Article - Duo Multi-Factor Authentica...

First Time Duo Setup

Category	Eligibility
Students	Once students enroll in classes, they will receive a message giving them 14 days to enroll in Duo
Employees	New employees will not be granted access to Duo until their official start day. There can sometimes be a delay in the system however that can prevent this process from beginning right away.
Excluded groups	Parents & Guardians - Delegate system (Enroll & Pay) does not require Duo enrollment for parent or guardians. Graduated Students Retired & Emeritus Staff

Please ensure your mobile device is compatible with Duo Mobile before proceeding with any of the steps below.

Supported Operating Systems
Operating System	Information
Android	https://help.duo.com/s/article/1872?language=en_US
iOS	https://help.duo.com/s/article/1871?language=en_US

To check your phone's operating system version, the

Android: The appearance and organization of the settings on an Android phone will vary depending on the manufacturer's operating system. The instructions below are a general guideline for how to find this information in two common types of Android devices. If you have a different device, the instructions should serve as a guideline as to where you may find your Operating System Version.
- Open the Settings application and navigate through the settings to find and open the About Phone category (if your phone offers a search option, you can search for this area by name). Scroll down and find Android version or Software information to find the operating system version.
iOS/ iPadOS:
- Open the Settings application and select General. Next select About and the look for the Software Version.

Once the system is ready for the you to enroll in Duo, you will be prompted to go through the process below to set it up. Once your duo account is setup you will no longer be able to sign in to KU Single Sign-On, VPN, or other KU services without using duo to complete your authentication request.

Login with your KU Online ID and password to Single Sign-On if prompted.
You should then see the Duo welcome screen below. Click Get Started.
Select the type of device that you are setting up to use with Duo. KU IT recommends using a cell phone with the Duo Mobile application, and the following instructions will proceed with steps on how to add a phone. The following options are also available for multifactor authentication:
- A cell phone without Duo Mobile and authenticate with phone calls or text message passcodes.
- A landline or cell phone to authenticate via phone call.
- A tablet with Duo mobile and an active Internet connection.
- If you have a security key device, you can follow the steps in the U2F panel later in this article to add it as your Duo device.
Enter your mobile phone number, and click Continue.
Check that you typed the number correctly. Then click Yes if it's correct, or No, I need to change it if you need to retype it.
Download the Duo Mobile application to your mobile phone through your device's application store (App Store on iOS devices or Playstore on Android devices). Once the app is installed, click Next.
Activate the phone by either scanning the QR code through the Duo Mobile application, or by sending an activation link by email.
- To activate using the QR code, open the Duo application on your phone and tap the (Add +) icon in the upper right. You will need to provide the Duo Mobile application permission to use your device's camera. Then, scan the QR code on the screen.
After adding the Duo account to the application, your screen should show this page. Click Continue.
Click I don't want to add more devices, unless you have a physical security key device that you'd also like to setup, and you can start that here (follow steps in U2F panel of this article).
Click Log in with Duo to login to the KU website you started at.

You will now be prompted to authenticate with Duo authentication whenever you sign into your KU account. Single sign-on has the option Remember Me for 30 Days, so that you only have to use Duo once every 30 days in that particular browser. When connecting to the VPN, you will need to use Duo authentication every time.

International Travel & Phone Number Support

International Travel

Users who are traveling aboard to a country where Duo is restricted will not be able to access KU resources until they leave the restricted country. You can see a list of countries posted here.

https://help.duo.com/s/article/7544?language=en_US

Adding International Phone Number to Duo

This article assumes you have a device already enrolled with Duo and you have it handy to authenticate with.

If you have previously selected the This is my device option, you must clear cache and cookies, use an Incognito/Private browsing.

Login with your KU Online ID and password to Single Sign-On if prompted
On the Duo screen, click Other Options rather than performing your Duo authentication.
Click Manage devices at the bottom.
Authenticate with Duo using your existing device.
- After successfully authenticating with Duo, you'll be redirected to your Duo devices page
Select Add a device.
Select Phone number.
Select your country's code from the scrollable drop-down on the left, and then enter your phone number in the text field to the right.
After setting your appropriate country code and phone number, click "Continue" to add the number.

