2FA Frequently Asked Questions   |  

[General Questions]
[Using 2FA with Your Smartphone]
[Duo Tokens]
[Using 2FA when Travelling Internationally]

General Questions

All Andrews University employees (faculty, staff and student employees) are required to enroll in and use 2FA to access Andrews web-based resources beginning with:
On January 30, 2018, the open enrollment period for Duo ended. Andrews employees will need to use the 2FA service whenever attempting to log in to any Andrews University system that has been configured to use 2FA.

Two-factor authentication is mandatory for all Andrews faculty, staff and student employees.

You will need to use a device like a smartphone or tablet, registered with Duo whenever you log into 2FA-protected Andrews services. This is in addition to using your Andrews username and password.
See Using 2FA with Duo
If your Duo-registered device is lost or stolen, contact either your ITS building technician or ITS Helpdesk immediately and report the lost or stolen device. ITS may assist you to remove the enrolled device from the Duo 2FA service.

Remember: Your Andrews username and password (first-factor) will continue to protect your Andrews account even if your device is lost.

Smartphone users: The Duo Mobile app includes a feature called Duo Restore. This functionality, available on all Duo editions, enables Android and iOS Duo Mobile users to back up their Duo-protected accounts and recover them when they get a new device. See Duo's Guide to the Duo Restore feature for Duo Mobile account recovery
The only data that Duo Security stores is the user's Andrews username (Duo does not know your Andrews password) and information about your second factor device, such as a phone number (if using a phone) or the serial number of your tablet or Duo token.
Yes. If you’re using a smartphone for 2FA, then the Duo Mobile app can integrate with third-party accounts. See Duo’s Third-Party Accounts page for more information.
Microsoft is officially marking Internet Explorer (IE) versions 8, 9, and 10 as “end-of-life,” meaning any further updates, including important security patches, will also end. IE 8, 9, and 10 are also not compatible with 2FA’s self-service portal. Microsoft’s official recommendation is to upgrade to IE 11 or Microsoft’s Edge browser. You may also use a different web browser (other than Microsoft) to authenticate and manage devices.
A user lockout occurs whenever 6 consecutive attempts to log in via Duo fail. The lockout will expire after a period of time.
Here are a some suggestions on how to prevent this from happening:
  1. On your mobile device, make sure the Duo Mobile app is open: A user lockout sometimes happens when the Duo Mobile app receives multiple attempts to authenticate that are not responded to. Make sure that you have your Duo Mobile app open and that you approve the "Duo Push" notification when you request authentication. This is to reduce the number of unanswered push notifications.
  2. Log out of your computer: In very rare cases, some 2FA-protected Andrews University systems or services may be configured to attempt to automatically log in. If this is done when you’re not expecting it; and do not wish to authenticate to that service, then it could result in 6 consecutive failed attempts to authenticate resulting in a lockout. Closing the web browser or logging out of your computer should prevent this from happening.
  3. Authenticate to an enrolled and available device: Persistent attempts to authenticate to an inactive or incorrect device can cause a lockout. Make sure that you are attempting to authenticate to a properly enrolled device that is currently available to you.
Contact the ITS Helpdesk or visit the ITS Service Desk if you have been locked out of Duo.
If you are certain that you did not attempt to login to a 2FA-protected system, then you are most likely experiencing a fraudulent attempt to access your account:
  1. Reject the notification on your mobile device by selecting Deny and confirm why you are denying the notification. The Andrews University ITS system administrators will be notified to investigate further.
  2. Change your Andrews password immediately.
  3. Contact the ITS Helpdesk for additional assistance.
An unrequested authentication attempt might be an indication of fraudulent activity on your account, or it could be an Andrews University 2FA-protected system configured to automatically log in.

If the unrequested authentication attempt is an automatic login attempt—for instance, you left your computer logged in overnight, and a system is attempting to log in—then this could lead to multiple, unanswered login attempts and a user lockout could occur. For information on how to prevent lockouts, see How Do I Prevent Being Locked Out of 2FA?

