2FA Frequently Asked Questions

[General Questions]
[Enrollment Process]
[Using 2FA with Your Smartphone]
[Duo Tokens]
[Using 2FA when Traveling Internationally]

General Questions

All Andrews University employees (faculty, staff and student employees) are required to enroll in and use 2FA to access Andrews web-based resources beginning with:
Once you are enrolled in Duo, you will need to use the 2FA service whenever attempting to log in to any Andrews University system that has been configured to use 2FA.

2FA is mandatory for all Andrews faculty, staff and student employees.

You will need to use a device, like a smartphone or tablet, registered with Duo whenever you log into 2FA-protected Andrews services (in addition to using your Andrews username and password).
See Using 2FA with Duo
If your Duo-registered device is lost or stolen, contact either your ITS building technician or ITS Helpdesk immediately and report the lost or stolen device. ITS may assist you to remove the enrolled device from the Duo 2FA service.

Remember: Your Andrews username and password (first-factor) will continue to protect your Andrews account even if your device is lost.

Smartphone users: The Duo Mobile app includes a feature called Duo Restore. This functionality, available on all Duo editions, enables Android and iOS Duo Mobile users to back up their Duo-protected accounts and recover them when they get a new device. See Duo's Guide to the Duo Restore feature for Duo Mobile account recovery
The only data that Duo Security stores is the user's Andrews username (Duo does NOT know your Andrews password) and information about your second-factor device, such as a phone number (if using a phone for the service) or the serial number of your tablet or Duo token (if not using a phone for the service).
Yes. If you’re using a smartphone for 2FA, then the Duo Mobile app can integrate with third-party accounts. See Duo’s Third-Party Accounts page for more information.
Microsoft is officially marking Internet Explorer versions 8, 9, and 10 as “end-of-life,” meaning any further updates, including important security patches, will also end. IE 8, 9, and 10 are also not compatible with 2FA’s self-service portal. Microsoft’s official recommendation is to upgrade to IE 11, or Microsoft’s Edge Browser, the successor to Internet Explorer. You may also use a different browser (other than IE) to authenticate and manage devices.
A user lockout occurs whenever 6 consecutive attempts to log in via Duo fail. The lockout will expire after a period of time.
Here are some suggestions on how to prevent this from happening:
  1. Make sure the Duo Mobile app is open: A user lockout sometimes happens when the Duo Mobile app receives multiple attempts to authenticate that are not responded to. Make sure that you have your Duo Mobile app open and that you approve the "Duo Push" notification when you request authentication. This is to reduce the number of unanswered push notifications.
  2. Log out of your computer: In rare cases, some 2FA-protected Andrews University systems or services may be configured to attempt to log in automatically. If this happens when you’re not expecting it and you do not wish to authenticate to that service, it could result in 6 consecutive failed attempts to authenticate, resulting in a lockout. Closing the web browser or logging out of your computer should prevent this from happening.
  3. Authenticate to an enrolled and available device: Persistent attempts to authenticate to an inactive or incorrect device can cause a lockout. Make sure that you’re attempting to authenticate to a properly enrolled device that is currently available to you.
Contact the ITS Helpdesk or visit the ITS Service Desk if you have been locked out of Duo.
If you are certain that you did not attempt to log in to a 2FA-protected system, then you are most likely experiencing a fraudulent attempt to access your account:
  1. Reject the notification on your mobile device by selecting Deny and confirm why you are denying the notification. The Andrews University ITS system administrators will be notified to investigate further.
  2. Change your Andrews password immediately.
  3. Contact the ITS Helpdesk for additional assistance.
An unrequested authentication attempt might be an indication of fraudulent activity on your account, or it could be an Andrews University 2FA-protected system configured to automatically log in.

If the unrequested authentication attempt is an automatic login attempt—for instance, you left your computer logged in overnight, and a system is attempting to log in—then this could lead to multiple, unanswered login attempts and a user lockout of Duo. For information on how to prevent lockouts, see How Do I Prevent Being Locked Out of 2FA?

When you leave Andrews University—retirement or termination—you may no longer be required to be enrolled in Duo 2FA. However, as a retiree, you may still have access to—and therefore the need to log in to—an Andrews University 2FA-protected system. This includes retired faculty who have been granted emeritus status.
Security Checkup for Android and iOS devices empowers users to improve and maintain the security of their mobile device. It also provides a friendly list of common security options that are being checked by Duo, and whether their mobile device adheres to them. If there are any issues, easy-to-follow instructions on how to fix them are presented. For more information, see Mobile Device Security Made Easy with Duo’s Security Checkup.

