Coming Soon for Duo at BU
Starting February 4, 2025, Boston University will disable the text and phone call options for Duo Multi-Factor Authentication (Duo MFA). You will need to use Duo Push via the Duo Mobile App on your mobile device instead. Have questions about this upcoming change? Contact the BU IT Help Center at 617-353-4357 or email ithelp@bu.edu. We have answers to frequently asked questions below!
Frequently Asked Questions (FAQ) about what's new in Duo
Why is Boston University making this change?
The University is continuously improving its security practices to ensure the highest standards of protection for University data and assets. Duo Push is more secure and user-friendly compared to SMS or phone call methods and is in line with best practices at peer institutions.
Why am I receiving this email, "Important: Duo Changes Effective February 4, 2025"?
You are receiving this email because you have used SMS passcodes or phone calls for Duo Multi-Factor Authentication (MFA) at Boston University. These options will be disabled on February 4, 2025. This notification is to help you prepare for the upcoming change and to ensure uninterrupted access to your online resources.
What do I do now that I’ve received this communication?
We encourage you to prepare for this change by setting up Duo Push as soon as possible.
What is Duo Push and how does it work?
Duo Push is a more secure and convenient method of authenticating your BU login. Once you attempt to log in to a University system, you will receive a push notification through the Duo Mobile App on your mobile phone. You can approve or deny the authentication request directly from the notification.
How do I set up Duo Push?
It's easy! Download the Duo Mobile App on your smartphone or tablet (available for iOS and Android).
Then log in from your desktop or laptop to any online application or resource at BU. At the Duo MFA screen, select "Other options". Here you will be able to scroll down to "Manage a Device" to add a new smartphone or tablet. If your device is already registered, scroll down and select Duo Push to begin using it!
Is Duo Push easy to use?
Yes! Duo Push is designed to be simple and quick. Once the app is installed and linked to your account, you’ll receive a push notification each time you attempt to log in. All you need to do is tap "Approve" (or "Deny" if you didn’t log in and initiate the notification) to complete the authentication.
What devices are compatible with the Duo Mobile App?
The Duo Mobile App is compatible with both iOS and Android smartphones and tablets.
What should I do if I have trouble downloading or setting up the Duo Mobile App?
If you encounter any issues while downloading or setting up the Duo Mobile App, please contact the IT Help Center for assistance. We can guide you through the process and troubleshoot any problems you may encounter.
Can I still use SMS or phone calls for authentication?
Yes, you can use SMS and phone call options up until February 4, 2025. On that day you will no longer be able to use SMS passcodes or phone calls for Duo MFA. All users must switch to Duo Push through the Duo Mobile App or use an alternative method, such as a hardware security key.
What will happen if I don’t switch to Duo Push by the deadline?
If you do not switch to Duo Push by February 4, 2025, you will no longer be able to use Duo MFA to authenticate your login via SMS or phone call. To ensure uninterrupted access to University resources, it’s important to download the Duo Mobile App and begin using Duo Push now.
I don’t have a smartphone, so I can’t download the app. What can I do?
You can use a security token, which works like a USB device: you plug it into your laptop or desktop to authenticate.
What if I can't use the Duo Mobile App on my phone?
If you're unable to use the Duo Mobile App (e.g., due to device compatibility issues), you can use a security token as an alternative. For more information about hardware security keys and how to set them up, visit the Duo Security Key page.
What is Two-Factor Authentication?
Multi-factor authentication (MFA) adds a second layer of security to your online accounts. Verifying your identity using a second factor (like your phone or other mobile device) prevents anyone but you from logging in, even if they know your password.
How It Works
1. Enter username and password as usual
2. Use your registered device to verify your identity
3. Securely logged in
Once you've enrolled in Duo you're ready to go: You'll log in as usual with your username and password, and then use your device to verify that it's you. Your administrator can set up the system to do this via SMS, voice call, one-time passcode, the Duo Mobile smartphone app, and so on.
Why Do I Need This?
Passwords are increasingly easy to compromise. They can often be stolen, guessed, or hacked — you might not even know someone is accessing your account.
Two-factor authentication adds a second layer of security, keeping your account secure even if your password is compromised. With Duo Push, you'll be alerted right away (on your phone) if someone is trying to log in as you.
This second factor of authentication is separate and independent from your username and password — Duo never sees your password.
