FAQ - Two-factor Authentication with Duo

Brief description of the service and overview of purpose of Q&A


Do I need a smartphone to use Two-Factor Authentication (2FA)?

A smartphone is the recommended device since the Duo Mobile app provides the greatest level of security and flexibility. The app can receive push notifications for easy, one-tap authentication. Duo Security offers multiple other ways to authenticate with Duo. Besides a smartphone, you can use a tablet, USB security key, or printed backup codes.

What devices are supported by Duo Mobile?

The Duo Mobile App is available on iOS, Android, and Apple WatchOS.

Can I generate backup codes for when I don't have access to my devices?

It is highly recommended that you generate and print backup codes that you can use when you do not have access to your other devices, such as phone. Connect to https://accounts.lehigh.edu/duocodes/generate to generate and print these codes. Remember to store the codes in a safe location such as your wallet.

I have an Apple Watch. Will it work with Two-Factor Authentication (2FA)?

Yes, it will work for 2FA. You will need to have an iPhone enrolled in the service, and then follow the set up instructions from Duo Security.

How long do I have to enter my Duo security code or reply to a Push notification?

The Duo 2FA prompt will remain on-screen for one minute before returning you to the login prompt.

I seem to be locked out of the Two-Factor Authentication (2FA) service. What should I do?

A user is automatically locked out when there are 10 consecutive failed log in attempts. This could happen if you don't respond to multiple push notifications, or if you selected the wrong device (calling an office landline when at home), or automatic log-in attempts by a 2FA-protected system when a user isn’t expecting them.

Once you have been locked out, you can call the LTS Help Desk (610-758-4357) for assistance in unlocking the account.

What do I do if I get a Duo notification and I haven't attempted to log into any Lehigh system?

This could be an indication that your account has been compromised. The first thing to do is change your password by visiting the Password Change page. After changing your password, please notify us by calling or emailing the Help Desk.

How do I set up an older cell phone, or use a smartphone without the Duo app installed?

(This option will no longer be available for new enrollments Dec. 1 and will be unavailable for all accounts beginning March 4, 2024)

Duo will work with any cell phone that can receive text (SMS) messages. When adding a device in this mode, first choose "Phone number" and on the next screen enter the phone number. After confirming the phone number you will be returned to the main Devices menu.


Now that your phone has been added, whenever you see the Duo Authentication screen, you can select "Text message passcode" as your authentication option. A new code will be sent via SMS to your phone immediately, just take a look in your phone's text message app.

What do I do if I don’t have my mobile phone with me?

  1. It is highly recommended that you generate and print backup codes that you can use when you do not have access to your other devices, such as phone. Connect to https://accounts.lehigh.edu/duocodes/generate to generate and print these codes. Remember to store the codes in a safe location such as your wallet.
  2. You can use a USB Security Key, available from YubiKey and other vendors. Again, this must be set up in advance. We have tested the following options.
    1. USB-C
    2. USB-A

I will be getting a new phone soon. How can I make a smooth transition to a new phone?

Steps to take for setting up a new phone.

STEP 1. Before wiping your old phone, go to go.lehigh.edu/duobackup to print out a new set of one-time-use bypass codes to help with enrolling your new phone. You can use these codes at other times too – if you lose, break, or forget your phone, for example. Keep them in your wallet or purse!

STEP 2. Once you have the codes, download the Duo Mobile app on your new phone.

    1. Click to download Duo Mobile for Android 
    2. Click to download Duo Mobile for Apple devices

You can also search Duo mobile in the Playstore or Apple Store and look for this icon:  

STEP 3. Open a web browser and go to Duo Device Management.  You may need to authenticate with Duo using the "Bypass Code" option.


STEP 4. You will see your existing iPhone or Android phone in the list of devices.  

 

If your phone number will not change, choose "I have a new Phone" and follow the steps.  You can scan the QR code or have an activation link texted to you. 

If you have a new phone number, choose "Add a device" and follow the steps. 


Can I reuse a passcode?

No. Passcodes are only good for a single use.

How long are passcodes good for?

Passcodes never expire. They last until they are used, or until you generate a new set.

I clicked on the 30 day checkbox -- why do I keep getting prompted for 2FA?

The “remember me” option is tied to a particular browser on a device. So if you are using a different browser, or a different device to login, you will need to check the box again.

My phone was stolen, damaged, or lost. Now what?

Ideally, you will have other options for authenticating. Did you set up the app on another cell phone, tablet, set up a security key, or print out backup codes at go.lehigh.edu/duobackup ? If not call or email the Help Desk for assistance removing the device from your account.

I already have Duo setup at another institution, can I add Lehigh?