When you leave Andrews University—retirement or termination—you may no longer be required to be enrolled in Duo 2FA. However, as a retiree, you may still have access to, and therefore the need to sign-in to, an Andrews Univesrity 2FA-protected system. This includes retired faculty who have been granted emeritus status.
Security Checkup for Android and iOS devices empowers users to improve and maintain the security of their mobile device. It also provides a friendly list of common security options that are being checked by Duo, and if their mobile device adheres to them. If there are any issues, easy-to-follow instructions on how to fix them are presented.  For more information, see Mobile Device Security Made Easy with Duo’s Security Checkup

Using 2FA with Your Smartphone

A smartphone is the recommended device since it provides the greatest level of security and allows you to use the Duo Mobile app. The app can receive push notifications for easy, one-tap authentication and can generate passcodes for login (even without cellular connectivity).
If you do not have a smartphone, contact the ITS Helpdesk or visit the ITS Service Desk.
If you have a new smartphone with the same phone number, the Duo Mobile app will need to be re-activated in order for the app to work with the new phone. In other words, you will not be able to generate push notifications or passcodes through the app until the app has been re-activated.  See Adding a New Device in Duo or contact the ITS Helpdesk for assistance.

To re-activate the app, follow the re-activation instructions described in I’m trying to log in to 2FA on my phone, but it tells me I can’t. What should I do?

See also Duo's Guide to the Duo Restore feature for Duo Mobile account recovery
Yes. You can enroll a tablet if you have one.  If you do not own a smartphone or a tablet, other options are available.
Contact your ITS building technician or the ITS Helpdesk for assistance.
No. International numbers cannot be enrolled at this time.
Using Two-Factor Authentication (2FA) on your phone or tablet is perfectly safe! A smartphone or a tablet are the recommended devices to use because an app is available.
All Andrews University employees (faculty, staff or student employees) are required to enroll in and use 2FA to access protected web-based resources.
You can set up two-factor authentication (2FA) on multiple devices (like mobile phones & tablets). Best practice : one (1) phone and one (1) secondary device such as a tablet in case there are any problems with the primary device (battery dies, device is lost, stolen or accidentally left at home, etc.). More devices may be enrolled at your discretion.
No. Each person would need to enroll a unique device or devices, with a unique number to associate with their own Andrews username.
Using 2FA via the Duo app does not cost anything beyond what your standard data rates may be.  On average, less data is used than when an email is received on your phone.
Yes. You can change to a different phone with a different number. Go to one of the 2FA-protected Andrews services and authenticate using an enrolled and active device. You will be able to enroll your new device by selecting “Add New Device” and following the instructions. You may then remove the old devices. For more infomration, see Add Additional Devices in Duo and Manage Devices in Duo.
The Duo Mobile app does not access your other apps or other data on your phone; it uses some base functionality of the phone and a certificate that identifies your phone to ensure accurate identification.
In cases where cell coverage is not available, use the Duo Mobile app (smartphone & tablets only) to generate a passcode to use as your second factor. That’s one of the advantages of the Duo Mobile app; no cellular (or Internet) coverage is needed to generate a passcode.

Duo Tokens

A Duo token is a piece of hardware (about the size of a USB stick) needed when a person is not using a smartphone or tablet for two-factor authentication. Please note that using a Duo app on a smarthphone or tablet is still the preferred way to use 2FA for a number of reasons including greater security and having one fewer “thing” to keep track of. Therefore, only in limited cases will a Duo Token be issued.
No one is required to have a Duo token. In fact, most people will not want, or need, a Duo Token because using a smartphone or tablet is the easiest way to use Andrews University's two-factor authentication (2FA) service. Only in limited cases when a smartphone and tablet cannot be used should a Duo token be issued.
A Duo token generates a random series of numbers each time that the token is used, which are entered as part of the authentication process to prove that you have the token. This adds a second layer of security to your Andrews username and password. See How to Use a Duo Token.
At this time, departments may purchase a token for their eligible faculty and staff.
Duo token purchases are dependent upon the rules of the department. Each department has its own procedure on purchasing and providing the Duo tokens. To purchase a Duo token, see How Do I Purchase a Duo token?
Duo tokens used with Andrews University's two-factor authentication are priced at $25 per token and may be charged to an department IDC.
Departments may contact their ITS Building Technician or the ITS Helpdesk and arrange to have a Duo token issued.  Once issued, the tokens are not returnable.
If the correct Duo token is not working, contact your ITS building technician or the ITS Helpdesk.
Signs that a Duo token needs to be replaced may include:
  • Battery is completely dead.
  • Some or no numbers are displaying when the button on the Duo token is pressed.
  • The token does not display a passcode when the button is pressed or the button does not release when pressed.
The Duo token may be out of sync and may need to be resynchronized with Duo. This occurs when the green button on the token is pressed multiple times without using the generated numbers to two-factor in.
Contact your ITS building technician or the ITS Helpdesk for assistance.

