1. Enter username and password as usual
2. Use your personal device to verify your identity
3. Securely logged in

Get Started!


Check out the video below for a walkthrough of the enrollment process!



Helpful How-To’s



Sixty-five to ninety-five percent of all data breaches are related to compromised passwords. With Duo, someone who has your Net ID and password cannot log in to yor BYU accounts without your device or passcode. Anyone with a Net ID and password can sign up for Duo! You just need a second factor device: mobile phones (smart or analog), landlines (home or office), tablets, or hardware tokens.

Right now, Duo is only required to access BYU confidential information like direct deposit, or to make changes to personal information. This prevents hackers from seeing and changing things they shouldn’t. During Fall semester 2017, all employees, including student employees, will be required to use Duo.

Even though Duo is only required to access certain pages, once you are enrolled, it will protect all pages and you will be required to use it everytime you log in.

Enroll with at least one device.
Then return here to confirm enrollment. (Don’t forget this step! If you don’t confirm enrollment you won’t be able to access confidential information like direct deposit.)

Once you’re enrolled and confirmed, log in to a BYU website, and you will be prompted to authenticate with your second factor device. You can send a “Push” to a smart device. This sends a notification to the device that you accept. Or you can send a “Call” to your phone (smart, analag, or landline). Or you can enter a “Passcode.” For more information on passcodes, click here.

If you are logging in to your personal computer with a browser you use regularly, you can select “Remember me for 30 days” before authenticating. The browser will store the authentication cookies and you won’t have to authenticate again for 30 days (as long as you don’t clear the cookies).

If you have a question or concern, we have several ways that you can contact us. During business hours (9-5 p.m.), visit your Duo Access Coordinator. Coordinators have received training and tools to help “Prove it’s you” and troubleshoot problems.

For employees, Duo Access Coordinators are usually an HR/Payroll Manager, office manager, department secretary or CSR. For students, the ID Center (1057 WSC) acts as Duo Access Coordinator for in-person visits; BYU IT Support (801-422-4000) acts as Duo Access Coordinator over the phone. For a complete list of Duo Access Coordinators, click here.


Smartphones are great because you can generate a passcode without wifi or network service or you can get a push and approve it with the touch of a button. But, if you don’t have a smartphone or enough room for the app, other devices work great too: landlines (home, office), analog mobile phones (call or back-up codes), tablets, and tokens. Consider adding two or more devices so you’ll have options if something goes wrong with your default device.

To add, remove, reactivate, or change your default device, open an incognito browser and log in to a BYU website with your username and password. Once the Duo page comes up, click on “My Settings and Devices.” Then finish authenticating and make your changes. If you only have one device, you must add another device first, then remove the old device. To reactivate Duo on a new phone (same number) select “Device Options” and “Reactivate Duo Mobile.” You can receive a phone call to complete the authentication process before you reactivate Duo Mobile.

For help adding a U2F token, see FAQ 3. To add a Duo Token, take the token to the ID Center, 1057 WSC, or your department Duo Access Coordinator. Tokens can be purchased at the BYU Store.

More On Managing Your Devices ››

If you cannot use a “Push” or “Call,” use a “Passcode.” You can generate a passcode by touching the green key in the Duo Mobile app. You can also generate a passcode with a token, see FAQ 3 for more information. If you don’t have the app or a token, use one of the back-up codes you had texted to you when you enrolled in Duo.

If you don’t have any passcodes and you can get a text, text yourself 10 new passcodes. On the Duo authentication webpage, select “Enter a Passcode,” then “Text me new codes” at the bottom of the page. (Note: If the “Enter a Passcode” option is unavailable, either push “Cancel” in the blue banner, or add a cell phone to your account.)

If none of these options work, contact your Duo Access Coordinator.

U2F tokens and Duo tokens are available for purchase at the BYU Store Tech register. U2F tokens only work with Chrome browsers and require a USB port, but they populate the passcode box with a simple touch.

Duo tokens work with any browser and do not require a usb port. Duo tokens display a passcode at the touch of a button, but you must then type in the passcode.

To add a U2F token, log in to a BYU site in an incognito browser (ctrl+shift+n) and select “My Settings & Devices.” Authenticate, then click “Add another device.” Select “U2F token” and continue. Insert your U2F key into your computer, and when it flashes, touch the token button. Keep in mind, U2F keys only work with chrome browsers and require a USB port.

To add a Duo passcode token, purchase a token at the BYU Store Tech register and take it to your Duo Access Coordinator.

Duo is connected to BYU’s log-in screen (CAS), so you will need to authenticate every time you log in to a BYU website. However, if you select “Remember me for 30 days” on a personal device, your browser cookies will “remember you” and while you’ll still need to log in normally, you won’t need to manually authenticate with Duo for 30 days.

If you want Duo to remember you on multiple devices, you will need to push “Remember me for 30 days” on each device. “Remember me for 30 days” is unlikely to work on shared computers such as lab computers and classroom podium computers. Some public computers (especially in labs and classrooms) are automatically re-imaged every day or after sign out. Cookies that Duo uses to “remember you” on that computer automatically get deleted, and cannot “remember you.”

If you selected an automatic authentication method, you will have to push “Cancel” before you can check “Remember me for 30 days.” Once you’ve checked it, select an authentication method, and finish signing in.

We hope that you already have a list of passcodes stowed somewhere safe (backpack, car, wallet, etc.) that you can use if you don’t have your phone (passcodes can be texted to your phone and then saved for later use; they never expire until you use them or until you request a new set of 10). That way, you can just enter one of the passcodes and not have to do anything else to log in. We also encourage you to associate multiple devices with your account: mobile phone, landline (office or home), tablet, or token, so you aren’t reliant on only one method.