Yes! Duo supports multi-factor authentication across many institutions. To add Lehigh, simply visit your Duo Options page and proceed with the setup until you see the QR code. Open the Duo Mobile app on your phone and tap on the "+" sign in the upper right corner. Point your phone's camera at the QR code and Lehigh is added! That's all there is to it.

What data is stored by Duo Security?

The only data stored by Duo Security is the client's Lehigh user ID (Duo does NOT know your password) and information about your second factor, such as a phone number (if using a phone for the service) or the serial number of your Duo Token (if not using a phone for the service).

How do I add or remove 2FA devices and manage my Duo settings?

I use a landline for Two-Factor Authentication (2FA), and I’m going away for a week. Can I still use the service?

(This option will no longer be available for new enrollments Dec. 1 and will be unavailable for all accounts beginning March 4, 2024)

Yes, you can forward your enrolled phone to another number (or add the other number temporarily at the 2FA self-service portal).

Will Duo work while I’m traveling outside the U.S.?

Yes, Duo will work from pretty much anywhere you can access the Internet. We recommend that you have the Duo mobile app installed on your phone while traveling. If you’re planning to travel without your phone please print out backup codes or set up a security key. Please contact us if you need assistance.

I'm an international student/employee; how will Duo work for me?

The Duo app will work internationally as long as you have cellular data, and is recommended as a primary authentication method. Generating backup codes or set up a security key to have handy when your connection may not be available is also recommended. Duo might be unavailable is countries sanctioned by the United States due to export control regulations. Contact the Help Desk for assistance in changing your phone number, installing the app, or obtaining a one-time use backup code.

I will be using the Internet only at wifi hotspots and won’t have cell phone access while traveling, will Duo still work?

(The Duo mobile generated passcodes, SMS, phone callback option will no longer be available for new enrollments Dec. 1 and will be unavailable for all accounts beginning March 4, 2024)

Yes, Duo Mobile application can be used to generate passcodes on airplanes or in remote regions where Duo Push, SMS-delivered passcodes, phone callback or cellular service may be unavailable or difficult to use. Duo Push can use a Wi-Fi connection to function. If you can access the Internet from your mobile device, you can receive push notifications.

I’m an employee who will be retiring soon. Will I be required to use 2FA after I retire?

Yes, to meet current security requirements, beginning around January 1st, 2024 retirees will need to be enrolled in Duo to use their Lehigh accounts. 

Requested a push notification but did not receive one on iPhone?

Sometimes when prompted for re-authentication and the user selects push notification but did not receive one on iPhone. The Duo application icon was displayed on home screen with no indication of offloaded status. When icon was tapped, icon changed to superimposed standard iOS loading wheel. After loading was completed, push notification worked as normal. This may be a result of the application being considered as an "unused" application. Apple has not published the criteria on when it considers an app 'unused' but reports are common for apps unopened for as little as one week. In older devices that have 8 or 16gb of storage, this could be a common issue as those users are quickly faced with storage issues.

How do I resolve Duo Prompt display issues (white screen, no fields) related to iOS or macOS content restrictions?

Some versions of iOS and MacOS restrict screen access to apps, and Duo will only display the background box, not the data entry fields.  To correct this problem, please see the Duo documentation listed at: https://help.duo.com/s/article/3710?language=en_US

Mac version of Cisco AnyConnect does not allow setting the "30 Day" cookie in the Duo Authentication app

When Mac users connect to Lehigh's VPN server, they are prompted to enter their username and password, followed by a Duo 2FA screen. On the Duo screen there is a checkbox to "Remember me for 30 days" but it is greyed out with an error below, prompting the user to enable cookies in order to remember the device. Enabling cookies in Safari does not fix this error. This is a known bug with the Mac version of Cisco Anyconnect, and we are waiting on a fix from the manufacturer.



I'm using Chrome on my iPhone with cookies enabled, but it's still telling me to enable cookies to 'Remember me for 30 days'. How do I fix this?

On an iOS device, even with cookies enabled in your browser, you may need to enable cookies through your iPhone settings for Safari as well. Follow these steps to access your Safari settings and make sure 'Block All Cookies' is not enabled.


How do I change my default authentication method?

Your default authentication method is the last method you use. If you prefer a different default method, choose "Other Options" from the Duo menu and select your preferred method to make it the default method. For more information see https://help.duo.com/s/article/2236?language=en_US



For immediate help, contact the LTS Help Desk (Hours)
EWFM Library | Call: 610-758-4357 (8-HELP) | Text: 610-616-5910 | Chat | helpdesk@lehigh.edu
Submit a help request (login required)