Help with Duo: Two Factor Authentication
Frequently Asked Questions:
I'm traveling overseas and don't have cellular connectivity. How do I use Duo?
If you’re traveling with an international data plan on your smart phone, the Push feature in the Duo Mobile App should work as normal.
For any situation where you are outside of cellular reception — whether for a short time in an area of low signal around town, because your phone is in airplane mode while traveling, or because you’re abroad in a country with more limited networking infrastructure or restrictive internet policies — Duo supports multiple methods for completing two-factor authentication.
- The Duo hardware token, available at RamTech, is a key-fob device that does not rely on network communication. A push of the button provides a one-time code that can be typed into the Duo prompt.
- The Duo Mobile App, on a cell phone or tablet, also has a one-time code feature that functions even when the device can’t reach the network.
In general, it’s a good idea to have more than one 2nd factor, in case you lose one or it stops functioning for some reason. If you travel extensively, and reaching the CSU help desk might be difficult due to time differences, it would be a great idea to register two devices that you’ll have with you.
How do I configure my Pulse Desktop or Mobile Client?
- Click the plus sign (+) on the top (Windows) or lower left (Mac) to create a new connection.
- Enter a name for the connection (e.g. CSU Two-Factor Connection)
- Enter the server as secure.colostate.edu/2fa
How do I register a foreign phone number using the self-service page?
Foreign phone numbers are supported in DUO. To register a foreign number enter a plus sign (+), followed by the Country Code and the phone number in the phone number field. These numbers should be all in one string; no spaces or dashes. For example: +441234567890
I don’t have a phone and need a hardware token – where do I get one?
Colorado State University supports the DUO Hardware tokens as a 2nd factor authentication device. You can buy a hardware token at RamTech for $23.75 and the staff will enroll the token for you. For information on using a hardware token as your 2nd factor please see the Hardware Tokens user guide below.
I lost a device registered with DUO. How can I remove this device as my 2nd factor?
If you’ve lost your cell phone, hardware token, or any other device you’ve registered with DUO, you can remove it through the self-service application located on the eID website. You will need to have another device registered as a 2nd factor for this to work (recommended). If you do not have a backup device registered with DUO you will need to contact the CSU IT Central Support Helpdesk at (970) 491-7276 or firstname.lastname@example.org.
I’ve replaced the phone I enrolled in DUO – do I need to register it?
If your phone number changed or you have a new phone (with the same number):
- If you have an alternate/backup device enrolled in Duo:
- Log in to the Duo Enrollment website with your eID and password.
- Find your old device under the Registered Devices table and click the delete link to remove it.
- Click on the +Register Device to enroll your new phone and number. If you need help see the instructions below for registering and activating devices.
- If you do not have an alternate/back-up device enrolled in Duo, call the CSU Central IT Support Helpdesk at (970) 491-7276 or email@example.com.
Can I setup more than one device?
We recommend that you setup more than one device as a 2nd factor authentication method with DUO. If you lose, misplace or simply forget a device, having a second registered device (like your desk phone, or a hardware token) will save the day.
What can I use besides my cell phone as a second factor device?
You can setup the following devices as options for a 2nd factor authentication:
- Phone number – Instructions — any device that can receive phone calls, including cell phones and home phones/”landlines”
- Smartphone or Tablet with DUO Mobile App – Instructions
- Hardware Token – visit RamTech to purchase and configure a hardware token. For more information on using a token see the Hardware Token user guide below.
Can I use my "not-so-smart" cell phone?
Yes. Any device capable of receiving a phone call can be registered as a “phone”, also referred to in some Duo documentation as a “landline” even though simpler cell phones also qualify. In fact, if you don’t plan to install the Duo Mobile app, your smart phone can be added simply as a phone and just receive phone calls.
How do I authenticate with my smart phone app if I don’t have cell signal, data, or Wi-Fi connection?
Generate a passcode in the Duo Mobile app by tapping the key icon next to “Colorado State University”. The passcode will appear underneath. Then log in to the system using the passcode.
I only log in once a year – do I need to use Duo?
Yes. If you are logging in from off campus to check HR or other on-campus systems, you will need to use Duo. For this case, it would be good to register one or more phone numbers. These can be your home phone or a cell phone. Using this method, you will ask CSU’s service to call you and when you answer your phone you will need to press the # key to confirm that it’s really you.
How can I start using Duo between the Open Enrollment date of March 19 and the required date of April 25?
During this transition time you will not be asked for a second-factor of authentication when connecting to secure.colostate.edu or when using the Pulse Secure Client. If you want to start getting used to this new method, you can:
- Using the Web Interface – connect to secure.colostate.edu/duo and you will be prompted for your second-factor.
- Using the Pulse Secure Client – Add a connection using the server name secure.colostate.edu/2fa. (see documentation for adding a Pulse connection if needed)
Remember that this is a transitional mechanism and after April 25 you will want to use the normal URL of secure.colostate.edu.
What is Duo Restore and what should I do if it pops up?
Duo Restore is not currently supported at CSU. Our recommendation is to answer ‘No’ to enabling it.
Hardware tokens are the most basic way of authenticating.
To authenticate using a hardware token, click the ‘Enter a Passcode’ button. Press the button on your hardware token to generate a new passcode, type it into the space provided, and click ‘Log In’ (or type the generated passcode in the “second password” field). Using the “Device:” drop-down menu to select your token is not necessary before entering the passcode.
Tokens can get “out of sync” if the button is pressed too many times in a row and the generated passcodes aren’t used for login. Contact the Central IT Support Helpdesk if your token stops working.