MFA Installation and Troubleshooting FAQ

Common questions regarding Columbia's two-factor sign-in authentication, which protects systems with sensitive data

Also known as MFA, two-factor authentication, TFA and two-step verification.


FAQ: Installing and Using Duo

Full-featured Duo authentication ("Duo Push") requires a modern web browser with JavaScript enabled, and a smartphone or tablet with the Duo Mobile app installed. The browser must be a recent version of Chrome, Mozilla Firefox, Safari, Edge, Opera or Internet Explorer (IE). For IE, version 8 or later is required. Devices with the following mobile OS versions are fully supported: iPhone/iPad (iOS 8.0 and greater) and Android (4.0 and greater). BlackBerry (BlackBerry 10 and BBOS 4.5.0 and greater) and Windows Phone (8 and greater) are supported, with limitations. Minimal versions of Duo authentication based on SMS messaging ("Passcodes") and voice calls ("Call Me") are also available. These versions require a modern web browser but will work with any device that can send and receive text messages (for Passcodes) and any voice phone (for Call Me).

Android: launch the Play Store app. Tap the magnifying glass icon in the upper right and enter Duo Mobile. Choose the Duo Mobile app from Duo Security, Inc., (not Google Duo), download the app, install and accept app permissions.

Apple: launch the App Store app. Enter Duo Mobile and choose the Duo Mobile app from Duo Security, Inc. (not Google Duo). If you have not previously downloaded an app from the App Store, you will be required to enter your Apple ID and a credit card number, although you will not be charged for the Duo app. (This requirement comes from Apple, not Duo or Columbia University.) Download the app, install and accept app permissions.

BlackBerry: Sign in with your BlackBerry ID, download the Duo Mobile for BlackBerry 10 app from BlackBerry World and install.

Windows Phone: Log in to the Microsoft store, search for Duo Mobile, download the Duo Mobile app and install.

The first time you log into an MFA-protected resource via CAS, after entering your username and password, you will be presented with a screen asking you to enroll in Duo multifactor authentication.

Press the green Start setup button and follow the online instructions.  You will be asked to enter your phone number and device type.  If you want to use the mobile app, you'll need to download and install Duo Mobile on your device and scan a QR code by opening the Duo Mobile app, tapping the "+" button in the upper right, and holding the device so that the black and white QR code appears on the device screen.

(Scanning the QR code activates your device.  Be sure to answer Yes when you are asked to permit Duo Mobile to use your phone's camera since this is required for activation.)  If you want to authenticate via text message or landline call, you will have to confirm ownership of your device by entering a verification code that is delivered to you via phone call or text message. The whole process of enrolling in Duo and activating your device takes about 3 minutes.

Once you have activated your phone, the Duo Mobile app will present you with an Authentication Request, with 2 buttons, Approve and Deny.

Tap Approve to let the authentication proceed and continue to your destination. Tap Deny to halt the request. In some cases, the length of the enrollment process may cause your CAS login to time out, and you'll have to log in a second time.

Each time you log into an MFA-protected application or computer with your username and password, you may also be prompted by Duo to Approve or Deny the authentication request. If you are using the Duo Mobile app, tap Approve to let the authentication proceed and continue to your destination. Tap Deny to halt the request. To minimize the number of Push requests, see the instructions for using the Duo Remember me for 12 hours feature.

If you are already using Duo, you can wait until you actually need to access a Columbia MFA-protected resource and you'll be prompted to enroll at that time.  The enrollment process involves entering information about your phone in a web browser form and then verifying that the phone is in your possession with an activation code, which is delivered to your phone at enrollment time.

When you're authenticating to an MFA-protected service with CAS, click the Add a new device link in your web browser on the left hand side of the Duo authentication page.

(If you have set up Duo to automatically send you a Duo Push, you will first have to click the Cancel button to halt the Duo Push request.)  After authenticating with Duo using your first device, follow the online instructions to enter information about your second (or additional) device. Press Done to save your information and continue to your original destination.

Yes. Different services can share the same Duo Mobile app, landline phone or SMS-capable phone. If you're using the Duo Mobile app, each service you enroll in appears as a stripe labelled with the name of the service owner ("Columbia University", "New York Presbyterian", "Acme Industries", etc.). Note that passcodes are service-specific. To generate a passcode for a specific service, open the Duo Mobile app and tap the key icon to the right of the service name.

When you see the enrollment invitation asking you to "Protect Your Columbia University Account," click the Start setup button.

Next, select the Landline radio button on the "What type of device are you adding?" screen.

Enter the number of your landline or SMS-capable phone on the "Enter your phone number" screen, click the box labelled This is the correct number when you're done, and then click Continue.

Confirm your choices on the "My Settings and Devices" screen and ensure that Ask me to choose an authentication method is selected in the drop-down box labelled When I log in. This will allow you to use a passcode when your phone is not available. Depending on your screen, you may have to scroll down to see the drop-down box. Now click Continue to Login.

Choose Call Me and follow the instructions from Duo in your call to press a key on your phone to complete your login.

Probably not, unless you want to. Duo authentication is required for logins to CUIT-managed Linux and Windows servers but only for selected CAS logins. For CAS, you can set Duo to "remember" your authentication for 12 hours by checking the Remember me checkbox. If Remember me is checked, you will not be prompted to approve a Duo authentication for 12 hours after your first approval. If Remember me is not checked, your Duo authentication will remain valid for the duration of the CAS single sign-on session, which lasts for up to 60 minutes.

When you click on the Remember me for 12 hours box, Duo sets a cookie in your browser that tells Duo not to prompt you on authentications during the 12 hour period.  There are a few limitations.  Since the bypass is cookie-based, it is confined to a specific browser instance.  It is also confined to a single user account.  (If the same browser is used to log in with a different UNI, you will be prompted.)  If you use private windows and exit the browser or in some other way delete cookies, the Remember me setting will not be saved.

If you tap Deny to halt the authentication request, the Duo Mobile app will ask Why are you denying this request?  If you did not initiate the login, you can report a fraudulent login request by choosing It seems fraudulent. Otherwise, choose It was a mistake. If you accidentally Deny a Duo authentication request on a CAS login, you can return to the CAS login page by clicking click here to QUIT near the top of the page.

In addition to the resources that require Duo authentication, you can opt in to MFA for a group of CAS-protected services that are MFA-optional.  Just browse to the MFA self-service application and in the SELECT APPLICATIONS FOR MFA box, select Required + optional web applications. Then click UPDATE.

Certain people at Columbia who have access to sensitive data are required to use Duo and may not opt out. In addition, MFA is required for access to some high-value resources. However, if you've opted in to Duo, you can also opt out, and this will remove MFA for your UNI from the group of CAS-protected services that are MFA-optional. Just browse to the MFA self-service application and in the SELECT APPLICATIONS FOR MFA box, select Required web applications only. Then click UPDATE.

Reset your Duo account as described here.

A passcode is a numeric code that can substitute for Duo Mobile authentication when you don't have your phone or your phone does not have wifi or cell connectivity. Passcodes are good for a single use. You can pre-generate a list of 10 passcodes by logging into MFA Self-Service and choosing GENERATE PASSCODES. You can also get a single passcode by opening the Duo Mobile app and tapping the key icon in the bar labeled "Columbia University."  This app-generated passcode is good for 30 seconds. To use a passcode to authenticate in your web browser, type the numeric code in the box on the Duo authentication page labeled Enter a Passcode. (If you have set up Duo to automatically send you a Duo Push, you will first have to hit the Cancel button to halt the Duo Push request.)

You can use Duo with a landline phone or SMS-capable phone. See How do I enroll in Duo with a landline? for instructions. If you can't use either of these options, you can also use pre-generated passcodes without a registered phone, or passcodes generated by a hardware token.  Please call the CUIT Service Desk at 212-854-1919 for details about requesting either of these two options.

Yes. You can specify an international country code when enrolling in Duo. When you enter your device's phone number, you can change the country code with the drop-down menu directly above the box. If you are enrolling with a US phone number, you will not need to change anything because the US country code (+1) is selected by default.

FAQ: Troubleshooting the Duo App

Log into MFA Self-Service and choose DUO RESET. You will be prompted to enter your University ID Card Number (UCN). Once your Duo account has been reset, you will be able to re-enroll with a new device. But first, de-activate any phone(s) you have activated for Duo by removing your Columbia University account from the Duo Mobile app:

Android: open the Duo Mobile app and press the bar titled "Columbia University" for a few seconds. In the window that pops up, choose Remove Account.

Apple: open the Duo Mobile app, choose Edit and tap the minus sign, then tap Delete.

You can set up a backup MFA device during enrollment or afterwards by clicking the Add a new device link on the Duo web authentication page and configuring your authentication options. Then, if your primary device is unavailable or temporarily unusable, you can authenticate with your second, non-default device until you have your primary device back. You can also use pre-generated Passcodes.  If you don't already have a list of Passcodes, log into MFA Self-Service and choose GENERATE PASSCODES. You will be prompted to enter your University ID Card Number (UCN). Print out your Passcode list and keep it in a safe place.

See How do I reset my Duo Account?  Once your Duo account has been reset, you will be able to re-enroll with a new device.

You can still authenticate with Duo.  You can use a pre-generated Passcode or open the Duo Mobile app and generate a single Passcode by tapping the key icon in the bar labeled "Columbia University." See What is a Passcode and how do I use one? for more information.

This happens on some older browser versions and on Internet Explorer with compatibility view turned on. The Duo webpage requires a recent version of Chrome, Mozilla Firefox, Opera, Safari or Internet Explorer (IE). For IE, version 8 or later is required and compatibility view must be off.

This option is only available when you select Ask me to choose an authentication method either during enrollment or afterwards or if you Cancel the authentication request. To choose this option after you've already enrolled, click the blue Cancel button that appears in the lower right in your browser before you respond to the authentication request. You should now be able to select the Remember me for 12 hours checkbox. Now select an authentication method and continue with your request.

The behavior of the app is device-dependent and differs between Android and Apple (iOS) phones.

Android: Under most circumstances, if the phone is on, is able to receive messages, and the screen is active, the app will pop open for a Duo Push request. On the other hand, if the phone is on, able to receive messages, and the screen is inactive (dark), you should get an alert (a sound or vibration) and a message that you have received a Duo Login Request. Open the Duo app and Approve or Deny the request. See these detailed instructions from Duo for resolving this issue.

Apple: Apple phones don't allow this. If the phone is on and is able to receive messages, you should receive a message saying that a Duo authentication request is pending. You can tap the message or open the Duo app to Approve or Deny  the request.  Under some circumstances, some Apple devices do not display a message indicating that you have received a Duo Push Request. If this happens, open the Duo app and Approve or Deny the request. See these detailed instructions from Duo for resolving this issue.

The display of messages is device-dependent and differs between Android and Apple (iOS) devices. If Duo has sent a Push request to your mobile device but the message is not visible, swiping down on your home screen should display the request. Otherwise, you can tap open Duo Mobile and any pending authentication requests will display as bars near the top of the app. Here are detailed instructions for Android and detailed instructions for iOS for resolving the message display issue.

Try disconnecting from wifi and reconnecting. If your wifi network cannot connect to the internet, Duo Mobile Push notifications will not reach your device. This can happen even if your phone can still receive calls while connected to wifi (phone calls and data use different networks). If that doesn't help, try restarting your phone.

iOS 10 and the iPhone 6s/7 have introduced a feature called 3D Touch. If you have 3D Touch enabled on your device you will need to perform the hardest press action to make the Approve and Deny options appear. Once they are displayed, you can use TouchID or enter a passcode to approve the Push Authentication request. For additional details, please see the Duo documentation.

If all else fails, reset your Duo account as described. If you're using Duo Mobile, un-install and re-install the app, and restart your phone. The next time you authenticate to an MFA-protected service, you should be prompted to re-enroll in Duo.

FAQ: Duo for Windows RDP

Logins via RDP can be done with both UNI and non-UNI IDs. Use of a shared non-UNI ID with Duo multifactor authentication presents some complications, like ensuring the Duo authentication request is directed at the correct device (yours).

Enter your username and password at the RDP prompt as usual.  Following a successful username and password authentication, you will see the Duo authentication prompt:

Enter "push" and click OK to have a Duo Push authentication sent to your Duo Mobile app. You can also enter "phone" to request a phone callback authentication, enter a passcode value (the 6- or 8-digit number), or enter "sms" to receive a new batch of passcodes via SMS message.  If you have more than 1 device activated for your Duo account, you can also specify a number after the factor name, for example, "push2" to send the request to the second device.  See Duo's RDP documentation for further details.

  • If you are logging in with your UNI and you are already enrolled in Duo through CAS, you're all set.
  • If you are logging in with your UNI and you are not already enrolled in Duo through CAS, browse to MFA self-service, click on SETUP in the Duo MFA Setup box, and complete the enrollment process using the web browser-based workflow. You are now ready to authenticate with Duo for RDP.
  • If you are logging in with a non-UNI username, request a Duo enrollment link for the account through ServiceNow.

Yes, Duo RDP supports passcodes for authentication, as well as Duo Push and phone callback.

FAQ: Duo for Unix Logins

mfa.cc.columbia.edu

Duo MFA is being installed on a small number of jump hosts. Users are required to first log in to one of these jump hosts before connecting to a protected server.

A jump host or jump server is a computer that provides access to other computers that lie in a separate, less accessible zone. See this Wikipedia article for a summary. Configuring a small group of MFA-enabled jump hosts and forcing all access to go through them is a way to enforce MFA for a large group of hosts while limiting the number of MFA installations and user MFA challenges.

MFA is managed by the PAM authentication stack. On an MFA-protected jump host, PAM authentication is configured to require the use of Duo as well as the entry of a username and password. Authentication to one of the jump hosts using a Kerberos Ticket Granting Ticket or SSH key is not currently supported.
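
The policy described above (password plus Duo through PAM, with no SSH-key or Kerberos logins) can be checked mechanically on a jump host. The following is an added example, not Columbia's or Duo's own code: a shell audit that assumes OpenSSH's sshd_config syntax and Duo Unix's pam_duo.so module. The function names are hypothetical and the four configuration files are constructed samples.

```shell
# Added example, not Columbia's or Duo's code. Policy checked: every login must
# pass the PAM conversation (password, then Duo); no SSH-key or Kerberos path.

# First global value of an sshd_config keyword (sshd honours the first match and
# keywords are case-insensitive). Match blocks are not evaluated.
sshd_value() {  # $1 = sshd_config path, $2 = keyword
    awk -v key="$2" 'tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print tolower($0); exit }' "$1"
}

# Exit 0 only if the auth stack demands a password module and pam_duo.so.
# Plain control keywords only; @include lines and [...] controls are not followed.
pam_requires_duo() {  # $1 = PAM service file
    awk '$1 != "auth" { next }
        { ctl = $2; mod = $3; hard = (ctl == "required" || ctl == "requisite") }
        mod ~ /pam_unix\.so$/ && hard { pw = 1; next }
        mod ~ /pam_duo\.so$/ {
            if (hard) duo = 1
            else if (ctl == "sufficient" && pw) pending = 1  # needs pam_deny after it
            else bypass = 1
            next
        }
        mod ~ /pam_deny\.so$/ && hard { if (pending) duo = 1; exit }
        ctl == "sufficient" && !duo { bypass = 1 }  # may succeed without Duo
        END { exit !(pw && duo && !bypass) }' "$1"
}

audit_jump_host() {  # $1 = sshd_config, $2 = PAM file; returns 0 when compliant
    rc=0
    [ "$(sshd_value "$1" UsePAM)" = yes ] || { echo "FAIL: UsePAM is not yes"; rc=1; }
    methods=$(sshd_value "$1" AuthenticationMethods)
    [ -n "$methods" ] || { echo "FAIL: AuthenticationMethods is not set"; rc=1; }
    for m in $methods; do  # each word is one accepted combination of methods
        case $m in
            keyboard-interactive|keyboard-interactive:pam) ;;
            *) echo "FAIL: '$m' is not limited to the PAM conversation"; rc=1 ;;
        esac
    done
    pam_requires_duo "$2" || { echo "FAIL: PAM stack does not force password + Duo"; rc=1; }
    return "$rc"
}

write_samples() {  # $1 = directory; all four files are constructed samples
    printf '%s\n' 'UsePAM yes' 'KbdInteractiveAuthentication yes' \
        'AuthenticationMethods keyboard-interactive' > "$1/sshd_hardened"
    printf '%s\n' 'UsePAM yes' '#AuthenticationMethods keyboard-interactive' \
        'PubkeyAuthentication yes' > "$1/sshd_weak"
    printf '%s\n' 'auth requisite pam_unix.so try_first_pass' \
        'auth sufficient pam_duo.so' 'auth required pam_deny.so' > "$1/pam_hardened"
    printf '%s\n' 'auth sufficient pam_unix.so try_first_pass' \
        'auth sufficient pam_duo.so' 'auth required pam_deny.so' > "$1/pam_weak"
}

tmp=$(mktemp -d) && write_samples "$tmp"
for c in hardened weak; do
    echo "== $c"
    audit_jump_host "$tmp/sshd_$c" "$tmp/pam_$c" && echo "PASS"
done
rm -rf "$tmp"
```

On a live host, feed the audit the effective settings printed by `sshd -T` rather than the raw file, since this sketch does not evaluate Match blocks or included files.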

  • If you are logging in with your UNI and you are already enrolled in Duo through CAS, you're all set.
  • If you are logging in with your UNI and you are not already enrolled in Duo through CAS, browse to MFA self-service, click on SETUP in the Duo MFA Setup box, and complete the enrollment process using the web browser-based workflow. You are now ready to authenticate with Duo for Unix.
  • If you are logging in with a non-UNI username, request a Duo enrollment link for the account by submitting a ticket in ServiceNow.

After you have enrolled your user account with Duo as described above, authenticate as usual. After logging in with your username and password, you'll receive the Duo prompt which will look approximately like this:

Duo two factor login for de3

Enter a passcode or select one of the following options:

  1. Duo Push to XXX-XXX-0152
  2. Phone call to XXX-XXX-0152
  3. SMS passcodes to XXX-XXX-0152

Passcode or option (1-3):

Enter "1" to have a Duo Push authentication sent to your Duo Mobile app, enter "2" to request a phone callback authentication, enter a passcode value (the 6- or 8-digit number), or enter "3" to receive a new batch of passcodes via SMS message.  

Duo will use a single user account for all of the MFA-protected Unix jump hosts you log into with your UNI. If you log into Unix with multiple usernames, you’ll have to enroll each username separately.

Yes, Duo supports passcodes, Duo Push and phone callback for Unix authentication.