Duo Security is CMU's primary service for providing multi-factor authentication (MFA) when logging into online services. At a high level, MFA is a security process by which you use more than one factor when accessing an online account. One of those factors is your Global ID password. With Duo MFA, your mobile phone is most commonly used as the second factor. Just install the Duo Mobile app, and you will receive a prompt on your mobile phone that you can use to verify that you are the person accessing your account. CMU has implemented Duo because having MFA enabled on an account provides significant security benefits.
Known / Common Issues
- Clicking Enroll now logs you in but does not continue setup. While believed to be uncommon, certain network configurations on campus may result in you being prompted to enroll, but when you click the Enroll now button, it seems like nothing happens.If this does happen to you, please attempt to enroll when connected to a non-CMU network. One easy way to do this is to disable Wi-Fi on your phone and enroll using cellular data.
- Unable to log in after enrolling in MFA. If you complete the MFA enrollment process but find yourself unable to log in, try clearing your browser's cookies and cache. You can find specific instructions for your browser and OS combination online, but for most browsers, you can clear cookies and cache by pressing Ctrl + Shift + Del.
- Cannot setup MFA on an iPad. It is possible to setup Duo Mobile on an iPad, but you will first need to enroll with another device, such as a mobile phone. Once you have done so, you can add a secondary device on the Duo window when logging in. If you have multiple devices configured, either one can be used to confirm your login with Duo Mobile.
- Duo Mobile unavailable / incompatible with your device. If Duo Mobile isn't compatible with your device, you should first attempt to run a system update on your device. If no compatible version is available, you may be able to receive a hardware token you can use for MFA
- If you do not own a smartphone, you may be able to receive a hardware token you can use for MFA. Contact the Help Desk for further assistance
- Seeing You need to enable cookies in order to remember this device after selecting Remember me for 30 days. For Safari on macOS, the solution below should work.
- Go to Safari > Preferences
- Click the Privacy tab
- Disable the Block all cookies option
- Safari 13.1 and later: You must also disable the Prevent cross-site tracking option
Important Information, FAQs, and Caveats
- Answers to frequently asked questions (FAQs) can be found at the Multi-Factor Authentication (MFA) at CMU informational site: https://www.cmich.edu/offices-departments/office-information-technology/multi-factor-authentication-at-cmu/frequently-asked-questions
- PLEASE NOTE that there is a Google Duo app that will be listed when you search for Duo Mobile. They are NOT the same, so please search and make sure the app you choose matches the one on step 1 of How To Enroll below
- When confirming MFA, you can choose to apply it for 30 days. If you do, you will not receive further MFA prompts on that browser on that computer for 30 days. If you log in with a different browser, such as using Firefox instead of Chrome, you will need to confirm MFA again
- You will not receive an MFA prompt if you are on CMU's main Mt. Pleasant campus and connected to the network (Wi-Fi or wired). In this case, your location is considered a second factor because we know you're on campus
- Being connected by VPN is not considered a second factor, and you will still receive MFA prompts when connected to VPN
- The Virtual Lab is not considered to be an on-campus location for purposes of MFA, and you will still receive MFA prompts from within the Virtual Lab
- You should enroll in MFA as soon as reasonably convenient during your opt-in period. This can prevent disruption to your account access when the opt-in period is over
- Enrollment is easiest if you do all of the steps below on your mobile device, including the step where you log into CentralLink in your browser. Doing it this way eliminates some additional steps
- If you have enrolled in MFA and receive prompts when you have not tried to log in, you should change your Global ID password immediately
- If you needed to factory reset your phone for any reason and you previously had Duo on it, contact the Help Desk to get a new code issued to you through text
Getting Support
As always, you should direct any questions or technical problems to the OIT Help Desk.
- Lost phone
- Incorrect phone number on setup
- No cell phone
- Any other technical issues
How To Enroll and Activate Duo Mobile
Before you begin, we strongly recommend that you visit the app store on your mobile device and download the Duo Mobile app. This will make the handoff during step 9 seamless.
- Visit your phone's app store and download the Duo Mobile app. Yes, we're mentioning it twice in a row, but it really does simplify things
IMPORTANT: If you are on campus, disable Wi-Fi on your phone to disconnect from CMU's network.
- Open your phone's web browser and navigate to https://www.cmich.edu/centrallink
NOTE: You can do this from your computer's browser if you are off-campus, but it requires additional steps later.
- Log in with your Global ID and password
- A Duo Security window will replace the login box. Click the Enroll Now button
- Click the Start Setup button
- Choose the Mobile phone option and click Continue
- Enter your phone number, check the box, and click Continue
- Click the Take me to Duo Mobile button to open the Duo Mobile app and complete the setup in the app
NOTE: If you haven't downloaded the app already, you'll have to do it now, and you may need to redo some of the steps above.
NOTE: If you're on your computer, click the link to enroll with a QR code and resume setup in the Duo Mobile app on your phone. If you don't see the QR code, it could be that you are already enrolled, or that you selected Landline by accident.
- You are now enrolled and have the Duo Mobile app activated
Authenticating with Duo Mobile When Prompted
Now that you're enrolled in Duo Mobile, you will see a second screen after you log into CMU web services unless you are either on-campus or have chosen to remember your MFA for 30 days (and log in on the same computer and browser).
When you see this screen, you can simply click the Send Me a Push button. This will push the request to your phone, where you can press the on-screen prompt to accept your login. Depending on your device or how quickly you turn it on, you may need to open the Duo Mobile app directly and accept the prompt.
Using the Duo Mobile App
This is a high-level overview of the Duo Mobile app. For the most part, the setup process is a linear series of steps, and once it is activated, you only need to interact with Duo Mobile when you sign in and need to confirm MFA. Because the third-party app can be updated at any time, and because the app restricts taking screenshots until it has already been activated, please review Duo Security's documentation if the overview below isn't sufficient for you.
- To manually add an account to Duo Mobile, such as if you're enrolling from your computer and need to scan a QR code, just click the plus [ + ] button at the top
- You can go into the settings options to do things like enable screenshots temporarily, change your notifications settings, and toggle whether it sends usage data
Aside from that, the app is streamlined to do only one thing: Provide prompts for you to accept when you need to log in.