Using 2FA when Traveling Internationally

It’s up to the user to know and understand the implications of using his/her cell service while abroad (cost to use the phone abroad, cellular service availability where traveling, etc.). If the user is satisfied with those conditions and is planning to use his/her device normally while traveling, then using the device as the second-factor will not change. If using a smartphone, then an enrolled user can simply use the Duo Mobile app to generate a passcode each time authentication is needed regardless of the implications of using a cellular service abroad or whether there is any Internet connectivity. See how to generate a passcode on your mobile smartphone or tablet.

For those who will not be able to use their mobile devices while traveling, another option is the purchase of a Duo hardware token before leaving. Duo Tokens are available upon request.  Allow enough time for the purchase to be completed and the Duo Token to be delivered to ensure that the token is available when needed. Contact your ITS building technician or the ITS Helpdesk for assistance.

Please be mindful of restrictions on travel to certain countries. It is important to verify whether connecting to University resources or using University devices is recommended/approved from certain destinations prior to travel.
If you have two devices registered (which is recommended), then you can remove the lost or stolen phone by signing in to a 2FA-protected Andrews system, then add a replacement device at that time (or at a later time). See Adding a New Device in Duo.
No. International numbers cannot be enrolled at this time.


As long as you have more than one device enrolled (which is encouraged), you can simply sign-in to a 2FA-protected Andrews service. From there, you can remove the damaged device and add a new device. If the damaged device is your only enrolled device, then contact the ITS Helpdesk for assistance.
Selecting “Remember me for 1 day” will allow you to bypass Duo authentication for a period of 1 day (24 hours). This applies to one (1) computer, IP address and web browser. You will still be prompted to authenticate to Duo if you open another web browser or you use another computer.
Certain Windows platforms are not supported by Duo Security and will not work with the Duo Mobile app, specifically the desktop versions of Windows operating systems (Windows 10, Windows 8.1, etc). Only those with a mobile operating system such as Windows Phones or Windows Mobile are supported and will work with Duo two-factor authentication.
A user is automatically locked out when there are 6 consecutive failed log in attempts. This might be caused by but not limited to the following:
  • Not responding to multiple push notifications because the Duo Mobile app is not open
  • Selecting the wrong device or by selecting a device that’s not properly enrolled
  • Automatic log in attempts by a 2FA-protected system when a user isn’t expecting it
  • Fraudulent log in attempts without the user's knowledge
The lockout will expire after a period of time. For immediate assistance, contact the ITS Helpdesk by emailing helpdesk@andrews.edu or calling 269-471-6016 for assistance in unlocking the account.
If you have stopped receiving push notifications:
  • Make sure a screen lock is enabled on your device.  Screen locks may include a PIN, pattern swipe, fingerprint or facial recognition.
  • On your mobile device, make sure notifications are enabled for the Duo Mobile app.
  • Check for network problems between your device and the 2FA-protected Andrews system.
  • Have the Duo Mobile app open when attempting to authenticate.
  • Attempt to reactivate the Duo Mobile app by signing in to a 2FA-protected Andrews service. You may also contact the ITS Helpdesk.
Before attempting to troubleshoot any second-factor problem, make sure that your Andrews username and password (first-factor), is correct.

Troubleshooting tips:
  • If this is the first time that you’ve used the Duo service on a smartphone or tablet, make sure you've completed the Getting Started guide, then try again.
  • If you’ve used the Duo on a mobile device and authenticate in, then make sure that the device itself is not locked. If it is locked, then unlock the phone and open the Duo Mobile app and try again. Some users may see a green bar appear.  Tap the green bar to open the notification.
  • Make sure that you’re using the correct mobile device. If you’re using a new device (even if you have the same phone number), then reactivate the Duo Mobile app for the new device. If you’re changing types of phone, such as going from an Android to an iPhone, then select the new type of phone before reactivating. If the service is still not working, contact the ITS Helpdesk.
This may be because you have been locked out of Duo. This usually occurs with 6 consecutive failed attempts to authenticate. The lockout will expire after a period of time. If you need immediate assistance, contact the ITS Helpdesk or visit the ITS Service Desk.


[top of page]
[Duo Welcome Page]