Sixty-five to ninety-five percent of all data breaches are related to compromised passwords. With Duo, someone who has your Net ID and password cannot log in to yor BYU accounts without your device or passcode. Anyone with a Net ID and password can sign up for Duo! You just need a second factor device: mobile phones (smart or analog), landlines (home or office), tablets, or hardware tokens. Right now, Duo is only required to access BYU confidential information like direct deposit, or to make changes to personal information. This prevents hackers from seeing and changing things they shouldn't. During Fall semester 2017, all employees, including student employees, will be required to use Duo. Even though Duo is only required to access certain pages, once you are enrolled, it will protect all pages and you will be required to use it everytime you log in.

Enroll with at least one device. Then return here to confirm enrollment. (Don't forget this step! If you don't confirm enrollment you won't be able to access confidential information like direct deposit.) Once you're enrolled and confirmed, log in to a BYU website, and you will be prompted to authenticate with your second factor device. You can send a "Push" to a smart device. This sends a notification to the device that you accept. Or you can send a "Call" to your phone (smart, analag, or landline). Or you can enter a "Passcode." For more information on passcodes, click here. If you are logging in to your personal computer with a browser you use regularly, you can select "Remember me for 30 days" before authenticating. The browser will store the authentication cookies and you won't have to authenticate again for 30 days (as long as you don't clear the cookies).

If you have a question or concern, we have several ways that you can contact us. During business hours (9-5 p.m.), visit your Duo Access Coordinator. Coordinators have received training and tools to help "Prove it's you" and troubleshoot problems. For employees, Duo Access Coordinators are usually an HR/Payroll Manager, office manager, department secretary or CSR. For students, the ID Center (1057 WSC) acts as Duo Access Coordinator for in-person visits; BYU IT Support (801-422-4000) acts as Duo Access Coordinator over the phone. For a complete list of Duo Access Coordinators, click here.

Smartphones are great because you can generate a passcode without wifi or network service or you can get a push and approve it with the touch of a button. But, if you don't have a smartphone or enough room for the app, other devices work great too: landlines (home, office), analog mobile phones (text only), tablets, and tokens. Consider adding two or more devices so you'll have options if something goes wrong with your default device. To add, remove, reactivate, or change your default device, open an incognito browser and log in to a BYU website with your username and password. Once the Duo page comes up, click on "My Settings and Devices." Then finish authenticating and make your changes. If you only have one device, you must add another device first, then remove the old device. To reactivate Duo on a new phone (same number) select "Device Options" and "Reactivate Duo Mobile." You can receive a phone call to complete the authentication process before you reactivate Duo Mobile. For help adding a U2F token, see FAQ 3. To add a Duo Token, take the token to the ID Center, 1057 WSC, or your department Duo Access Coordinator. Tokens can be purchased at the BYU Store.
More On Managing Your Devices

If you cannot use a "Push" or "Call," use a "Passcode." You can generate a passcode by touching the green key in the Duo Mobile app. You can also generate a passcode with a token, see FAQ 3 for more information. If you don't have the app or a token, use one of the 10 SMS passcodes you had texted to you when you enrolled in Duo (remember that safe place that you stored them?). If you don't have any passcodes and you can get a text, text yourself 10 new passcodes. On the Duo authentication webpage, select "Enter a Passcode," then "Text me new codes" at the bottom of the page. (Note: If the "Enter a Passcode" option is unavailable, either push "Cancel" in the blue banner, or add a cell phone to your account.)

U2F tokens and Duo tokens are available for purchase at the BYU Store Tech register. U2F tokens only work with Chrome browsers and require a USB port, but they populate the passcode box with a simple touch. Duo tokens work with any browser and do not require a usb port. Duo tokens display a passcode at the touch of a button, but you must then type in the passcode. To add a U2F token, log in to a BYU site in an incognito browser (ctrl+shift+n) and select "My Settings & Devices." Authenticate, then click "Add another device." Select "U2F token" and continue. Insert your U2F key into your computer, and when it flashes, touch the token button. Keep in mind, U2F keys only work with chrome browsers and require a USB port. To add a Duo passcode token, purchase a token at the BYU Store Tech register and take it to your Duo Access Coordinator.

Duo is connected to BYU's log-in screen (CAS), so you will need to authenticate every time you log in to a BYU website. However, if you select "Remember me for 30 days" on a personal device, your browser cookies will "remember you" and while you'll still need to log in normally, you won't need to manually authenticate with Duo for 30 days. If you want Duo to remember you on multiple devices, you will need to push "Remember me for 30 days" on each device. "Remember me for 30 days" is unlikely to work on shared computers such as lab computers and classroom podium computers. Some public computers (especially in labs and classrooms) are automatically re-imaged every day or after sign out. Cookies that Duo uses to "remember you" on that computer automatically get deleted, and cannot "remember you." If you selected an automatic authentication method, you will have to push "Cancel" before you can check "Remember me for 30 days." Once you've checked it, select an authentication method, and finish signing in.

We hope that you already have a list of passcodes stowed somewhere safe (backpack, car, wallet, etc.) that you can use if you don't have your phone (passcodes can be texted to your phone and then saved for later use; they never expire until you use them or until you request a new set of 10). That way, you can just enter one of the passcodes and not have to do anything else to log in. We also encourage you to associate multiple devices with your account: mobile phone, landline (office or home), tablet, or token, so you aren't reliant on only one method. If you find yourself in a situation where you've forgotten your phone, don't have any back-up passcodes stored, and haven't associated a second device with your account, you can visit your Duo Access Coordinator in person. You can also check out a Duo passcode token for free from the ID Center (1057 WSC) for up to 2 weeks.

If you enter an incorrect passcode too many times, your account will be locked. This is a security measure that prevents hackers from guessing passcodes and getting into your account. If your account gets locked, you have two options. First, you can wait. After about five minutes, your account will automatically unlock itself, and you will be able to try logging in again. Second, you can visit your Duo Access Coordinator, explain the situation, and ask them to unlock your account.