How to use the ‘Two-Factor VPN’ with Duo Security


Please note:

  • For Two-Factor authentication VPN, be sure to use For AD authentication, use
  • For Two Factor VPN you'll need to install the Duo Mobile app on your phone from the Apple or Google Play store and enroll your device. For further assistance with Duo activation please contact and include your your device type (e.g., iPhone, Android) and phone number.

When using the AnyConnect client:

  1. Make sure you are connecting to
  2. When you click the Connect button, in addition to the username and password boxes (enter your BU login name and Kerberos password), you will now see a third box for Second Password
  3. In the Second Password box type in one of the options listed below (the actual word push, phone, sms, or a generated passcode number. SMS is the text message option)
    Type... To...
    A passcode Log in using a passcode, either generated with Duo Mobile, sent via SMS, generated by your hardware token, or provided by an administrator.
    Examples: "123456" or "1456789"
    push Push a login request to your phone (if you have Duo Mobile installed and activated on your iPhone, Android, Windows Phone, or BlackBerry device). Just review the request and tap "Approve" to log in.
    phone Authenticate via phone callback.
    sms Get a new SMS passcode.
    Your initial login attempt will fail - login again with the new passcode sent to you.


  4. If you have multiple devices associated to DUO, you will have to specify which device you will be using for multi factor authentication. For example, if you have two devices and you are using the 2nd device to authenticate you will have to append a 2 at the end (example: push2, phone2, sms2). If there is only one device, you do not have to append a number at the end. You can find out how the devices are mapped on your account by managing your devices for DUO

    Note: If you’re using the Duo mobile app, you may want to have it open and ready at this point before authenticating.  The time-out period for the push authentication is fairly quick, so it helps to have the app ready to be accessed.


If you connect using the AnyConnect web page:

Please note:

  • Only use Internet Explorer or Firefox from a Windows machine.
  • Chrome and Safari can not be used for connecting.
  • Mac users will need to use the AnyConnect client. As of Firefox version 52, Java is no longer supported on Mac devices and the AnyConnect web page will not work.
  1. In your web browser, go to:
  2. In the login box, enter BU login name and Kerberos password
  3. You should then be presented with the Duo screen you are used to seeing (such as when accessing the BUworks portal)