How to Log in with 2FA
Once you’ve enrolled in 2FA, you’ll see an extra page when you’re logging in to certain web applications. First, you’ll enter your Tufts username (e.g. jjumbo01) and password. Then, the extra page will prompt you to verify your identity on the default device you previously enrolled in 2FA (e.g. your smart phone). If you do not have your default device available, the page gives you the option of selecting another device, as long as it was also previously enrolled in 2FA.
How often you are asked to verify your identity will vary, depending upon:
- The website you log into.
- Whether or not you’re using the “trusted browser” feature.
- Whether or not you use more than one computer and web browser. (The trusted browser feature must be specified for each computer and each browser you use to access 2FA-protected websites.)
- Your individual browser settings and whether or not you clear cookies.
Depending on your enrolled device(s), there are various methods available to verify your identity:
- Duo Push
- Phone call
- Hardware token passcode (Requires a passcode generated by a Duo hardware token. Passcodes generated by the Duo mobile application are NOT supported.)
- Security Key (YubiKey U2F Token)
The table below summarizes what verification options are available on different types of devices.
|Device Type||Verification Options||Supported Platforms|
||iOS, Android, Windows Mobile|
||iOS, Android, Windows Mobile|
- For convenience, consider using the "trusted browser" feature. When used, it will ensure that you do not need to verify your identity again on that device and browser for the next thirty days.
- If you are using a public computer, be sure to log out of the web application and exit the web browser when you are done!
Smartphones and tablets with the Duo Mobile application installed can use the Push option.
- When you are logging into a website and get to the Duo 2FA step, make sure that the Duo Push option is being used.
If the push option is not being used and you want to switch to it, click Other options then select the Duo Push method.
- On your smartphone or tablet, you should receive a notification from Duo Mobile of a login request. (Note: Make sure you allow the Duo Mobile application to send you notifications on your device.)
- Open the Duo Mobile app.
- Tap Approve.
Note: If you tap Deny, you will have the option to select whether it was a mistake or appears to be a fraudulent login attempt.
Note: Duo Verified Push is currently being tested by a small number of individuals before being rolled out to the rest of the University.
Verified Push requires a user to input a verification code on the Duo Mobile app when approving a login request, rather than simply tapping Approve or Deny. This is intended to reduce the number of login attempts from bad actors that are accidentally approved.
Verified Push will be available when logging in to Shibboleth-enabled web applications, like Box, Zoom, etc. Other applications that are not Shibboleth-enabled, such as the Tufts VPN, Windows servers, etc., will NOT use the Duo Verified Push and will instead continue to use the traditional simple push. (Note: As always, you can authenticate via other available methods (e.g. phone call) if you do not wish to use the push method.) To learn more, visit Duo’s Verified Push introduction page.
How to Use Duo Verified Push
- When you are logging in to a website and get to the Duo 2FA step, make sure that the Duo Push option is being used. If the push option is not being used and you want to switch to it, click Other options then select the Duo Push method.
- A numerical verification code will appear on your screen.
- At the same time, you should receive a push notification from the Duo Mobile app on your mobile device. Open the Duo Mobile app.
- Enter the code into the Duo app, then tap Verify.
Note: If you tap “I’m not logging in”, you will have the option to select whether it was a mistake or appears to be a fraudulent login attempt.
- As usual, you’ll have the option to have Duo remember your device for up to 30 days. You should NOT do this on devices you share with other people! (Note: This feature is dependent on your device, browser, and the service you are logging in to. Also, it is not available for certain services.)
Smartphones, mobile phones, and landlines can use the Phone call option.
- When you are logging into a website and get to the Duo 2FA step, make sure that the Phone call option is being used.
If the call option is not being used and you want to switch to it, click Other options then select the appropriate Phone call method.
- You should receive an automated call from Duo at the selected number. Answer the call.
- Press any key on the phone to complete identity verification.
Hardware token passcodes can be used for two-factor authentication when you don't have phone or internet service, such as when you are traveling abroad. Passcodes that are generated by the Duo mobile application are NOT supported. Only passcodes that have been generated by a Duo hardware token can be used. See below for more details.
Requesting a Hardware Token
If you don’t have a smart phone and all other device options are unavailable to you, you can acquire a hardware device (a “token”) whose sole purpose is to generate Duo passcodes. Please note that hardware tokens are distributed only when all other options have been exhausted. A cost to your department may be incurred. Please contact the TTS Service Desk at 617-627-3376 or email email@example.com to request a hardware token.
Using a Hardware Token
- When you are logging into a website and get to the Duo 2FA step, make sure that the Bypass code option is being used. If the Bypass code option is not being used and you want to switch to it, click Other options then select the Bypass code method.
- Press the button on your token to generate a new passcode.
- Enter the code in the passcode field.
- Click Verify.
Note: Tokens can get "out of sync" if the button is pressed too many times in a row and the generated passcodes aren't used for login. Contact the Service Desk if your token stops working.
- When you are logging into a website and get to the Duo 2FA step, make sure that the Security Key option is being used. If the Security Key option is not being used and you want to switch to it, click Other options then select the security key method.
- Insert your U2F token into your computer.
- When it starts flashing, tap the token.
- If necessary, click Continue.
When you use the “trusted browser” option during two-factor authentication, you will not need to verify your identity through 2FA for the next thirty days on the specific device and browser you are currently using.
- Do NOT use the trusted browser option if you are on a public/shared computer!
- You will not receive any kind of notice when the thirty days are up; you will just be prompted to authenticate again.
- If you have your web browser or machine set to remove cookies upon exit, the system will not retain the trusted browser option after exiting.
Using the Trusted Browser Feature
- Log into your work computer and open the browser (e.g. Chrome) that you use for work.
- Log into a Tufts website or service that requires 2FA (e.g. Box).
- After completing 2FA, a prompt will appear that asks if you want to trust this browser. Click “Yes, trust browser.”
- This device and browser combination will be trusted for up to 30 days. After the 30 days expire, you will be prompted to complete Duo 2FA once again. When you do this, make sure the box next to “Trust browser” is checked to continue trusting this device/browser.
Duo’s Append Mode can be used when logging in to applications that don’t support inline Duo prompts or secondary passcode fields. To use Append Mode, you enter both your Tufts password AND your desired authentication method, separated by a comma, as shown below, in the password field:
More information about how to use Append Mode with the authentication methods accepted by Tufts University is provided in the table below.
| Append Mode Function | Use to... |
|---|---|
| password,push | Push a login request to your phone. You must have the Duo Mobile app installed and activated on the device. |
| password,phone | Initiate an authentication call to your registered number. |
| password,passcode | Log in using a Duo passcode generated by a hardware token. |
If you have multiple devices registered with Duo, you can add a number to the end of the authentication method to indicate which device you’d like to use. For example, if you’d like Duo to send a push notification to your second phone, you would type “push2”.
Below are some examples of how Append Mode could be used, with “Tufts123!” used as an example password.
| If you'd like to... | Enter this into the password field... |
|---|---|
| Authenticate through a push notification to your SECOND registered phone | Tufts123!,push2 |
| Authenticate through a call to a phone you have registered with Duo | Tufts123!,phone |
| Authenticate with a bypass code (e.g. 123456) generated by your hardware token | Tufts123!,123456 |