Brief description of the service and overview of purpose of Q&A
A smartphone is the recommended device since the Duo Mobile app provides the greatest level of security and flexibility. The app generates passcodes for login (even without cellular connectivity) and can receive push notifications for easy, one-tap authentication. Duo Security offers multiple other ways to authenticate with Duo. Besides a smartphone, you can use an older cell phone, landline (such as your office or home phone), tablet, or security key.
The Duo Mobile App is available on iOS, Android, and Apple WatchOS.
It is highly recommended that you generate and print backup codes that you can use when you do not have access to your other devices, such as phone. Connect to https://accounts.lehigh.edu/duocodes/generate to generate and print these codes. Remember to store the codes in a safe location such as your wallet.
Yes, it will work for 2FA. You will need to have an iPhone enrolled in the service, and then follow the set up instructions from Duo Security.
The Duo 2FA prompt will remain on-screen for one minute before returning you to the login prompt.
A user is automatically locked out when there are 10 consecutive failed log in attempts. This could happen if you don't respond to multiple push notifications, or if you selected the wrong device (calling an office landline when at home), or automatic log-in attempts by a 2FA-protected system when a user isn’t expecting them.
Once you have been locked out, you will need to call the LTS Help Desk (610-758-4357) for assistance in unlocking the account.
This could be an indication that your account has been compromised. The first thing to do is change your password by visiting the Password Change page. After changing your password, please notify us by calling or emailing the Help Desk.
Duo will work with any cell phone that can receive text (SMS) messages. When adding a device in this mode, first choose "Mobile Phone," and on the next screen enter the phone number. After confirming the phone number, set the phone type as "Other (and cell phones)" and the mobile device will be added.
Now that your phone has been added, whenever you see the Duo Authentication screen, you can select your Mobile phone as the device to use. After choosing Mobile, click on the green "Enter a Passcode" button, then in the blue bar at the bottom, click on the link to "Text me new codes. Take a look in your phone's text message app. You should see new message with a list of five codes you can use one time each. Enter one of the codes in the box shown below, and you're in!
Two factor authentication will be required going forward. If you have extenuating circumstances that require a temporary bypass of 2FA, please contact firstname.lastname@example.org
Before wiping your old phone, you should print out a new set of one-time-use codes to help with enrolling your new phone. Once you have the print-out, download the Duo Mobile app on your new phone. Then open a web browser and go to the Duo Device Management page.
On the Device Management page, press the green "Enter a Passcode" button, and enter one of the codes you printed out.
You will see your existing iPhone or Android phone in the list of devices. Click the Device Options button next to your phone.
A Reactivate Duo Mobile button will appear below your phone.
Clicking on the button will show you a QR code. On your new phone, bring up the Duo Mobile app and tap the Add Account button. It will switch to your phone's camera. Point the camera at the QR code (2d bar code). Lehigh University will now appear in your Duo Mobile app. You're done!
No. Passcodes are only good for a single use.
Passcodes never expire. They last until they are used, or until you generate a new set.
The “remember me” option is tied to a particular browser on a device. So if you are using a different browser, or a different device to login, you will need to check the box again.
Call or email the Help Desk for assistance removing the device from your account.
Yes! Duo supports multi-factor authentication across many institutions. To add Lehigh, simply visit your Duo Options page and proceed with the setup until you see the QR code. Open the Duo Mobile app on your phone and tap on the "+" sign in the upper right corner. Point your phone's camera at the QR code and Lehigh is added! That's all there is to it.
The only data stored by Duo Security is the client's Lehigh user ID (Duo does NOT know your password) and information about your second factor, such as a phone number (if using a phone for the service) or the serial number of your Duo Token (if not using a phone for the service).
Visit www.lehigh.edu/account and follow the “Two-factor authentication with Duo” link. You will first need to authenticate with Duo, after which you will see the settings screen as pictured below.
Click the "+ Add another device" link, then choose the type of device you will be adding.
If you're adding your office phone, select Landline.
You will receive a confirmation call on that number. Answer the phone and press any key on the phone's number pad. This will confirm the device and finish the process. Repeat as necessary for additional phone numbers.
Yes, you can forward your enrolled phone to another number (or add the other number temporarily at the 2FA self-service portal).
Yes, Duo will work from pretty much anywhere you can access the Internet. We recommend that you have the Duo mobile app installed on your phone while traveling. If you’re planning to travel without your phone, please contact us in advance for assistance.
Yes, Duo Mobile application can be used to generate passcodes on airplanes or in remote regions where Duo Push, SMS-delivered passcodes, phone callback or cellular service may be unavailable or difficult to use. Duo Push can use a Wi-Fi connection to function. If you can access the Internet from your mobile device, you can receive push notifications.
When you leave Lehigh your staff affiliation will change to retiree, and as such, you will no longer be required to be enrolled in 2FA.
Sometimes when prompted for re-authentication and the user selects push notification but did not receive one on iPhone. The Duo application icon was displayed on home screen with no indication of offloaded status. When icon was tapped, icon changed to superimposed standard iOS loading wheel. After loading was completed, push notification worked as normal. This may be a result of the application being considered as an "unused" application. Apple has not published the criteria on when it considers an app 'unused' but reports are common for apps unopened for as little as one week. In older devices that have 8 or 16gb of storage, this could be a common issue as those users are quickly faced with storage issues.
When Mac users connect to Lehigh's VPN server, they are prompted to enter their username and password, followed by a Duo 2FA screen. On the Duo screen there is a checkbox to "Remember me for 30 days" but it is greyed out with an error below, prompting the user to enable cookies in order to remember the device. Enabling cookies in Safari does not fix this error. This is a known bug with the Mac version of Cisco Anyconnect, and we are waiting on a fix from the manufacturer.