How to Log in with 2FA

Overview

Once you’ve enrolled in 2FA, you’ll see an extra page when you’re logging in to certain web applications.  First, you’ll enter your Tufts username (e.g. jjumbo01) and password.  Then, the extra page will prompt you to verify your identity on the default device you previously enrolled in 2FA (e.g. your smart phone).  If you do not have your default device available, the page gives you the option of selecting another device, as long as it was also previously enrolled in 2FA.

Login process. Tufts credentials plus Duo 2FA equals successful login!

 

The frequency that you are asked to verify your identify will vary, depending upon:

  • The website you log into.
  • Whether or not you’re using the “trusted browser” feature.
  • Whether or not you use more than one computer and web browser. (The trusted browser feature must be specified for each computer and each browser you use to access 2FA-protected websites.)
  • Your individual browser settings and whether or not you clear cookies.

Depending on your enrolled device(s), there are various methods available to verify your identity:

  • Duo Push
  • Phone call
  • Bypass code (Requires a passcode generated by a Duo hardware token. Passcodes generated by the Duo mobile application are NOT supported.)
  • Security Key (YubiKey U2F Token)

 

The table below summarizes what verification options are available on different types of devices.

Verification options available by device
Device Type Verification Options Supported Platforms
Smartphone
  • Duo Push
  • Phone call
iOS, Android, Windows Mobile
Tablet
  • Duo Push
iOS, Android, Windows Mobile
Mobile phone
  • Phone call
All phones
Landline
  • Phone call
All phones

 

Notes

  • For convenience, consider using the "trusted browser" feature. When used, it will ensure that you do not need to verify your identity again on that device and browser for the next thirty days.
  • If you are using a public computer, be sure to log out of the web application and exit the web browser when you are done!

Smartphones and tablets with the Duo Mobile application installed can use the Push option.

  1. When you are logging into a website and get to the Duo 2FA step, make sure that the Duo Push option is being used.Duo Push option
    If the push option is not being used and you want to switch to it, click Other options then select the Duo Push method.
    Selecting the Push option
  2. On your smartphone or tablet, you should receive a notification from Duo Mobile of a login request. (Note: Make sure you allow the Duo Mobile application to send you notifications on your device.)
  3. Open the Duo Mobile app.
  4. Tap Approve.

Note: If you tap Deny, you will have the option to select whether it was a mistake or appears to be a fraudulent login attempt.

Smartphones, mobile phones, and landlines can use the Phone call option.

  1. When you are logging into a website and get to the Duo 2FA step, make sure that the Phone call option is being used.Duo phone call option
    If the call option is not being used and you want to switch to it, click Other options then select the appropriate Phone call method.
    Selecting the call option
  2. You should receive an automated call from Duo at the selected number. Answer the call.
  3. Press any key on the phone to complete identity verification.

Bypass codes can be used for two-factor authentication when a user doesn't have phone or internet service, such as when you are traveling abroad. Passcodes that are generated by the DUO mobile application are NOT supported. Only passcodes that have been generated by a DUO hardware token can be used. See below for more details.

Duo hardware token

Requesting a Hardware Token

If you don’t have a smart phone and all other device options are unavailable to you, you can acquire a hardware device (a “token”) whose sole purpose is to generate Duo passcodes. Please note that hardware tokens are distributed only when all other options have been exhausted. A cost to your department may be incurred. Please contact the TTS Service Desk at 617-627-3376 or email it@tufts.edu to request a hardware token.

Using a Hardware Token

  1. When you are logging into a website and get to the Duo 2FA step, make sure that the Bypass code option is being used. If the Bypass code option is not being used and you want to switch to it, click Other options then select the Bypass code method.Selecting the bypass code options

     

  2. Press the button on your token to generate a new passcode.
  3. Enter the code in the passcode field.Entering bypass code
  4. Click Verify.

Note: Tokens can get "out of sync" if the button is pressed too many times in a row and the generated passcodes aren't used for login. Contact the Service Desk if your token stops working.

  1. When you are logging into a website and get to the Duo 2FA step, make sure that the Security Key option is being used. If the Security Key option is not being used and you want to switch to it, click Other options then select the security key method.Selecting security key
  2. Insert your U2F token into your computer
  3. When it starts flashing, tap the token.
  4. If necessary, click Continue.Duo security key option

When you use the “trusted browser” option during two-factor authentication, you will not need to verify your identity through 2FA for the next thirty days on the specific device and browser you are currently using. 

Notes:

  • Do NOT use the trusted browser option if you are on a public/shared computer!
  • You will not receive any kind of notice when the thirty days are up, you will just be prompted to authenticate again. 
  • If you have your web browser or machine set to remove cookies upon exit, the system will not retain the trusted browser option after exiting.
  • Some applications or devices may not be supported the use of cookies. The trusted browser option will not work when cookies are not supported.

Using the Trusted Browser Feature

  1. Log into your work computer and open the browser (e.g. Chrome) that you use for work.
  2. Log into a Tufts website or service that requires 2FA (e.g. Box).
  3. After completing 2FA, a prompt will appear that asks if you want to trust this browser. Click “Yes, trust browser.”Trusted browser prompt
  4. This device and browser combination will be trusted for up to 30 days. After the 30 days expire, you will be prompted to complete Duo 2FA once again. When you do this, make sure the box next to “Trust browser” is checked to continue trusted this device/browser.Trusted browser checkbox