If you find yourself in a situation where you’ve forgotten your phone, don’t have any back-up passcodes stored, and haven’t associated a second device with your account, you can visit your Duo Access Coordinator in person. You can also check out a Duo passcode token for free from the ID Center (1057 WSC) for up to 2 weeks.

If you enter an incorrect passcode too many times, your account will be locked. This is a security measure that prevents hackers from guessing passcodes and getting into your account. If your account gets locked, you have two options. First, you can wait. After about five minutes, your account will automatically unlock itself, and you will be able to try logging in again. Second, you can visit your Duo Access Coordinator, explain the situation, and ask them to unlock your account.

For technical reference, you can also refer to:
Duo’s Guide to Two-Factor Authentication ››

Enroll in Two-step verification


 Have your phone or other device(s) on hand to start enrollment

This step works best on a computer, with a mobile phone or other device handy for enrollment. By clicking the “Sign up now” button, you will be asked to log in to BYU and then you will be presented with a screen that allows you to enroll your mobile phone or other device. Just enter your phone number (or skip if you have a tablet), and pick the kind of cell phone or tablet model you have (iPhone, Android, etc.).

By far, the easiest ways to sign in daily is to use the Duo Mobile app (plus “Remember Me”, which we’ll get to later). The mobile app is free, has a very small footprint, and gives you simple, free options: (1) press ‘accept’ on your phone from a “Duo Push”, or (2) generate a “Duo Mobile” passcode (6-digits), and enter it after your username and password to complete sign-in. (“Generate Duo Mobile passcode” requires NO wifi or mobile service). For this option, search for “Duo Mobile” and download the app with the square green icon with their logo on it.

The Duo Mobile App is NOT required. If you don’t have a smart phone or you don’t want to install Duo Mobile, no worries! You can register a tablet, landline, or generic cell phone instead! (See FAQs for more information, including other options.)

If you’re using Duo Mobile, just open the app and use your device’s camera to scan the QR code (that blocky sort of barcode) you are given to activate the account. (This step requires you to give Duo Mobile permission to access your phone’s camera, but it will only be used for this purpose.)

The default authentication method is “Ask me to choose…”. This option makes it easy for you to select “Remember Me” for 30 days the first time you log in on each browser/device combination you use (For example, Chrome on my Windows laptop or Safari on my iPhone). It also makes it easier to add multiple devices and get SMS Passcodes as backup login options when your main device is not available.
Please don’t change this unless you’re an advanced, tech-savvy user and/or if you’re assisted by someone who has been through this process before.

For experienced users, your personality and tech habits will dictate which settings you will want to select. Here are some additional options to choose from:

Unless you’re the type of person who deletes your web cache and cookies on a normal basis, you will probably want to select, “Ask me to choose an authentication method.” This will allow you to use multiple verification methods, including Duo Push (push a button on the Duo Mobile app), Phone Call (answer the phone and push any button), Enter Passcode (type in a 6- or 7-digit code), and Remember Me (don’t do anything; the app will remember your browser). For you, the log-in process will be like this: 1) Sign in with your Net ID and password, 2) Select a verification method, 3) Verify your identity through phone call, Duo push, or passcode. If you select the option “Remember me for 30 days,” the process will be even simpler: 1) Sign in with your Net ID and password. Selecting “Ask me to choose an authentication method” is by far the most common option.

“Automatically send me a Duo push” is a good choice for people who clear their cache and cookies a lot, know that they always want to receive a Duo Push, and want to save a couple extra seconds per log-in. For people who select “Automatically send me a Duo push,” the log-in process will be like this: 1) Sign in with your Net ID and password, 2) Open the Duo mobile app and push two buttons. Note: If you’ve chosen “Automatically send me a Duo push,” but would like to use one of the other methods (including “Remember me for 30 days,” “Call Me,” and “Enter a Passcode”), you can do so by pushing “Cancel” in the blue banner at the bottom of the Duo log-in page.

“Automatically call this device” is a good choice for people who clear their cache and cookies a lot, know that they always want to receive a phone call, and want to save a couple extra seconds per log-in. For people who select “Automatically call this device,” the log-in process will be like this: 1) Sign in with your Net ID and password, 2) Answer the phone and push any button. Note: If you’ve chosen “Automatically call this device,” but would like to use one of the other methods (including “Remember me for 30 days,” “Call Me,” and “Enter a Passcode”), you can do so by pushing “Cancel” in the blue banner at the bottom of the Duo log-in page.



Then make sure you RETURN HERE to confirm your enrollment

To get started, click the “Confirm enrollment” button below. A new tab will open, where you’ll be asked to log in with the device you just set up, and then select a method to confirm your enrollment.

Once you’ve clicked “Sign up now” and logged in using your Net ID and password, you will be asked to select one of the following verification methods: “See Me,” “Call Me,” “Email Me,” or “Text Me.” The menu is organized accordion-style. Click on any of the options to see more information. For some of the options, you will have to select a specific email address or phone number. Once you’ve finished choosing, click “OK.”

What you do for this step depends on the enrollment confirmation method that you selected. If you selected “See Me,” you will have to go in person and show your photo ID to your Duo access coordinator. If you selected “Call Me,” BYU will call you within 24 hours at the phone number you selected, and ask you some questions. If you selected “Email Me,” you will receive an email containing a code. You will then need to enter the code into a verification box. If you select “Text Me,” you will be texted a 10-digit code that you can enter to confirm your enrollment.

Confirm enrollment