What is two-factor authentication?

Two-factor authentication (2FA) leverages two separate methods of proving a user is who they claim to be. Anyone who has ever used a debit card to withdraw money from an ATM has used two-factor authentication. Sliding the debit card into the ATM provides the first factor of authentication: using something you have. Typing in your PIN provides the second factor of authentication: using something you know.

UAB is implementing a similar methodology for logging in to select applications and sites, such as uab.box.com. To access those select applications and sites, users will be required to type in their BlazerID and strong password (something you know) and then use Duo Mobile on a smartphone, tablet, cellphone, or token (something you have) to complete the login.

A number of different synonyms and acronyms exist for two-factor authentication, in addition to 2FA. Among the most popular that you might hear are:

  • Strong authentication
  • Multi-factor authentication (MFA)
  • Two-step authentication

Why is UAB adopting the use of 2FA?

Like many organizations today, UAB, its employees, and its students are prime targets for hackers, online criminal organizations, and bad actors in general. Providing this extra layer of security for access to select applications and sites enhances the level of security that UAB provides for all of its stakeholders.

In fact, a number of universities such as Harvard, Stanford, Yale, and Georgia Tech have begun using Duo Mobile 2FA. Outside of the academic arena, common examples of services and products that provide 2FA options include:

  • Many mobile and online banking applications
  • Popular email services, such as Gmail
  • Mobile phones (Android and iPhone, for example)
  • Social media sites, such as Facebook
  • Online commerce sites (PayPal and Amazon)

How does 2FA protect me?

Among the most valuable information that malicious actors can steal are our BlazerIDs and strong passwords. If a malicious actor steals those credentials, whether through a successful phishing attack or a password-reuse issue, they can impersonate you and access any accounts to which you have access.

That can open the door to serious issues, such as changing your direct deposit settings to someone else's bank account or corrupting, stealing, or destroying your research data. Using 2FA raises the bar required to successfully pull off such attacks.

Will 2FA be used to log in to all UAB applications and associated sites?

Not at this time. UAB will begin integrating Duo Mobile's 2FA capability soon. Duo 2FA is slated to be incorporated into the login process for select applications and sites during the 2018 fiscal year and beyond.

What's needed to use Duo Mobile and 2FA?

In general, four things are needed to use Duo Mobile and the 2FA process:

  • A Duo Mobile account
  • A mobile device, such as a smartphone or tablet
  • The Duo Mobile app installed on that smartphone or tablet
  • A cellular or Wi-Fi connection

If you do not have a smartphone that can run the Duo Mobile app, alternative methods for using Duo and 2FA are available. More information on using hard tokens and cellphones can be found later in this FAQ.

How do I get a Duo account?

As part of the University's initiative to expand our use of two-factor authentication, most University students, faculty, and staff are automatically enrolled in Duo, effective FY 2019. Users not required to use Duo are still welcome to opt in by visiting UAB's 2FA Sign-Up page.

What is the Duo Mobile app and what does it do?

Duo Mobile is an app that generates an out-of-band notification to users when they attempt to log in to sites or applications that require Duo 2FA. After typing in a BlazerID and strong password at such a site, Duo can be used on a mobile device to confirm that your login attempt is valid. By simply pushing a button on your mobile device or entering the PIN that Duo generated, you can confirm that your login is a legitimate session and gain access to the site or application.

If your mobile device, such as an older cell phone, does not support apps, Duo can send passcodes via SMS text that allow you to complete the 2FA process.

How do I get the Duo Mobile app?

Android users can download the Duo Mobile app from the Google Play store. Simply search for "Duo Mobile," which is provided by Duo Security. Apple users can download the Duo Mobile app from the App Store using the same search term. The app is free, so simply download and install it.

What devices can I use with Duo for 2FA?

  • Smartphones (iPhone, Android, Microsoft)
  • Tablets (iPad and Android)
  • Any phone capable of receiving a call
  • Mobile phones that can receive batches of Duo passcodes via text
  • Hard tokens (small devices that generate one-time PINs for Duo)

Do I need just one mobile device to use Duo for 2FA?

Yes, but it doesn't hurt to have more than one device enrolled. As long as you have an active Duo account and at least one enrolled mobile device, you can use that device to complete the 2FA process. However, a best practice is to enroll two devices and use one as a primary authentication device and the other as a backup. For example, if you have an iPhone and an iPad, you can install the Duo Mobile app on each and enroll them for use with your Duo account.

Use the iPhone as your primary device for 2FA authentication. If you lose your phone or it is stolen, you can still use your iPad for 2FA authentication until you purchase a new phone and enroll it. If you lose or break your phone, be sure to delete it from your account as soon as possible.

What if I want to add a new mobile phone or device to my Duo Mobile account?

If you already have enrolled a primary mobile device for use with your Duo account and want to add a second device, visit Adding a Device in Duo and Managing Settings for instructions on how to add another device.

How do I enroll my first authentication device?

If you have a Duo account and have never enrolled a mobile device, launch a browser on your computer and visit UAB's 2FA Sign-Up page. Click the "Manage Devices" button and log in with your BlazerID and strong password. Once authenticated, you will land on Duo's Start Setup page. Then visit one of the following guides for instructions on enrolling your device (skip steps 1 through 3 and start with step 4):

How do Duo and 2FA work?

Once a device is linked to your Duo Mobile account, that device can use multiple methods to help you log in to a site that requires Duo 2FA. The two most common ways are via a Duo Push or a randomly generated passcode. Duo Push is the recommended way to complete the 2FA process. Passcodes can also be generated via the Duo app or via text message. The Duo app is the best way to receive passcodes, but if you do not have a smartphone you can receive a passcode via text message. If you are unable to receive SMS messages or run the Duo app, you can also choose to receive a call to your enrolled telephone number.

How does Duo Push work?

When you log in from your computer to an application or site that requires Duo 2FA, you first enter your BlazerID and strong password as usual. You will then see a screen asking you to choose a Duo authentication method (usually Duo Push or Passcode).

When you click the "Send Me a Push" button on your computer screen, open the Duo Mobile app on your device and check for a request. A "Request waiting" banner will appear in the Duo app (sometimes you have to swipe down to make the banner appear). Tap the banner to pull up the confirmation screen. Tap the green "Accept" button to complete the login, or the red "Deny" button to decline and cancel the login.

If you click "Accept" and return to your computer screen, your login session will be completed. If you wait too long to choose "Accept" or "Deny," the Duo Push request will expire.

Note: If you receive a Duo Push notification and you are not trying to log in, do not tap "Accept." An unsolicited Push notification is likely a sign that your BlazerID credentials have been compromised and a malicious actor is trying to log in as you. Tap "Deny," then immediately visit BlazerID Central and change your strong password.

How does the Call Me feature work when authenticating?

The Duo Call Me feature allows users to complete part of their authentication by receiving a call on an enrolled device. Users with a landline or mobile phone enrolled in Duo's Call Me feature can click the "Call Me" button at the bottom of the Duo login screen, answer an automated call from a UAB telephone number, and press 1 on the phone's keypad to complete the login process. This feature is ideal for phones that cannot install the Duo app or receive SMS messages, and also works well as a backup method if another Duo-activated device is lost or stolen.

How do Passcodes work when authenticating?

When you log in from your computer to an application or site that requires Duo 2FA, you first enter your BlazerID and strong password as usual. You will then see a screen asking you to choose a Duo authentication method (usually Duo Push or Passcode).

When you click the "Enter a Passcode" button, go to your device, open the Duo Mobile app, and click the green key next to your UAB BlazerID account. The Duo app will generate a six-digit number. Return to your computer, type in the six-digit number, and press Enter. If the passcode is valid, your login session will be completed successfully.

If your device cannot run the Duo app, click "Enter a Passcode," then click "Text Me New Codes" to receive an SMS message with a six-digit Duo passcode. Enter that passcode into the Duo login box and press Enter to continue.

What if I receive an unexpected Duo login attempt notification on my mobile device?

That is a sign that your UAB credentials likely have been compromised and an attacker is trying to log in with your BlazerID. Tap the red "Deny" button in the Duo Mobile app. Since the attacker does not have access to your mobile device, they cannot complete the login via Duo and the attempt will fail. However, you should immediately visit BlazerID Central and change your strong password.

I don't have a smartphone. How can I use Duo and 2FA?

Users may enroll their landline or mobile phone to receive authentication calls via Duo's Call Me feature. During login, click the Call Me option when prompted. When you answer the call, press 1 on your phone's keypad to complete the login process.

Any mobile phone that can receive SMS text messages can work with Duo Mobile. Duo will send a batch of 10 passcodes via text, each of which can be used once to complete the 2FA sign-on. If you have a cell phone that can receive SMS text messages, visit the following page to learn how to enroll and use that device: Enrollment Guide for non-smartphones.

A hard token that generates PIN passcodes can also be used. To request a hard token, a user must first gain approval from their supervisor and then submit a ServiceNow ticket to AskIT. Please note that users requesting hard tokens cannot use UAB's Duo account creation and device enrollment process on UAB's 2FA Sign-Up page. Instead, hard token account requests will be handled by AskIT for account creation and token provisioning. For more on requesting a hard token, please visit UAB's two-factor token page.

Can I still use Duo Mobile for 2FA even if my smartphone or tablet can't get a signal or connect to the Internet?

Yes. When you log in from your computer to an application or site that requires Duo 2FA, you first enter your BlazerID and strong password as usual. You will then see a screen asking you to choose a Duo authentication method.

Click the "Enter a Passcode" button, go to your device, open the Duo Mobile app, and click the green key next to your UAB BlazerID account. The Duo app will generate a six-digit number. Return to your computer, type in the six-digit number, and press Enter. If the passcode is valid, your login session will be completed successfully.
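The two passcode answers above (the "Enter a Passcode" steps and the no-signal case) describe the app producing a six-digit number that the site then checks. The FAQ does not say how Duo computes its codes; the following is an added example, not Duo's code, showing the standard class of mechanism, a time-based one-time password (RFC 6238 TOTP built on RFC 4226 HOTP) together with the server-side check. It shows why the phone needs only its secret and its clock, so no cellular or Wi-Fi connection is required, and why the server refuses a code that has already been accepted, so a code someone else saw cannot be reused. The secret is the published RFC test-vector key; the user name, the class and function names and the skew window are constructed for the example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # length of one TOTP time step
DIGITS = 6          # six-digit passcodes, as in the FAQ

# Constructed demo secret (the RFC 4226/6238 test-vector key). A real
# authenticator app receives its own per-device secret during activation and
# never reveals it; the server keeps a copy to check codes against.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of steps since the Unix epoch.
    Only the secret and the clock are needed, which is why the app works with no signal."""
    return hotp(secret, int(at_time // step))


class PasscodeVerifier:
    """Server side. Accepts the code for the current step or one step either way
    (clock skew), and never accepts the same (user, step) twice, so a code that was
    observed by someone else cannot be replayed inside its 30-second window."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, skew: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.skew = skew
        self.consumed: set = set()  # (user, counter) pairs already used

    def verify(self, user: str, code: str, now: float) -> bool:
        current = int(now // self.step)
        for counter in range(current - self.skew, current + self.skew + 1):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if (user, counter) in self.consumed:
                    return False          # replay of an already-used code
                self.consumed.add((user, counter))
                return True
        return False                      # wrong code, or outside the accepted window


if __name__ == "__main__":
    import time
    now = time.time()
    code = totp(DEMO_SECRET, now)                 # what the phone would display
    verifier = PasscodeVerifier(DEMO_SECRET)
    print(code, verifier.verify("blazerid-demo", code, now))   # True on first use
    print(verifier.verify("blazerid-demo", code, now))         # False: already consumed
```

Running the block prints the current code and the result of checking it twice; the second check fails because the (user, step) pair has been consumed. The RFC test vectors make the arithmetic checkable by hand: with this key, counter 0 gives 755224 and Unix time 59 (step 1) gives 287082.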

What if my Duo-registered phone or device is lost or stolen?

If you have a second device enrolled for use with Duo Mobile, use it to complete the 2FA login process and access the Duo portal. Then select the "My Settings & Devices" link and follow the "Remove a device" instructions in the following document to delete the lost or stolen device from your account: Adding a Device in Duo and Managing Settings.

If you do not have a second enrolled device, contact AskIT and ask them to delete the lost or stolen device from your account.

What if I don't have a mobile phone that receives texts, a smartphone, or a tablet?

Users who cannot use the Duo Mobile app or SMS messaging may enroll a mobile or landline telephone for use with Duo's Call Me feature. With this method, Duo will call your enrolled phone number and advise you to press 1 on your keypad to authenticate.

A hard token that generates PIN passcodes can also be used. To request a hard token, a user must first gain approval from their supervisor and then submit a ServiceNow ticket to AskIT. Please note that users requesting hard tokens cannot use UAB's Duo account creation and device enrollment process on UAB's 2FA Sign-Up page. Instead, hard token account requests will be handled by AskIT for account creation and token provisioning. For more on requesting a hard token, please visit UAB's two-factor token page.

Do I have to complete the 2FA process every time?

You can if you like, but you don't have to receive a push notification, type in a passcode, or answer a call every single time you perform a Duo-enabled login. During the login process, when you choose an authentication method, a "Remember me" checkbox appears below the login choices. If you check that box, Duo will remember that you successfully logged in using 2FA from that particular device. During the defined "Remember me" period, Duo will not require 2FA from that particular device.

However, Duo is device-specific and browser-specific. That means you need to check the "Remember me for 30 days" box for each device and browser you use. For example, at 8 a.m. you log in from your desktop computer to a site protected with Duo and check the "Remember me" box. During the "Remember me" period, you will not have to repeat the 2FA process for that site while using your desktop. However, if at 10 a.m. you log in to that same site on a tablet, Duo will require you to complete the 2FA process because it is the first time it has seen you log in from the tablet.

You can check the "Remember me" box on your tablet as well, and Duo will then remember both devices. At that point, you will not have to repeat the 2FA process on either your desktop or tablet until the grace period expires.

Browser-specific works the same way. If you authenticate to uab.box.com using Firefox and check "Remember me for 30 days," Duo will remember you for 30 days in Firefox. If you then switch to Chrome, you will need to complete the 2FA process once in Chrome before it also remembers you for 30 days.

Does Duo 2FA work with the Box app on Apple and Android mobile devices?

Yes. The two-factor login process you use to log in to uab.box.com is the same when you use the Box app on a mobile device. Due to their larger screens, tablets are ideal for using the Box app with the Duo 2FA login process. UAB IT recommends using a tablet rather than a mobile phone when using the Box app with Duo 2FA.

Why doesn't the "Remember Me" feature seem to work for me?

Duo uses cookies to enable the "Remember Me" feature that exempts users from the 2FA process for a defined period of time. When a user opts in, Duo creates a cookie that remains on your computer and bypasses the 2FA process until the grace period expires. At that time, you are required to complete the 2FA process again and re-check the "Remember Me" box.
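The "Remember me" behaviour described in the two answers above (a cookie set after a successful 2FA, honoured only by the browser and device that received it, and expiring after the grace period) can be modelled with a signed, expiring cookie. The following is an added example, not Duo's implementation or the format of its cookie, illustrating why a second browser is prompted once even on the same computer, why a cleared or blocked cookie brings the prompt back, and why a cookie cannot simply be edited to extend the period. The signing key, user name and function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

REMEMBER_DAYS = 30
# Constructed server-side signing key; a real deployment keeps this in a secrets store.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 tag so the server can detect an altered payload (e.g. a moved expiry)."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_remember_cookie(user: str, issued_at: float, days: int = REMEMBER_DAYS) -> str:
    """Issued only after a second factor succeeded and the user ticked 'Remember me'.
    The value is set in the browser that made the request, so only that browser holds it."""
    payload = json.dumps({"user": user, "exp": issued_at + days * 86400}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def second_factor_required(user: str, cookie: Optional[str], now: float) -> bool:
    """Decide whether to show the Duo prompt. True when there is no cookie (new browser or
    device, cookies blocked or cleared), the signature does not verify (tampering), the
    cookie belongs to another user, or the grace period has expired."""
    if not cookie or "." not in cookie:
        return True
    body, sig = cookie.rsplit(".", 1)
    try:
        payload = base64.urlsafe_b64decode(body.encode())
    except ValueError:
        return True
    if not hmac.compare_digest(_sign(payload), sig):
        return True
    claims = json.loads(payload)
    return claims.get("user") != user or now >= claims["exp"]


def walk_through(user: str, t0: float) -> Dict[str, bool]:
    """Replays the FAQ scenario: each browser keeps its own cookie jar."""
    jars: Dict[str, Optional[str]] = {"firefox": None, "chrome": None}
    results: Dict[str, bool] = {}
    # 8 a.m.: first login in Firefox, prompt shown, user ticks Remember me.
    results["firefox_first"] = second_factor_required(user, jars["firefox"], t0)
    jars["firefox"] = issue_remember_cookie(user, t0)
    # Later the same day in Firefox: no prompt.
    results["firefox_later"] = second_factor_required(user, jars["firefox"], t0 + 2 * 3600)
    # Same site in Chrome: Chrome never received the cookie, so the prompt appears once.
    results["chrome_first"] = second_factor_required(user, jars["chrome"], t0 + 2 * 3600)
    jars["chrome"] = issue_remember_cookie(user, t0 + 2 * 3600)
    results["chrome_later"] = second_factor_required(user, jars["chrome"], t0 + 3 * 3600)
    # Day 31 in Firefox: grace period over, prompt again.
    results["firefox_day31"] = second_factor_required(user, jars["firefox"], t0 + 31 * 86400)
    return results


if __name__ == "__main__":
    for step, prompted in walk_through("blazerid-demo", 1_700_000_000.0).items():
        print(f"{step}: {'2FA prompt shown' if prompted else 'remembered, no prompt'}")
```

The walk-through mirrors the desktop/tablet and Firefox/Chrome cases in the FAQ: the only thing that makes a browser "remembered" is that it holds a valid cookie, so anything that removes or blocks the cookie (privacy settings, clearing data on exit, a different browser profile) brings the prompt back.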

If your web browser restricts cookies, does not accept them, or deletes them when you close the browser, Duo's "Remember Me" feature may not work. Check your browser settings and either accept cookies or create an exception for Duo. For information on how your browser manages cookies, visit the following pages:

This issue can also occur when using multiple devices and browsers with Duo 2FA. Please read the "Do I have to complete the 2FA process every time?" answer above to learn more about how specific devices and browsers affect the "Remember me" function.

Is Duo available for UAB Medicine employees?

Duo is available for use with your BlazerID for all UAB students, faculty, and staff.

UAB Medicine employees will continue to use RSA 2-factor authentication for healthcare software that requires it, but can sign up for a Duo account for applications that use BlazerID.

What if I get a new phone?

If you are a Duo user, UAB IT recommends that you enroll more than one device for use with two-factor authentication. If that is not possible and you recently bought a new phone to replace the one you previously used with Duo, please follow these instructions:

  • If you have a new phone with the same phone number, regardless of whether your phone's operating system is the same or different, follow these instructions.
  • If you have a new phone with a different phone number, or you change your phone number, contact AskIT at 205-996-5555.

What information will Duo collect about me?

Duo collects information required to log you into 2FA-protected applications, including your name, BlazerID, email address, and information about the device you enroll. More detailed information can be found on the Duo help site.

Why does the Duo Mobile app ask for permission to use my camera?

Duo Mobile requires camera permission when you set up your smartphone or tablet. It only uses your camera to scan the Quick Response (QR) code used for activation. After activation, Duo Mobile does not access your camera. You can remove this permission and Duo Mobile will continue to work.

How do I turn off Duo's access to my smartphone or tablet's camera?

For iPhone or iOS devices, go to Settings and then select Duo Mobile from the list. Toggle the "Camera" option to off.

For Android devices, go to Settings, then Application Manager, and select Duo Mobile from the list. Under "Permissions," toggle the "Camera" option to off.

Does installing the Duo Mobile app collect data or give up control of my phone?

No. Duo Mobile has no access to change settings on your phone. It cannot read your emails or view your web browsing history. Duo Mobile cannot wipe your phone or track your physical location.

The only information Duo Mobile collects is for the purpose of maintaining or troubleshooting the application. Collected data includes the hardware model, operating system version, and the version of Duo Mobile. The app also collects analytical data about how users perform actions within the app, such as selecting the passcode option or using Duo Push. Crash reports are also captured to help IT staff report reliability, stability, or performance issues to the vendor.

Overall, the only information collected within the Duo Mobile application is used to improve the user experience.

Can I turn off the limited information collected by the mobile app?

Yes. Within the Duo app, select the menu button in the upper right corner and deselect "Send Usage Data." After restarting the app, no performance telemetry will be captured.