Authenticate with Duo

Push - This will send a notification to your phone. You can approve the push directly from your notification window or you can open the Duo Mobile application to approve the push.
Passcode - This method is applicable for both the Duo Mobile application and the Duo Hardware token. Type the passcode from your device in the Passcode field. Do not include any spaces when typing the passcode; the spaces between numbers in the application and on the token are only for readability.
- When using a token, press the button on your Duo hardware token to retrieve a code. You will need to click "Verify" before the countdown indicator on the token (located to the left of the first number on the token screen) reaches the bottom. Once the countdown is complete, the token screen goes blank, and the code retrieved is no longer valid.
- When using the Duo mobile application, open the Duo application on your phone and tap the KU account to view your passcode.
Text Message - Passcode - This method initiates the sending of a text message to the default phone on your account. Open your text message to view the passcode. Enter the passcode from the text message in the Passcode field. then click Verify.
- Note: This is a one-time use passcode and will only be valid for 30 minutes.
Phone Call - This method initiates a phone call to the default phone on your account. Answer the call coming from Duo. Listen to the voice message and click the number that the message indicates is for approval.

Reactivate Duo Mobile - Self Service

If you have upgraded/replaced your phone that you were using with Duo but have the same phone number, you can activate Duo Mobile on the new device with the following steps. The process below details how to connect your phone if you have a new phone with the same phone number as your previous Duo device. If your phone number has changed, contact the KU IT Customer Service at itcsc@ku.edu or 785-864-8080 for assistance.

This article assumes you have a device already enrolled with Duo and you have it handy to authenticate with.

If you have previously selected the This is my device option, you must clear cache and cookies, use an Incognito/Private browsing window.

Login with your KU Online ID and password to Single Sign-On if prompted.
On the Duo screen, click More Options rather than performing your Duo authentication.
Click Manage devices at the bottom.
Authenticate with Duo using your existing device. You must use text message passcode or phone call to authenticate at this step.
- After successfully authenticating with Duo, you'll be redirected to your Duo devices page
Click I have a new phone under your previous Duo device. If you didn't have a previous Duo device, or if your new phone uses a different number than your current Duo device listed on the device page, please follow the steps in the Enroll Additional Devices in Duo panel of this article to add the new device.
Click Get Started.
Download the Duo Mobile application on your new phone, and click Next.
Activate the new phone by either scanning the QR code through the Duo Mobile application, or by sending an activation link by email.

Enroll Additional Devices in Duo

This article assumes you have a device already enrolled with Duo and you have it handy to authenticate with.

If you have previously selected the This is my device option, you must clear cache and cookies, use an Incognito/Private browsing window

Login with your KU Online ID and password to Single Sign-On if prompted.
Click Other Options instead.
Click Manage devices at the bottom.
Authenticate with Duo using your existing device.
- After successfully authenticating with Duo, you'll be redirected to your Duo devices page
Select Add a device.
Select what type of device you are adding and follow the prompts. See the appropriate panel within this article for further steps on adding your device.
- For steps on adding an international phone, see International Travel & Phone Number Support panel above.

Setup U2F Device with Duo

KU IT has enabled Universal Second Factor (U2F) device support for KU applications protected by Duo Multifactor Authentication (MFA). This means if you own a U2F device (e.g., Yubikey or iCloud Keychain), you can register it as another option for MFA. Instructions for setting up a U2F device are below.Yubikeys and other U2F devices are supported as a “best-effort” or “bring-your-own” service. Additionally, U2F devices cannot be used with the KU Anywhere VPN service. <-- Vet for accuracy as VPN moved to SSO

Your U2F device will be associated with your account only it cannot be shared with other users. It works on any computer where you log in with your username and password.

Note: You must use a Chromium-based web browser to add or use U2F devices. If your browser is not compatible, the choice will be unavailable.

This article assumes you have a device already enrolled with Duo and you have it handy to authenticate with.

If you have previously selected the This is my device option, you must clear cache and cookies, use an Incognito/Private browsing window.

