Log in with 2FA
Overview
Once you’ve enrolled in 2FA, you’ll see an extra page when you’re logging in to certain web applications. First, you’ll enter your Tufts username (e.g. jjumbo01) and password. Then, the extra page will prompt you to verify your identity on the default device you previously enrolled in 2FA (e.g. your smart phone). If you do not have your default device available, the page gives you the option of selecting another device, as long as it was also previously enrolled in 2FA.
The frequency that you are asked to verify your identify will vary, depending upon:
- The website you log into.
- Whether or not you’re using the “trusted browser” feature.
- Whether or not you use more than one computer and web browser. (The trusted browser feature must be specified for each computer and each browser you use to access 2FA-protected websites.)
- Your individual browser settings and whether or not you clear cookies.
Depending on your enrolled device(s), there are various methods available to verify your identity:
- Duo Push
- Phone call
- Hardware token passcode (Requires a passcode generated by a Duo hardware token. Passcodes generated by the Duo mobile application are NOT supported.)
- Security Key (YubiKey U2F Token)
The table below summarizes what verification options are available on different types of devices.
Device Type | Verification Options | Supported Platforms |
---|---|---|
Smartphone |
|
iOS, Android, Windows Mobile |
Tablet |
|
iOS, Android, Windows Mobile |
Mobile phone |
|
All phones |
Landline |
|
All phones |
Notes
- For convenience, consider using the "trusted browser" feature. When used, it will ensure that you do not need to verify your identity again on that device and browser for the next thirty days.
- If you are using a public computer, be sure to log out of the web application and exit the web browser when you are done!
Mobile devices with the Duo Mobile app installed can be used to complete two-factor authentication via a push notification. There are two types of push notification:
- Verified Duo Push
- (Simple) Duo Push
- Only requires user to tap Approve when verifying a login request.
- Required when logging in to services that are not Shibboleth-enabled, such as the Tufts VPN, Windows servers, etc.
How to Use Verified Duo Push
- When you are logging in to a web service and get to the Duo 2FA step, make sure that the Duo Push option is being used. If the push option is not being used and you want to switch to it, click Other options then select the Duo Push method.
- A numerical verification code will appear on your screen.
- At the same time, you should receive a push notification from the Duo Mobile app on your mobile device. Open the Duo Mobile app.
- Enter the code into Duo app, then tap Verify.
Note: If you tap “I’m not logging in”, you will have the option to select whether it was a mistake or appears to be a fraudulent login attempt.
How to Use (Simple) Duo Push
- When you are logging into a web service and get to the Duo 2FA step, make sure that the Duo Push option is being used.
If the push option is not being used and you want to switch to it, click Other options then select the Duo Push method. - On your smartphone or tablet, you should receive a notification from Duo Mobile of a login request. (Note: Make sure you allow the Duo Mobile application to send you notifications on your device.)
- Open the Duo Mobile app.
- Tap Approve.
Note: If you tap Deny, you will have the option to select whether it was a mistake or appears to be a fraudulent login attempt.
Smartphones, mobile phones, and landlines can use the Phone call option.
- When you are logging into a website and get to the Duo 2FA step, make sure that the Phone call option is being used.
If the call option is not being used and you want to switch to it, click Other options then select the appropriate Phone call method. - You should receive an automated call from Duo at the selected number. Answer the call.
- Press 1 to approve and complete identity verification.
Note: If you receive an unsolicited verification request via phone call, press 9 to decline.
Hardware token passcodes can be used for two-factor authentication when a user doesn't have phone or internet service, such as when you are traveling abroad. Passcodes that are generated by the DUO mobile application are NOT supported. Only passcodes that have been generated by a DUO hardware token can be used. See below for more details.
Requesting a Hardware Token
If you don’t have a smart phone and all other device options are unavailable to you, you can acquire a hardware device (a “token”) whose sole purpose is to generate Duo passcodes. Please note that hardware tokens are distributed only when all other options have been exhausted. A cost to your department may be incurred. Please contact the TTS Service Desk at 617-627-3376 or email it@tufts.edu to request a hardware token.
Using a Hardware Token
- When you are logging into a website and get to the Duo 2FA step, make sure that the Bypass code option is being used. If the Bypass code option is not being used and you want to switch to it, click Other options then select the Bypass code method.
- Press the button on your token to generate a new passcode.
- Enter the code in the passcode field.
- Click Verify.
Note: Tokens can get "out of sync" if the button is pressed too many times in a row and the generated passcodes aren't used for login. Contact the Service Desk if your token stops working.
- When you are logging into a website and get to the Duo 2FA step, make sure that the Security Key option is being used. If the Security Key option is not being used and you want to switch to it, click Other options then select the security key method.
- Insert your U2F token into your computer
- When it starts flashing, tap the token.
- If necessary, click Continue.
When you use the “trusted device” option during two-factor authentication, you will not need to verify your identity through 2FA for the next thirty days on the specific device and browser you are currently using.
Notes:
- Do NOT use the trusted device option if you are on a public/shared computer!
- You will not receive any kind of notice when the thirty days are up, you will just be prompted to authenticate again.
- If you have your web browser or machine set to remove cookies upon exit, the system will not retain the trusted device option after exiting.
- Some applications or devices may not support the use of cookies. The trusted device option will not work when cookies are not supported.
Using the Trusted Device Feature
- Log into your work computer and open the browser (e.g. Chrome) that you use for work.
- Log into a Tufts website or service that requires 2FA (e.g. Box).
- After completing 2FA, a prompt will appear that asks if you are using your own device or a shared device. Click “Yes, this is my device.”
- This device and browser combination will be trusted for up to 30 days. After the 30 days expire, you will be prompted to complete Duo 2FA once again.
Duo’s Append Mode can be used when logging in to applications that don’t support inline Duo prompts or secondary passcode fields. To use Append Mode, you enter both your Tufts password AND your desired authentication method separated by comma, as shown below, in the password field:
password,authentication_method
More information about how to use append mode with authentication methods that are accepted by Tufts University are described in the table below.
Append Mode Function | Use to... |
password,push | Push a login request to your phone. You must have Duo Mobile app installed and activated on the device. |
password,phone | Initiate an authentication call to your registered number. |
password,passcode | Log in using a Duo passcode generated by a hardware token. |
If you have multiple devices registered with Duo, you can add a number to the end of the authentication method to indicate which device you’d like to use. For example, if you’d like Duo to send a push notification to your second phone, you would type “push2”.
Below are some examples of how Append Mode could be used, with “Tufts123!” used as an example password.
If you'd like to... | Enter this into the password field... |
Authenticate through a push notification to your SECOND registered phone | Tufts123!,push2 |
Authenticate through a call to a phone you have registered with Duo | Tufts123!,phone |
Authenticate with a bypass code (e.g. 123456) generated by your hardware token | Tufts123!,123456 |