours by choosing Yes, this is my device on the Is this your device? view, which appears after you log in with Duo.

Is this your device?

If you choose this option, you will not be prompted for Duo authentication for 24 hours after you log in. If you choose No, other people use this device, your Duo login will remain valid for the duration of the CAS single sign-on session, which lasts for up to 60 minutes.

When you click on the Yes, this is my device link, Duo sets a cookie in your browser that tells Duo not to prompt you on authentications during the following 24 hours, with the following limitations. Since the bypass depends on a browser cookie, it is confined to a specific browser instance. It is also confined to a single user account.  (If the same browser is used to log in with a different UNI, you will be prompted.)  If you use private or incognito browser windows and exit the browser, or if you delete Duo browser cookies in some other way, the Yes, this is my device setting will not be saved.

If you tap Deny to halt the authentication request, the Duo Mobile app will ask Why are you denying this request?  If you did not initiate the login, you can report a fraudulent login request by choosing It seems fraudulent. Otherwise, choose It was a mistake. If you accidentally Deny a Duo authentication request on a CAS login, you can repeat the Duo Mobile push request by clicking the Go back link on the Login denied view.

Login denied

If you've changed your phone number, you will need to reset your Duo account.

If your phone number hasn't changed, set up your Duo account on your new phone by following these steps: 

  1. Download the Duo Mobile app on your new phone.
  2. Browse to the MFA Self-Service app and log in with your UNI and password.  (Use a browser on a different device from your phone.)
  3. Select TEST DUO MFA and log in again with your UNI and password.
  4. Select the My Settings & Devices link on the left side of the Duo window.  (If you've enabled "auto-push" or "auto-call me", select Cancel in the blue bar at the bottom of the window first.)
  5. Complete Duo authentication by selecting Call Me.  Answer the call from Duo and wait until the recording finishes before tapping the number 7.
  6. After authenticating with Duo, you will be brought to the My Settings and Devices screen again. Select Device Options next to your new device.
  7. Select the blue Reactivate Duo Mobile button.
  8. Follow the on-screen prompts to reactivate the Duo Mobile application.
  9. If the mobile device asks for permission for Duo Mobile to access the camera, tap Allow on the device in order to scan the on-screen QR code.
  10. After scanning the QR code, your new phone should be able to receive Duo authentication requests.

Yes, security keys including Yubikeys can be used with Duo.  See this article for information on supported models. You can add a security key either as a primary or secondary device when you first create your Duo account by choosing the Security Key (Yubikey, Feitian, etc.) option when you are prompted, What type of device are you adding?  If you already have a Columbia Duo account and want to add a security key, see How do I add another device? For more information on Yubikey models and pricing, see the Yubikey site.

A passcode is a numeric code that can be used to authenticate to Duo. Each passcode is good for a single use. You can get a passcode by opening the Duo Mobile app and tapping the bar labeled "Columbia University."  This mobile app-generated passcode is good for 30 seconds. You can also generate a list of 10 passcodes in advance by logging into MFA Self-Service and choosing GENERATE PASSCODES. Pre-generated passcodes are good until you use them or generate a new batch. 

Other options to log in

To authenticate with a passcode from Duo Mobile, click Other options (if your Duo authentication started with Duo Push) and choose Duo Mobile passcode.  

Enter your passcode

Enter the passcode from Duo Mobile in the box labeled Passcode on the Duo Enter your passcode view and choose Verify.

You can use Duo with a landline or basic phone. See How do I enroll in Duo with a landline or basic phone?. If you can't use a landline or basic phone, you can also use pre-generated passcodes without a registered phone, or passcodes generated by a hardware token. Contact the CUIT Service Desk at 212-854-1919 for details about requesting either of these two options.

Yes. You can specify an international country code when enrolling in Duo. When you enter the phone number, select the country code from the drop-down menu to the left of the phone number.  (When you enter a US phone number, the US country code (+1) is selected by default.)

No. Users who attempt to authenticate to a Duo-protected application from a device whose IP address originates in an OFAC-regulated country or region are blocked from completing their Duo login and receive the following error message: “Access denied. Duo Security does not provide services in your current location.” Non-web-based applications may display a generic failed login message.

OFAC restrictions relevant to Duo currently apply to the following countries or regions: Cuba, North Korea, Iran, Sudan, Syria, Crimea region, Sevastopol region, Donetsk region, Luhansk region.

Some users in China have reported difficulty with downloading and installing Duo. If you have an Android device and are installing Duo from a location in China, we recommend that you:

1. Download the Duo Mobile app directly from Duo's website (clicking this link will automatically download the APK).

2. If you receive a warning about installing "harmful" apps, navigate to your Security settings and select the Verify Apps option to enable installation of the APK. (The warning appears because you are not downloading directly from the Google Play store.)

FAQ: Troubleshooting the Duo App

Log into MFA Self-Service and choose DUO RESET.  You will need your University ID Card Number (UCN) or your Account Recovery Email. (Set up or change your Account Recovery Email here.)  Once your Duo account has been reset, you will be able to re-enroll with a new device. But first, de-activate any phone(s) you have activated for Duo by removing your Columbia University account from the Duo Mobile app:

Open Duo Mobile and press the bar titled Columbia University. Tap the three dots in the upper right hand corner and choose Delete to remove the account.

Set up a secondary MFA device either during enrollment or afterwards by choosing Other options on the Duo authentication view, and choosing Manage devices on the Other options to log in view.  Authenticate with Duo, choose Add a device, and follow the same steps described in How do I use Duo for the First Time?

You can also use pre-generated Passcodes.  If you don't already have a list of Passcodes, log into MFA Self-Service and choose GENERATE PASSCODES. You will be prompted to enter your University ID Card Number (UCN). Print out your Passcode list and keep it in a safe place.

See How do I reset my Duo Account?  Once your Duo account has been reset, you will be able to re-enroll with a new device.

You can still authenticate with Duo. You can use a pre-generated Passcode or open the Duo Mobile app and generate a single Passcode by tapping the bar labeled "Columbia University." See What is a Passcode and how do I use one? for more information.

It is possible you are connecting to Duo with an unsupported browser or browser version. The Duo web browser UI, collectively known as the Duo Universal Prompt, is supported in the following browsers: Chrome (Desktop and Mobile), Firefox, Safari (Desktop and Mobile), Edge, and Internet Explorer (version 11 and later.) In Internet Explorer, compatibility view must be off.

The behavior of the app is device-dependent and differs between Android and Apple (iOS) phones.

Android: Under most circumstances, if the phone is on, is able to receive messages, and the screen is active, the app will pop open for a Duo Push request. On the other hand, if the phone is on, able to receive messages, and the screen is inactive (dark), you should get an alert (a sound or vibration) and a message that you have received a Duo Login Request. Open the Duo app and Approve or Deny the request. See these detailed instructions from Duo for resolving this issue.

Apple: Apple phones don't allow this. If the phone is on and is able to receive messages, you should receive a message saying that a Duo authentication request is pending. You can tap the message or open the Duo app to Approve or Deny the request.  Under some circumstances, some Apple devices do not display a message indicating that you have received a Duo Push Request. If this happens, open the Duo app and Approve or Deny the request. See these detailed instructions from Duo for resolving this issue.

The display of messages is device-dependent and differs between Android and Apple (iOS) devices. If Duo has sent a Push request to your mobile device but the message is not visible, swiping down on your home screen should display the request. Otherwise, you can tap open Duo Mobile and any pending authentication requests will display as bars near the top of the app. Here are detailed instructions for Android and detailed instructions for iOS for resolving the message display issue.

Try disconnecting from wifi and reconnecting.  If your wifi network cannot connect to the internet, Duo Mobile Push notifications will not reach your device.  This can happen even if your phone can still receive calls while connected to wifi (phone calls and data use different networks.)  If that doesn't help, try restarting your phone.

iOS 10 and the iPhone 6s/7 introduced a feature called 3D Touch. If you have 3D Touch enabled on your device you will need to perform the hardest press action to make the Approve and Deny options appear. Once they are displayed, you can use TouchID, FaceID, or enter a passcode to approve the Push Authentication request. For additional details, please see the Duo documentation.

 

If all else fails, reset your Duo account as described. If you're using Duo Mobile, un-install and re-install the app, and restart your phone. The next time you log in to CAS, you should be prompted to re-enroll in Duo.

FAQ: Duo for Windows RDP

Logins via RDP can be done with both UNI and non-UNI IDs. Use of a shared non-UNI ID with Duo multifactor authentication presents some complications, like ensuring the Duo authentication request is directed at the correct device (yours).

Enter your username and password at the RDP prompt as usual.  Following a successful username and password authentication, you will see the Duo authentication prompt.  In most cases, Duo for RDP has been configured to automatically push an authentication request to your Duo Mobile app. See Duo's RDP documentation for details.

  • If you are logging in with your UNI and you are already enrolled in Duo through CAS, you're all set.
  • If you are logging in with your UNI and you are not already enrolled in Duo through CAS, browse to MFA self-service, click on SETUP in the Duo MFA Setup box, and complete the enrollment process using the web browser-based workflow. You are now ready to authenticate with Duo for RDP.
  • If you are logging in with a non-UNI username, request a Duo enrollment link for the account through ServiceNow.

Yes, Duo RDP supports passcodes for authentication, as well as Duo Push and phone callback.

FAQ: Duo for Unix Logins

mfa.cc.columbia.edu

Duo MFA has been installed on a small number of jump hosts. Users are required to first log in to one of these jump hosts before connecting to a protected server. Note: from off-Morningside-campus, access to the jump hosts requires a VPN login.

A jump host or jump server is a computer that provides access to other computers that lie in a separate, less accessible zone. See this Wikipedia article for a summary. Configuring a small group of MFA-enabled jump hosts and forcing all access to go through them is a way to enforce MFA for a large group of hosts while limiting the number of MFA installations and user MFA challenges.

MFA is managed by the PAM authentication stack. On an MFA-protected jump host, PAM authentication is configured to require the use of Duo as well as the entry of a username and password. Authentication to one of the jump hosts using a Kerberos Ticket Granting Ticket or SSH key also requires the use of Duo.
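The property stated above (password, SSH key and Kerberos logins all end in a Duo challenge) can be checked from a host's configuration. The following is an added example, not Columbia's or Duo's own code: it assumes OpenSSH with Duo's `pam_duo.so` module, uses constructed sample configs, and does not follow PAM include lines or sshd `Match` blocks.

```python
# Added example: audit whether sshd + PAM force Duo on every login path.
# Sample configs below are constructed, not taken from any real jump host.
ENFORCING = {"required", "requisite"}  # PAM controls where a Duo failure fails the login


def parse_sshd(text):
    """Global sshd_config options (keyword lower-cased); first occurrence wins."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        if parts[0].lower() == "match":  # Match blocks are not evaluated here
            break
        opts.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return opts


def duo_control(pam_text):
    """Control field of the first 'auth <control> pam_duo.so' line, else None."""
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth" and "pam_duo.so" in fields[2:]:
            return fields[1]
    return None


def audit(sshd_text, pam_text):
    """Return findings; an empty list means every checked path reaches Duo."""
    opts, findings = parse_sshd(sshd_text), []
    if opts.get("usepam", "no").lower() != "yes":
        findings.append("UsePAM is not yes: sshd never runs the PAM stack")
    control = duo_control(pam_text)
    if control is None:
        findings.append("pam_duo.so is missing from the PAM auth stack")
    elif control not in ENFORCING:
        findings.append(f"pam_duo.so control '{control}' is not required/requisite; review manually")
    methods = opts.get("authenticationmethods", "any")
    if methods.lower() == "any":
        # Without AuthenticationMethods, a successful key or GSSAPI login
        # completes without sshd ever running the PAM auth stack.
        if opts.get("pubkeyauthentication", "yes").lower() != "no":
            findings.append("SSH key logins skip the PAM auth stack")
        if opts.get("gssapiauthentication", "no").lower() == "yes":
            findings.append("Kerberos (GSSAPI) logins skip the PAM auth stack")
    else:
        for chain in methods.split():
            names = [m.split(":", 1)[0] for m in chain.split(",")]
            if "keyboard-interactive" not in names:
                findings.append(f"method list '{chain}' never reaches PAM/Duo")
    return findings


WEAK_SSHD = "UsePAM yes\nPubkeyAuthentication yes\nGSSAPIAuthentication yes\n"
WEAK_PAM = "auth required pam_unix.so\nauth sufficient pam_duo.so\n"
HARDENED_SSHD = (
    "UsePAM yes\n"
    "AuthenticationMethods publickey,keyboard-interactive "
    "gssapi-with-mic,keyboard-interactive keyboard-interactive\n"
)
HARDENED_PAM = "auth required pam_unix.so\nauth required pam_duo.so\n"

if __name__ == "__main__":
    for name, sshd, pam in (("weak", WEAK_SSHD, WEAK_PAM),
                            ("hardened", HARDENED_SSHD, HARDENED_PAM)):
        print(name, audit(sshd, pam) or "OK: Duo is required on every path")
```

On a real host the two inputs would be the contents of `/etc/ssh/sshd_config` and `/etc/pam.d/sshd`.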

  • If you are logging in with your UNI and you are already enrolled in Duo through CAS, you're all set.
  • If you are logging in with your UNI and you are not already enrolled in Duo through CAS, browse to MFA self-service, click on SETUP in the Duo MFA Setup box, and complete the enrollment process using the web browser-based workflow.  You are now ready to authenticate with Duo for Unix.
  • If you are logging in with a non-UNI username, request a Duo enrollment link for the account by submitting a ticket in ServiceNow.

After you have enrolled your user account with Duo as described above, authenticate as usual. After logging in with your username and password, you'll receive the Duo prompt which will look approximately like this:

Duo two-factor login for abc123

Enter a passcode or select one of the following options:

  1. Duo Push to XXX-XXX-0123
  2. Phone call to XXX-XXX-0123
  3. Phone call to XXX-XXX-0987

Passcode or option (1-3):

Enter "1" to have a Duo Push authentication sent to your Duo Mobile app, enter "2" to request a phone callback authentication, enter a passcode value (the 6- or 8-digit number), or enter "3" to request a phone callback authentication using your secondary phone.

No, Duo will use a single user account for all of the CUIT-managed MFA protected Unix jump hosts you log into with your UNI. However, if you log into Unix with multiple usernames, you’ll have to enroll each username separately.

Yes, Duo supports passcodes, Duo Push and phone callback for Unix authentication.