Enrollment Process

Yes, it will work with 2FA.
Duo Security supports login requests and passcode generation from an Apple Watch. You will need to have an iPhone enrolled in the service first, and then follow the setup instructions from Duo Security.
You can manage enrolled devices by signing in to a 2FA-protected Andrews system and then following the steps found at Managing Devices in Duo.

For more information on enrollment, see How to Enroll in Two-Factor Authentication and Enrollment Tips.
No. If you are no longer employed at Andrews University, you will be automatically unenrolled from 2FA. For more information on enrollment, see How to Enroll in Two-Factor Authentication and Enrollment Tips.

Using 2FA with Your Smartphone

A smartphone is the recommended device since it provides the greatest level of security and allows you to use the Duo Mobile app. The app can receive push notifications for easy, one-tap authentication and can generate passcodes for login (even without cellular connectivity).
If you do not have a smartphone, contact the ITS Helpdesk or visit the ITS Service Desk.
If you have a new smartphone with the same phone number, the Duo Mobile app will need to be re-activated in order for the app to work with the new phone. In other words, you will not be able to generate push notifications or passcodes through the app until the app has been re-activated.  See Adding a New Device in Duo.

To re-activate the app, follow the re-activation instructions described in I’m trying to log in to 2FA on my phone, but it tells me I can’t. What should I do?

See also Duo's Guide to the Duo Restore feature for Duo Mobile account recovery
Yes. You can enroll a tablet if you have one.  If you do not own a smartphone or a tablet, other options are available.
Contact your ITS building technician or the ITS Helpdesk for assistance.
No. International numbers cannot be enrolled at this time.
Using Two-Factor Authentication (2FA) on your phone or tablet is perfectly safe. A smartphone or a tablet are the recommended devices to use because an app is available.
All Andrews University employees (faculty, staff, or student employees) are required to enroll in and use 2FA to access Andrews web-based resources.
You can set up Two-Factor Authentication (2FA) on multiple devices (like mobile phones & tablets). Best practice is one (1) phone and one (1) secondary device such as a tablet in case there are any problems with the primary device (battery dies, device is lost, stolen or accidentally left at home, etc.).
No. Each person would need to enroll a unique device or devices at andrews.edu/duo to associate with their own Andrews username.
Using 2FA via the Duo app does not cost anything beyond what your standard data rate may be.  Less data is used than when an email is received on your phone.
Yes, you can change to a different phone with a different number. Go to one of the 2FA-protected Andrews services and authenticate using an enrolled active device. You will be able to enroll your new device by selecting “Add New Device” and following the instructions. You may then remove the old devices. For more information, see Add Additional Devices in Duo and Manage Devices in Duo.
The Duo Mobile app does not access your other apps or other data on your phone; it uses some base functionality of the phone and a certificate that identifies your phone to ensure accurate identification.
In cases where cell coverage is not available, use the Duo Mobile app (smartphone & tablets only) to generate a passcode to use as your second factor. That’s one of the advantages of the Duo Mobile app; no cellular (or Internet) coverage is needed to generate a passcode.

Duo Tokens

A Duo token is a piece of hardware (about the size of a USB stick) needed when a person is not using a smartphone or tablet for two-factor authentication. Please note that using a Duo app on a smartphone or tablet is still the preferred way to use 2FA for a number of reasons, including greater security and having one fewer “thing” to keep track of. Therefore, only in limited cases will a Duo Token be used.
No one is required to have a Duo token. In fact, most people will not want, or need, a Duo Token because using a smartphone or tablet is the easiest way to use Andrews University's two-factor authentication (2FA) service. Only in special cases when a smartphone and tablet cannot be used should a Duo token be used.
A Duo token generates a random series of numbers each time the token is used. These numbers are entered as part of the authentication process to prove that you have the token, adding a second layer of security to your Andrews username and password. See How to Use a Duo Token.
At this time, departments may purchase a token for their eligible faculty and staff.
Duo token purchases are dependent upon the rules of the department. Each department has its own procedure on purchasing and providing the Duo tokens. To purchase a Duo token, see How Do I Purchase a Duo token?
Duo tokens used with Andrews University's two-factor authentication are priced at $25 per token and may be charged to a department IDC.
Departments may contact their ITS Building Technician or the ITS Helpdesk and arrange to have a Duo token issued.  Once issued, the tokens are not returnable.
If the correct Duo token is not working, contact your ITS building technician or the ITS Helpdesk.
Signs that a Duo token needs to be replaced may include:
  • Battery is completely dead.
  • Some or no numbers are displaying when the button on the Duo token is pressed.
  • Button does not display a passcode when pressed or does not release when pressed.

