First-time Enrollment in Duo

Enrollment is the process that registers you as a user in Duo with a device capable of performing two-factor authentication. Duo prompts you to enroll the first time you log into a protected VPN or web application when using a browser or client application that shows the interactive Duo web-based prompt. Follow the on-screen prompts to set up your Duo authentication device.

 

Instead of enrolling when you log in to an application, you might receive an email from your organization's Duo administrator with an enrollment link instead. This emailed link takes you directly to the Duo enrollment portal. You'll see either the Universal Prompt experience shown on this page or enrollment in the traditional Duo prompt depending on your organization's email enrollment configuration.

Step One: Introduction

Logging into a Duo-protected application enabled for self-enrollment takes you to the device management page to enroll. Click Next to learn why protecting your identity with two-step verification is important and begin the setup process.

Step Two: Choose Your Verification Method

Click the device type in the list that matches your desired authentication experience:

• Touch ID: Use the fingerprint sensor on Apple MacBooks and Magic Keyboards. Requires Chrome 70 or later.
• Duo Mobile: Approve Duo Push verification requests on iOS or Android devices, or generate a one-time passcode from the Duo Mobile app.
• Security key: Tap a WebAuthn/FIDO2 security key. Requires Chrome, Safari, Firefox, or Edge.
• Phone number: Receive a one-time passcode in an SMS message or approve a login attempt with a phone call from Duo.

Only your organization's Duo administrator or help desk can add hardware tokens and Yubikey OTP tokens for you. These verification options do not show up in the list of available options. Neither do any methods that your organization blocks from use; if your Duo administrator applied a policy that doesn't allow authentication with text messages or phone calls, the "Phone number" option will be missing when you enroll.

Duo recommends the most secure option of the methods available to you, so it's a good idea to set up that method first if you have a device that supports it.

Step Three: Add Your Chosen Method

Once you choose how to verify your identity, you will next complete the setup steps for that method.

Touch ID

In order to use Touch ID with Duo, make sure you have the following:

 

• A MacBook Pro, MacBook Air, or Apple Magic Keyboard with a Touch ID button.
• A fingerprint enrolled in Touch ID (see how to do this at the Apple Support site).
• Chrome 70 or later. Safari and other browsers on macOS are not supported.

 

1. Read the Touch ID information and click Continue.
   
2. Chrome prompts you to verify your identity on duosecurity.com.
   
3. Place your finger on the Touch ID button in the Touch Bar to complete Touch ID enrollment.
   
4. When you receive confirmation that you added Touch ID as a verification method click Continue.
   

You can now log in to Duo-protected applications that show the Duo prompt in a web browser using your fingerprint sensor.

If you have more than one MacBook with which you'd like to approve Duo login requests using Touch ID, you'll need to add each of them separately as a new Touch ID device in Duo. To do this, your organization must have enabled self-service device management.

Duo Mobile

Duo Mobile is an app that runs on iOS and Android phones and tablets. It's fast and easy to use, and doesn't require cell services. Duo pushes login requests to Duo Mobile when you have mobile data or wifi connectivity to the internet. When you have no data service, you can generate passcodes with Duo Mobile for logging in to applications.

The current version of Duo Mobile supports iOS 13.0 or greater and Android 8 or greater.

1. Select your country from the drop-down list and type your mobile phone number, and then click Add phone number.
   
   If you're going to use Duo Mobile on a tablet (like an iPad) with no phone service, don't enter a phone number and click I have a tablet instead.
2. If you entered a phone number, double-check that you entered it correctly and click Yes, it's correct to continue (or No, change it to go back and enter the number again).
   
   If the phone number you entered already exists in Duo as the authentication device for another user then you'll need to enter a code sent to that number by phone call or text message to confirm that you own it. Choose how you want to receive the code and enter it to complete verification and continue.
   
3. Download and install Duo Mobile on your phone or tablet from the Google Play Store or Apple App Store. Once you have Duo Mobile installed click Next.
   