Login with your KU Online ID and password to Single Sign-On if prompted.
On the Duo screen, click "More Options" rather than performing your Duo authentication.
Click Manage devices at the bottom.
Authenticate with Duo using your existing device.
- After successfully authenticating with Duo, you'll be redirected to your Duo devices page
Select Add a device.
Select the Security key option.
Click Continue.
Windows Security will prompt you to setup the key. Select an option then Click Next. If Security key is selected, go to Step 10
If iPhone, iPad or Android device is selected, scan the QR code with your device.
If Security Key is selected, insert your U2F device into a USB port on your computer. It should flash when inserted. If the device does not flash, remove it from the USB port and re-insert it.
- Note: It is best practice to pinch the USB device carefully from the top and bottom to avoid damaging the USB device or port.
Place your finger on the U2F device's flashing key icon when prompted by this popup below. This should register as an accepted authentication.
Click Continue, and you should now see the security key added to your Duo devices page.
The next time you login to a KU website, it should automatically request authentication using the U2F device. When prompted, insert the U2F device and touch the blinking key to authenticate Duo. This will let you login.

Using Duo Mobile with Multiple KU Accounts

Users with multiple KU accounts, such as an admin account (also called "underscore A," due to the format for the username being j123h456_a), will need to use Duo authentication for both accounts. While you can use the same phone number and devices across multiple accounts, you will need to log in to KU single sign-on (SSO) individually for every account you are required to use Duo with, in order to start the enrollment process for that account, including any admin accounts.The instructions and screenshots below assume that the secondary account is an admin account, but they are applicable to any account that uses SSO and Duo authentication.

Setting Up Your Account

Admin accounts must begin the process by signing in to MyIdentity and then clicking on "View Profile".

Like with your initial enrollment (see "First Time Duo Setup" panel above for details on how to process through enrollment, if needed), you will not be able to set up Duo with your admin account until it has been added to the multifactor authentication group. Once you're active in that group, the Duo enrollment will start automatically once you sign in.

If you are using the same phone number to enroll in Duo with both your admin account and your main KU account, enrollment may deviate after you enter your phone number. Instead of being asked to scan the phone number, you will be prompted to verify your phone number.

Click Call Me or Text Me to get a six-digit verification code. The screenshots below detail using the text message option.
Check your text messages or answer the phone call to get the six-digit code.
Type in the code.
Click Verify.
Select Continue.

This will complete the enrollment process and connect your phone number to your admin account.

Managing Multiple Accounts in Duo Mobile Application

Generally, you shouldn't need to interact with the account via the Duo Mobile application if you're using push notifications; once approved, the login process continues. However, if you want to use a mobile passcode you may open up the account and note that both accounts have the same name: "KU." This may not be the case if you set your accounts up in Duo Mobile after the UI change in October 2021; with that change, users were prompted to set up their accounts with a custom name.

As a solution, you can rename the accounts to distinguish between the two. The process is the same on Android and iOS devices, with minor differences in the UI.

Click the three dots located in the upper right corner of the account card.
Select Rename.
Enter the new name for your Duo account. This name will only impact the device you're on; it doesn't change the account name on other Duo devices you may have connected to your KU account.
Click Save.

Viewing Push Notification Details

To view the details of a push notification to see where it comes from, click the notification as it comes in. You can also view these details by opening the Duo Mobile application — when a request is pending, you'll see the full request automatically, or by clicking "(1) Login request waiting" at the top of the application.

Push details will include:

Whether the push came from SSO (called CAS in the screenshot below) or the KU Anywhere VPN.
The account used to send the push notification.
The IP address and location of the request.
The date and time of the login request.

Ordering Hardware Token

Duo tokens are available to KU students, faculty and staff. Token's can be picked up on campus at Anschutz Library Room 201. You will need to bring a government issued photo ID with you.

Updating...

Duo Multi-Factor Authentication - Setup and Device Management

First Time Duo Setup

International Travel & Phone Number Support

Authenticate with Duo

Reactivate Duo Mobile - Self Service

Enroll Additional Devices in Duo

Setup U2F Device with Duo

Using Duo Mobile with Multiple KU Accounts

Setting Up Your Account

Managing Multiple Accounts in Duo Mobile Application

Viewing Push Notification Details

Ordering Hardware Token

Related Articles (1)

Deleting...