Using 2FA when Traveling Internationally

It’s up to the user to know and understand the implications of using his/her cell service while abroad (cost to use the phone abroad, cellular service availability where traveling, etc.). If the user is satisfied with those conditions and is planning to use his/her device normally while traveling, then using the device as the second-factor will not change. If using a smartphone, then an enrolled user can simply use the Duo Mobile app to generate a passcode each time authentication is needed regardless of the implications of using a cellular service abroad or whether there is any Internet connectivity. Use the passcode as your second factor.

For those who will not be able to use their mobile devices while traveling, another option is the purchase of a Duo hardware token before leaving. Duo Tokens are available upon request.  Allow enough time for the purchase to be completed and the Duo Token to be delivered to ensure that the token is available when needed. Contact your ITS building technician or the ITS Helpdesk for assistance.

Please be mindful of restrictions on travel to certain countries. It is important to verify whether connecting to University resources or using University devices is recommended/approved from certain destinations prior to travel.
If you have two devices registered (which is recommended), then you can remove the lost or stolen phone by signing in to a 2FA-protected Andrews system, then add a replacement device at that time (or at a later time). See Adding a New Device in Duo.
No. International numbers cannot be enrolled at this time.


As long as you have more than one device enrolled (which is encouraged), you can simply sign in to a 2FA-protected Andrews service. From there, you can remove the damaged device and add a new device. If the damaged device is your only enrolled device, then contact the ITS Helpdesk for assistance.
Selecting “Remember me for 1 day” will allow you to bypass Duo authentication for a period of 1 day (24 hours). This applies to one (1) computer, IP address and web browser. You will still be prompted to authenticate to Duo if you open another web browser or you use another computer.
Certain Windows platforms are not supported by Duo Security so they will not work with the Duo Mobile app, specifically the desktop versions of Windows operating systems (Windows 10, Windows 8.1, etc). Only those with a mobile operating system such as Windows Phones or Windows Mobile are supported and will work with two-factor authentication.
A user is automatically locked out when there are 6 consecutive failed login attempts. Possible causes include, but are not limited to, the following:
  • Not responding to multiple push notifications because the Duo Mobile app is not open
  • Selecting the wrong device or selecting a device that’s not properly enrolled
  • Automatic login attempts by a 2FA-protected system when a user isn’t expecting it
  • Fraudulent login attempts without the user's knowledge
Once a user has been locked out, they will need to contact the ITS Helpdesk by emailing helpdesk@andrews.edu or calling 269-471-6016 for assistance in unlocking the account.
If you have stopped receiving push notifications:
  • Check for network problems between your device and the 2FA-protected Andrews system.
  • Check to make sure that the Duo Mobile app is open when attempting authentication.
  • Attempt to reactivate the Duo Mobile app by signing in to a 2FA-protected Andrews service. You may also contact the ITS Helpdesk.
Before attempting to troubleshoot any second-factor problem, make sure that the first-factor authentication, your Andrews username and password, is correct.

If this is the first time that you’ve used the Duo service on a particular device, then make sure that the Duo enrollment process has been completed and then try again. If you’ve used the Duo service on a particular device and cannot log in, then make sure that the phone itself is not locked. If the phone is locked, then unlock the phone and start the Duo Mobile app (if on a smartphone) and try again.

Make sure that you’re using the correct mobile device. If you’re using a new device (even if you have the same phone number), then reactivate the Duo Mobile app for the new device. If you’re changing types of phone, such as going from an Android to an iPhone, then select the new type of phone before reactivating. If the service is still not working, contact the ITS Helpdesk by emailing helpdesk@andrews.edu or calling 269-471-6016.
This may be because you have been locked out of Duo. This usually occurs with 6 consecutive failed attempts to authenticate. If you need immediate assistance, contact the ITS Helpdesk.