4. Open the Duo Mobile app on your phone or tablet and add this account by scanning the QR code shown on-screen.
   
   If you aren't able to scan the QR code, tap Or email activation code and then enter your email address to send the activation link to yourself. Follow the instructions in the email to activate the new account in Duo Mobile.
5. When you receive confirmation that Duo Mobile was added click Continue.
   

You can now log in to Duo-protected applications with Duo Push or with a Duo Mobile passcode.

Security Key

A security key is an external device that when tapped or when the button is pressed sends a signed response back to Duo to validate your login. Duo uses the WebAuthn authentication standard to interact with your security keys. You may also see WebAuthn referred to as "FIDO2".

To use a security key with Duo, make sure you have the following:

 

• A supported security key. WebAuthn/FIDO2 security keys from Yubico or Feitian are good options. U2F-only security keys (like the Yubikey NEO-n) can't be used with the Universal Prompt.
• A supported browser: Chrome, Safari, Firefox, or Edge. Refer to the Universal Prompt browser support table for minimum browser versions with security key support in Duo.

 

1. Read the security key information and click Continue.
   
2. Your browser prompts you to tap your security key to use it with Duo (Chrome example shown).
   
3. When you receive confirmation that you added your security key as a verification method click Continue.
   

You can now log in to Duo-protected applications that show the Duo prompt in a web browser using your security key.

Phone for Call or Text

This option is suitable for mobile phones that can't run Duo Mobile, or office phones and landlines.

1. Select your country from the drop-down list and type your phone number, and then click Add phone number.
   
   If this phone number is a landline and can't receive text messages, select the This is a landline phone option before continuing.
2. If you opted to add a landline, you can enter the landline's extension on the next screen and click Add extension or click Skip this step if you do not need to enter an extension for your landline.
   
3. Verify that the phone number shown (and landline extension, if you entered one) is accurate and click Yes, it's correct to continue (or No, change it to go back and enter the number again).
   
   If the phone number you entered already exists in Duo as the authentication device for another user then you'll need to enter a code sent to that number by phone call or text message to confirm that you own it. Choose how you want to receive the code and enter it to complete verification and continue.
   
4. When you receive confirmation of adding the new mobile phone number for texts or calls, click Continue to login to log in to the application with a passcode received via text message or a phone call from Duo.
5. When you receive confirmation of adding the new phone number for text messaging, click Continue to log in to the application with a passcode received via text message or a phone call from Duo.
   
   If you added a landline phone number, click Continue to log in to the application with a phone call from Duo.
   

Step Four: Add a Backup Method

It's a good idea to add a second verification method that you can use as a backup if the first method you added isn't available to you at some point, like if you lose or forget your phone and need to log in with Duo, or if you want to access an application from a different MacBook than the one you used to set up Touch ID in Duo.

When you click Continue after registering your first verification method, Duo prompts you to add another one.

Choose any of the available methods and proceed through the steps for adding it. If you don't want to add another method at this time, click Skip for now.

After you add a second login verification method, or if you chose to skip it, you'll arrive at the end of the Duo setup process. Click Log in with Duo to log in to the application using the Duo method you just added.

Add or Manage Devices After Enrollment

If enabled by your administrator, you can add additional verification methods, manage your existing devices, or reactivate Duo Mobile for Duo Push from the Duo Universal Prompt.

When logging in to an application with the Universal Prompt, click the Other options link on the authentication page to view your list of available methods. If your organization enabled self-service device management then you'll see a Manage devices choice at the end of the list. Click that to enter the device management portal.

To access the device management you'll first need to verify your identity, just as you do when logging in to a service or application protected by Duo. Click on an available option to verify your identity. If you're visiting device management to delete or update a device you don't have anymore (such as a phone you lost or replaced), be sure to pick a verification option that you still have with you. If you don't have any devices you can use to authenticate to device management, contact your organization's Duo administrator or help desk.

After approving a Duo authentication request, you can see all your registered devices in the device management portal.

