How to Use Two-Factor Authentication
Two-factor authentication (2fa) provides an extra layer of security to protect your identity and university data. At Carnegie Mellon University, we use the DUO app. When you enroll in 2fa and attempt to log in with CMU Web Login, you'll receive a prompt from DUO on your smartphone, tablet or hardware token to approve the login. This takes security beyond your username and password by verifying with CMU's servers that you are who you say you are.
Use the buttons below to find the information you need. And if you're still stuck, review our FAQ.
Register to Use 2fa for the First Time
If you have never used 2fa, you will need to register and set it up. Follow the steps below to register and set up 2fa with a mobile device.
Step 1: Verify You're Ready to Register
Before you begin registration, make sure you have the following on hand:
- Your mobile device (smartphone or tablet) and a computer.
- Your Andrew userID and password.
- Your personal email address on file with the university.
Step 2: Download the DUO App (Smartphones and Tablets)
Step 3: Begin Registration
On your computer or other device:
- Visit 2fa.cmu.edu.
- Log in with your Andrew userID and password.
- Click Complete Your Enrollment.
- Look for the email link sent to your personal email address on file.
- Follow the prompts to proceed.
Step 4: Scan the QR Code with your Device
On your smartphone or tablet:
- Open DUO Mobile.
- Tap the plus (+).
- Hold your tablet or smartphone up to your computer to scan the QR code that was displayed in Step 3.
- Carnegie Mellon University will appear in the DUO app with the text DUO-PROTECTED.
Step 5: Enrollment Complete!
On your computer:
- A green checkmark will appear on your QR code.
- Click Continue. You will receive a message that your enrollment was successful!
Pro Tip: Before you leave the Two-Factor Authentication Self-Service Tool, add a secondary device to help ensure you don’t get locked out if you lose your primary device.
Use Your Registered Device with 2fa
Once you've registered a device for 2fa, you'll be prompted to approve your login whenever you attempt to access CMU systems or services. You should keep your registered device with you to use with 2fa.
Note: When you first authenticate, DUO automatically selects the most secure authentication method you have configured. If you want to authenticate using another option, click or tap Other options. DUO will use the method you choose for future login attempts.
Authentication Options
DUO Push
- The DUO mobile app will send a push notification to your mobile device.
- Tap Approve on your mobile device.
Touch ID
Use Touch ID on your MacBook Pro, MacBook Air, or Magic Keyboard with a Touch ID button.
Duo Mobile Passcode
- Open the DUO app on your mobile device.
- Find your Carnegie Mellon University account and click Show.
- Enter the passcode into the DUO prompt on your computer and click Verify.
Hard Token
- Press the button on the token to generate a one-time passcode.
- Enter the passcode into the DUO prompt on your computer.
- Click Verify.
Yubikey
Tap your U2F token (Yubikey) to send approval.
Enable Trusted Browser Sessions
After you authenticate, Duo will ask whether or not to trust your browser. If you choose to trust the browser, you can skip 2fa when you log in again with the same browser and device for the next 30 days.
To enable a trusted browser session:
- Log in to any service protected by CMU Web Login with your Andrew userID and password.
- Authenticate with Duo when prompted.
- Click or tap Yes, this is my device.
If you are using a shared device, click or tap No, other people use this device.
Update Your 2fa Device
When Should I Update?
Update your existing device for 2fa if you:
- Purchased a new smartphone with the same phone number.
- Have performed a factory reset on your phone and need to reconnect to 2fa.
How to Update Your 2fa Device
- Visit 2fa.cmu.edu.
- Log in with your Andrew userID and password.
- Click Manage Devices.
- Follow the prompts to complete the update.
Or, use Instant Restore to update registration.
Manage Your Devices
If you have already registered a primary device for 2fa, follow these steps to add a secondary device, manage device preferences, remove a device, or change a device name.
- Visit 2fa.cmu.edu.
- Log in with your Andrew userID and password.
- Click Manage Devices.
- Follow the prompts to add a new device or edit your existing devices.
Frequently Asked Questions
Review the topics below for answers to common questions related to 2fa.
I received a random 2fa notification?
If you receive a DUO 2fa push notification and you are not actively logging in to your account or an approved website that utilizes Single Sign-On (SSO), select Deny. You will then receive a "Was this a suspicious login?" prompt. Clicking Yes on this prompt sends a DUO Fraud alert to the Information Security Office.
You should immediately report the incident to iso-ir@andrew.cmu.edu or by phone at 412-268-2044 as someone could be attempting to compromise your account.
How do I register/setup my new smartphone for 2fa?
If you already registered to use 2fa and need to add a new smartphone, follow the instructions below. If this is your first time using 2fa, review Register to Use 2fa.
I have a new smartphone with the same phone number:
- Use DUO Restore.
Note: You may only use this option if you enabled iCloud Keychain on your old iOS device or Google Backup on your Android device.
- Review Update Your 2fa Device.
I have a new smartphone with a new phone number.
- If you have a secondary authentication method registered (tablet, TouchID, etc.), visit 2fa.cmu.edu and click Manage Devices to add your new phone.
- If you do not have a secondary authentication method registered, visit 2fa.cmu.edu and click Request a Bypass Code. After logging in with a bypass code, click Manage Devices to add your new phone.
I'm traveling internationally. What should I keep in mind?
- You may lose network access if you travel to another country, which may prevent you from receiving a DUO Push when authenticating. In this case, you can authenticate by generating a numeric passcode.
- If you get a new smartphone and/or new phone number, you may have to register your device in DUO.
I got locked out of 2fa. How can I get back in?
DUO will lock you out after several consecutive failed authentication attempts. You may see the following error messages:
- Account disabled: Your Duo account is disabled and cannot access this application. Please contact your IT help desk.
To reactivate your account:
- Visit 2fa.cmu.edu and log in.
- Click Request Unlock Link.
- Retrieve the unlock link from the personal email address you have on file.
- Log in to any DUO-protected service, like email, and authenticate using DUO.
If you don’t have a personal email address associated with your account, contact the Computing Services Help Center.
Can I still use 2fa if I do not have network access on my phone?
Can I use multiple devices with 2fa?
Yes! We encourage you to register multiple devices. To learn how, review Manage Your Devices.
Can I still use 2fa if I don't have a smartphone or tablet?
Yes!
- You will need a security key, a device that connects to DUO and provides a secure passcode for 2fa. Students, faculty, and staff can purchase any YubiKey 5 series or security key with NFC that supports FIDO2/WebAuthn.
- Faculty and staff can request a Hard Token from the Computing Services Help Center by emailing it-help@cmu.edu.
I forgot my 2fa device. How do I log in?
If you have forgotten your 2fa device, log in to 2fa.cmu.edu and select Request a Bypass Code. The bypass code will be emailed to the personal email address you have on file.
I need a bypass code.
Log in to 2fa.cmu.edu and select Request a Bypass Code. The bypass code will be emailed to the personal email address you have on file.
How do I register a Hard Token?
Faculty and staff can request a Hard Token from the Help Center. Once you receive your hard token:
- Visit 2fa.cmu.edu.
- Log in with your Andrew userID and password.
- Click Manage Devices.
- Follow the prompts to add a new device.
How do I register a Yubikey?
Students, faculty, and staff can purchase any YubiKey 5 series or security key with NFC that supports FIDO2/WebAuthn.
Once you have your Yubikey in hand:
- Visit 2fa.cmu.edu.
- Log in with your Andrew userID and password.
- Click Manage Devices.
- Follow the prompts to add a new device.
How do I re-sync my hardware token?
A hardware token may become "out of sync" if the button is pressed too many times and the generated passcodes aren't used. To fix this, enter 3 generated passcodes within 5 minutes.
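Why several consecutive passcodes bring a token back in sync, shown as an added example (not CMU's or Duo's code). It assumes the token is a counter-based HOTP device as described in RFC 4226; the window sizes and the TokenVerifier class are illustrative, and the 5-minute limit is not modeled.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: passcode for one counter value (one button press)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class TokenVerifier:
    """Server-side counter for one token. Window sizes are illustrative assumptions."""

    def __init__(self, secret: bytes, look_ahead: int = 3, resync_window: int = 50):
        self.secret, self.counter = secret, 0
        self.look_ahead, self.resync_window = look_ahead, resync_window

    def verify(self, code: str) -> bool:
        # Normal login: accept only codes a few presses ahead of the stored counter.
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # this code and all earlier ones are now dead
                return True
        return False

    def resync(self, codes: list[str]) -> bool:
        # Resync: search much further ahead, but demand consecutive codes so a
        # single guessed passcode cannot move the counter.
        if len(codes) < 3:
            return False
        for start in range(self.counter, self.counter + self.resync_window):
            if all(hmac.compare_digest(hotp(self.secret, start + i), code)
                   for i, code in enumerate(codes)):
                self.counter = start + len(codes)
                return True
        return False

def demo():
    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real token seed
    server = TokenVerifier(secret)
    presses = 7  # constructed scenario: button pressed 7 times, codes never used
    next_codes = [hotp(secret, presses + i) for i in range(3)]
    accepted_before = server.verify(next_codes[0])  # outside the look-ahead window
    resynced = server.resync(next_codes)            # three consecutive codes
    accepted_after = server.verify(hotp(secret, presses + 3))
    return accepted_before, resynced, accepted_after
```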
How do I stop DUO from prompting me every time I log in?
Enable a Trusted Browser Session the next time you use DUO.
Why am I not getting push notifications on my phone?
You may have lost your network connection. If so, you may still authenticate by generating a numeric passcode.
Alternatively, you may have disabled push notifications for DUO.
- Log in to 2fa.cmu.edu.
- Click Manage Devices.
- Verify Ask me to choose an authentication method is selected.
- If this still does not resolve the issue, check your mobile device settings below.
iOS
- Tap Settings > Notifications > DUO Mobile.
- Verify the Allow Notifications option is enabled.
Android
- Tap Settings > Apps & notifications > DUO Mobile.
- Verify that Notifications are set to On.
What if I lose my phone or it was stolen?
- Log in to 2fa.cmu.edu.
- Select Request a Bypass Code. The bypass code will be emailed to the personal email address you have on file.
- Use this bypass code to log in to 2fa.cmu.edu.
- Choose Manage Devices.
- Delete the lost device.
Will I use 2fa with all of my applications?
CMU uses the DUO Security app to support services using Single Sign-On (SSO) with CMU Web Login. Some examples of services that use CMU Web Login with 2fa include Box, LinkedIn Learning, Workday, SIO/S3, Sparcs, Google for Education apps, Canvas, and Zoom.
Can I opt out of 2fa?
All students, faculty, staff, alumni, and sponsored accounts must be enrolled in 2fa. You will not be able to opt out of this service.