In response to the phishing scam that redirected employee payroll deposits in December 2013, and at the request of President Brown, Information Services & Technology has implemented a high-security login process for BUworks that requires a second method to confirm the identity of the person logging in.

Referred to as two-step or two-factor authentication, this process, which uses Duo Security, asks individuals logging in to confirm their identity using a smartphone, via text, via automated voice calls, or on a secured kiosk (for certain staff).

Help with Duo is available! Use the “Get Help” button above, call the IT Help Center directly at 617-353-4357, or contact your local IT administrator.

Troubleshooting and frequently asked questions

Do I have to use Duo every time I log in to BUworks?

Duo allows you to remember a device for 30 days. You can approve any computer that you commonly use and will not be required to provide two-factor authentication confirmation until next month. For example, if you have a desktop and a laptop, you can approve both computers as trusted devices and not have to confirm your identity with a phone until the following month.

Can I set up Duo on more than one phone?

When you are doing your initial setup, you may add as many phones as you like (landline and/or mobile). After that, when you are logging in, you can choose which line Duo will send the authentication request to (via smartphone app, SMS text message, or phone call, depending on what you chose).

What is the Manage Devices button? Can I use that to add more devices?

Yes, you can use the Manage Devices feature to add, remove, or change the devices that Duo can use to verify who you are. However, you can’t alter your current device without an administrator. For example, if you get a new phone for your existing phone number, you should contact the IT Help Center for assistance. Note that, when an administrator adds your device, you will not need to go through the setup screen – we will send you the needed codes directly from Duo Security.

I have a new phone and the Duo app stopped working. What should I do?

If you get a new phone, the Duo app will lose its association with your account, even if the app is restored from a cloud backup. If the phone number of your new phone is the same, you can still authenticate using the phone call or SMS option, but the push option will not work until it is re-activated.

You can re-activate your new phone with the Manage Devices option. First, ensure that you still have access to any of the phone numbers enrolled in Duo. Set the authentication option to Phone Call and then select Manage Devices. The phone you chose should ring, and you will need to answer and hit any key to authenticate. From here, you can select the phone number of your new phone (assuming it’s the same phone number) and, under Actions, select Activate Duo Mobile. This will prompt you to scan in a new QR code from the Duo app. If you have difficulties with this process, you can submit a ticket to the IT Help Center or call 617-353-4357 for immediate assistance.

Can I use the Duo app internationally?

The Duo smartphone app is designed to work internationally. If you install the app, it can generate the required code without need of either a telephone signal or data plan, and it can do this anywhere in the world. If you have a signal and data plan, the app makes two-factor authentication as easy as pushing a single button, but if you don’t have one of those two things, you can use the app to generate a six-digit code and enter that manually.

What happens if I set up my browser to clear cache/cookies after exiting?

The “Remember your device for 30 days” option uses a persistent cookie. If you clear cookies after you log off of the browser, the device will not be remembered and you will have to confirm your identity again when logging in.

What if I forget my phone at home?

You can contact the IT Help Center. They will verify your identity and provide a temporary passcode.

What if I lose my phone?

Contact the IT Help Center immediately and we will lock your Duo account to prevent malicious activity.

After confirming a legitimate login attempt, I'm stuck on a strange two-step screen. Why?

Logging in with Duo requires that JavaScript is enabled. If it is not, your attempt to log in will fail and your screen will look like this:

If you encounter this issue, disable any JavaScript blocking plugins or browser settings (or include an exception for scripts from and attempt to log in again.

Do I still need to use my old/current token?

If you are logging in to Quest for SAP or the mainframe (legacy system) and currently use a physical token, you would continue using your current token on those systems even when enrolled in Duo. We are working on implementing Duo for Quest and the mainframe and will notify you when we have more information.

What if I don’t have a cell phone?

If you don’t have a cell phone, Duo allows you to use your landline phone. You would receive an automated phone call that requires you to hit any button to confirm your identity.

What if I don’t have a data plan on my phone? What if I don’t have a connection?

The Duo smartphone app provides options that work without a data plan, a texting plan, or even a connection, if necessary. The app can generate the required code without need of either a telephone signal or data plan, and it can do so anywhere in the world. If you have a signal and data plan, the app makes two-factor authentication as easy as pushing a single button, but if you don’t, you can use the app to generate a six-digit code and enter that instead.

About Duo and two-factor authentication

Am I required to use two-factor authentication?

Once your group has been automatically enrolled in Duo, you will be required to use two-factor authentication.

I know how to avoid phishing email messages, why do I need to use this?

Unfortunately, experience has shown that people are not as good at recognizing malicious email as you might think. Every day, members of the BU community fall prey to these kinds of scams. We have to take steps to ensure that we are more than just a single click away from having our paycheck stolen or becoming a victim of identity theft.

Whom should I contact if I have questions or concerns about the requirement to use Duo?

We encourage you to contact us with feedback, or with questions or concerns about the project in general. The Vice President of Information Services & Technology and the Information Security & Business Continuity governance committee for IS&T can be reached directly at

How will using Duo change how I log in to BUworks and other web services?

First, Duo will require a second method of confirmation for a person logging in to view or edit sensitive data. Individuals will be asked to confirm their identity using a smartphone app, via text message to a device, via automated calls to a mobile or landline phone, or using a secured kiosk (for certain staff).

The login screen you’re used to seeing at will change slightly. Also due to the transition, Web Login-secured applications, including those linked from BUworks Central, will require you to log in again. These other applications do share the same login credentials as many applications at BU, so logging in more than twice during a session is very unlikely.

More and more applications will be made compatible with the high-security login process, so that you’ll be required to log in less often while using web applications.

Do I need a smart phone to use Duo?

No. Duo provides a great deal of flexibility and you do not need a smart phone to use it.

The recommended smart mobile phone option makes two-factor authentication extremely easy, but a lot of other easy options exist as well. Duo can send a text message to a regular cell phone or place a voice call to your office landline phone or cell phone.