Add Another Device

To add a new method of verifying your identity in Duo, click Add a device and select one of the verification options.

Duo takes you through the steps of adding the new device, just like first-time enrollment. The difference between adding a new device from device management and during first-time enrollment is that when you have finished enrolling the new device you return to the device management page to view all your registered devices, including the new one, instead of continuing to log into an application.

Rename or Remove a Device

Click Edit and then Rename to give a device a new name to help you identify it. This new name shows up in the verification method list and on the authentication page when you log in with Duo to make it easier for you to identify which device you're using.

To delete a device, click Edit and then Remove. You'll be able to confirm that you want to remove this device before deleting it. Once deleted, a verification device can't be restored, but if you still have the device available you can add it again. You can't delete your only identity verification device.

Reactivate Duo Mobile for an Existing Device

If you have replaced the phone you activated for Duo Push, or if Duo Push stops working, you can get Duo Push working again without contacting your help desk. If your organization has self-service enabled then if a Duo Push authentication times out you'll see the I got a new phone link shown in the Universal Prompt. Click or tap that link to begin the reactivation process.

If you still use the same phone number as you did when you first set up the phone to use Duo Push, then click or tap the Text me a link button. When the text message with the link arrives on your phone, tap it to automatically reactivate Duo Mobile on your phone to use Duo Push again. If you don't have Duo Mobile installed be sure to install it before you try to open the activation link in the text message.

If you are using a different phone number than the one you first set up to use Duo Push then tap or click the I got a new number link.

If you have a new phone number then you can't send yourself a text message with a Duo Push reactivation link. Click or tap Continue to proceed to the Duo self-service device management portal, where you can complete the steps to add your new phone number and set up Duo Push on the new phone so you can use it to log in with Duo.

You'll still need to verify your identity with a different Duo verification method, so if you don't have one available you will need to contact your organization's help desk or Duo administrator for assistance.

You can also reactivate Duo Mobile for use with Duo Push on a new phone from the device portal if it uses the same phone number as when you set up the original phone in Duo.

1. Locate the existing phone in the device management portal and click the I have a new phone link.
2. Click Get started if your phone uses the same phone number as before. If you want to add a new phone with a different number, cancel reactivation and follow the process for adding a new device instead.
   
3. Verify that you have access to the phone by clicking Send me a passcode or Or call my phone to receive a passcode from Duo.
   
4. Enter the verification passcode you received in a text message or phone call and click Verify .
   
5. Install the Duo Mobile app on your new phone if you hadn't already done so, open it and tap Add to scan the QR code shown on-screen, continuing the same steps you completed when you originally set up Duo Mobile for Duo Push on your phone.
   
6. Click Continue when you've finished reactivating Duo Mobile on your new phone to return to the device management portal.

If your existing phone stops receiving Duo Push requests your Duo administrator or help desk might suggest that you try reactivating Duo Mobile on your phone with this process as a troubleshooting step.

Software Updates

The Universal Prompt includes software update checks.

Refer to the Duo Software Update page to learn about software notifications shown by Duo and how to update your software.

Duo Device Health

Duo Device Health is an application installed on your desktop or laptop that performs health checks whenever you access Duo protected applications through the Universal Prompt, ensuring that your computer meets the organization’s security requirements. This helps protect corporate data and make sure your computer is less vulnerable to compromise.

Refer to the Duo Device Health page to learn how to install Duo Device Health and address issues discovered by the app.

Personal Devices

Your organization may choose to block access to applications from devices not managed by the organization. The Universal Prompt will include device management checks in a future release. Until then, you will fall back to the traditional Duo Prompt for the managed device check and any notifications.

Refer to the traditional Duo Prompt page to learn about personal devices and Duo.

How to Get Help

If you can't authenticate or aren't sure what to do, contact your organization's Duo administrator or help desk for guidance. If you click Need help? at the bottom-left of the Universal Prompt your administrator may have customized the help text with further instructions or contact information. Please do not contact Duo Support directly, as Duo Support can only assist named Duo account administrators.