Supported Devices
Click your device platform to learn more:
iOS phones and tablets
Android phones and tablets
Security Keys
Troubleshooting and frequently asked questions
Do I have to use Duo every time I log in to an online application at BU?
Yes, although Duo allows you to remember a device for 30 days. You can approve any computer that you commonly use and will not be required to provide two-factor authentication confirmation until next month. For example, if you have a desktop and a laptop, you can approve both computers as trusted devices and not have to confirm your identity with a phone until the following month.
Can I set up Duo on more than one phone?
You are encouraged to set up Duo on more than one phone in case you forget a phone at home or are not at your office phone. When you are doing your initial setup, you may add as many phones as you like (landline and/or mobile). After that, when you are logging in you can choose which line Duo will send the authentication request to (via smart phone app, SMS text message, or phone call depending on what you chose).
What is the Manage Devices button? Can I use that to add more devices?
Yes, you can use the Manage Devices feature to add, remove, or change the devices that Duo can use to verify who you are. Note that, when an administrator adds your device, you will not need to go through the setup screen - we will send you the needed codes directly from Duo Security.
I have a new phone and the Duo app stopped working. What should I do?
If you get a new phone, even if the Duo app is restored from a cloud backup, it will lose its association with your account. If the phone number of your new phone is the same, you can still authenticate using the phone call or SMS option, but the push option will not work until re-activated.
You can re-activate your new phone with the Manage devices option. First, ensure that you still have access to any of the phone numbers enrolled in Duo. Set the authentication option to Phone Call and then select Manage devices. The phone you chose should ring; answer it and press any key to authenticate. From here, you can select the phone number of your new phone (assuming it’s the same phone number) and under Actions, select Activate Duo Mobile. This will prompt you to scan in a new QR code from the Duo app. If you have difficulties with this process, you can submit a ticket to the IT Help Center or call 617-353-4357 for immediate assistance.
Can I use the Duo app internationally?
The Duo smartphone app is designed to work internationally. If you install the app, it can generate the required code without need of either a telephone signal or data plan, and it can do this anywhere in the world. If you have a signal and data plan, the app makes two-factor authentication as easy as pushing a single button, but if you don’t have one of those two things, you can use the app to generate a six-digit code and enter that manually.
What happens if I set up my browser to clear cache/cookies after exiting?
The "Remember your device for 30 days" option uses a persistent cookie. If you clear cookies after you log off of the browser, the device will not be remembered and you will have to confirm your identity again when logging in.
What if I forget my phone at home?
You can contact the IT Help Center. They will verify your identity and provide a temporary passcode. We encourage you to then go into Manage Devices and add an additional phone.
Why am I seeing a blank Duo screen when using an iOS or macOS device when accessing a BU site requiring Single Sign On (SSO) Authentication?
Logging in with Duo requires that JavaScript is enabled.
To resolve this issue:
- Make sure that JavaScript is enabled in Safari on your macOS or iOS device.
- If you have an MDM on the device, such as JAMF, please check to determine if the MDM settings could be preventing the Duo Prompt from displaying.
- Disable content restrictions on the device. The instructions are described below for different versions of iOS or macOS.
Disabling Content Restrictions
iOS 12 or newer
- Navigate to Settings > Screen Time > Content & Privacy Restrictions > Content Restrictions > Web Content.
- Uncheck Limit Adult Websites to completely disable content restrictions.
- If you do not want to fully disable content restrictions, you can allow duosecurity.com within the Content Restrictions page on the iOS device. This will allow the Duo Prompt to display even if content restrictions are enabled.
Note that if you are opening Screen Time for the first time and haven't set up the feature, you will be prompted to set up the phone either for yourself or a child and will have the option to set a passcode.
iOS 11 or older
- Go to Settings > General > Restrictions > Websites
- Uncheck Limit Adult Content to completely disable content restrictions.
macOS 10.15 (Catalina) or higher
- Open System Preferences
- Navigate to Screen Time > Preferences > Content & Privacy
- Set any Web Content restrictions to Unrestricted access
- If you do not want to fully disable content restrictions, you can allow duosecurity.com within the Content Restrictions page on the iOS device or add it to the Allowed Websites Only list on macOS. This will allow the Duo Prompt to display even if content restrictions are enabled.
After confirming a legitimate login attempt, I'm stuck on a strange two-step screen. Why?
Logging in with Duo requires that JavaScript is enabled. If it is not, your attempt to log in will fail and leave you on this screen.
If you encounter this issue, disable any JavaScript-blocking plugins or browser settings (or include an exception for scripts from duosecurity.com) and attempt to log in again.
What if I don’t have a data plan on my phone? What if I don’t have a connection?
The Duo smartphone app provides options that work without a data plan or even a connection, if necessary. The app can generate the required code without need of either a telephone signal or data plan, and it can do so anywhere in the world. If you have a signal and data plan, the app makes two-factor authentication as easy as pushing a single button.
I am studying abroad this semester and don't have an international phone plan, can I still use Duo?
Yes! Don’t worry: Duo works internationally, with or without cellular service or a Wi-Fi connection.
Even with cellular service disabled or without a Wi-Fi connection, you may use the Duo Mobile app to generate a passcode that you can use to authenticate. Simply choose the Enter a Passcode option when you get the Duo authentication prompt. To generate the passcode, open the Duo Mobile app on your phone or tablet and tap the button with the KEY symbol.
I am an international student and I have two phones I use when I am in the U.S. and at home. Can I access Duo when I am home?
If you use a different phone in your home country and don’t have a data or cellular plan with your U.S. smartphone when you visit home for the holidays or during the summer, you can add your international device as a second device to your Duo account.
I am an alumnus and I use the Student Link to download my transcripts. Do I also need to enroll in Duo?
Yes, anyone accessing the Student Link for protected records will need to enroll in Duo. We want all sensitive information within the link protected!
I am a BU staff member and I take classes. I do not use Duo for my job. Do I need to enroll in Duo to access the Student Link?
Yes, anyone accessing BU online resources will need to use Duo MFA!
What if I lose my phone?
Contact the IT Help Center immediately and we will lock your Duo account to prevent malicious activity.
What if I don’t have a smartphone or cell phone?
If you don't have a smartphone, you can use a security token as an alternative. For more information about hardware security keys and how to set them up, visit the Duo Webpage:
https://guide.duo.com/security-keys
You can also use a tablet to access Duo, or purchase a Yubikey.
What is a Yubikey and how does it work with Duo?
A Yubikey is a small hardware device (think USB stick) that supports two-factor authentication. A Yubikey can be plugged into your computer's USB port or "tapped" on your device (if supported) to verify your login. A Yubikey is another method you can use to access Duo! Yubikeys can be purchased from Amazon or directly from Yubico.
What if I have an extenuating circumstance that doesn't allow me to use Duo?
Contact the IT Help Center and they will be able to help you find the best solution for accessing Duo two-factor with the Student Link.
About Duo and two-factor authentication
Am I required to use two-factor authentication?
Yes, everyone at the University is required to use Duo MFA.
I know how to avoid phishing email messages, why do I need to use this?
Unfortunately, experience has shown that people are not as good at recognizing malicious email as you might think. Every day, members of the BU community fall prey to these kinds of scams. We have to take steps to ensure that we are more than just a single click away from having our paycheck stolen or becoming a victim of identity theft.
Whom should I contact if I have questions or concerns about the requirement to use Duo?
We encourage you to contact us with feedback, or with questions or concerns about the project in general. The Vice President of Information Services & Technology and the Information Security & Business Continuity governance committee for IS&T can be reached directly at duo@bu.edu.
How will Duo use change how I log in to BUworks and other web services?
First, Duo will require a second method of confirmation for a person logging in to view or edit sensitive data. Individuals will be asked to confirm their identity using a smartphone app, via text message to a device, via automated calls to a mobile or landline phone, or using a secured kiosk (for certain staff).
The login screen you're used to seeing at www.bu.edu/buworkscentral/ will change slightly. Also due to the transition, Web Login-secured applications, including those linked from BUworks Central, will require you to log in again. These other applications do share the same login credentials as many applications at BU, so logging in more than twice during a session is very unlikely.
More and more applications will become compatible with the high-security login process so that you'll be required to log in less often while using web applications.
Do I need a smart phone to use Duo?
If you're unable to use the Duo Mobile App (e.g., due to device compatibility issues), you can use a security token as an alternative. For more information about hardware security keys and how to set them up, visit the Duo Webpage: https://guide.duo.com/security-keys