When you log in to a Boston University Web page that requires two-factor authentication, a login screen like this will be displayed.

1. Enter your BU login name and Kerberos password.
2. Then press the Continue button.
3. If you have not yet registered a device to serve as the second factor in the required two-factor authentication process, you will be directed to this enrollment screen. Read more about enrolling a device.
   
4. If you have already enrolled one or more devices, you will be directed to the Two-step Login window.
5. Regardless of the method you choose (instructions follow), note the Remember this device for 30 days checkbox on the authentication screen. This feature, which we believe many will find useful, is described in the Remember this Device section below.
6. Select the contact method to be used for authentication by clicking on the Device drop-down arrow.
   
   Authenticator options include:
   1. Duo Push: this option is recommended and is selected by default. Using this option results in a challenge being sent to your smart phone or tablet.
   2. Phone call: a call is placed to the phone number you specified during enrollment.
   3. Passcode: this field can be used in concert with the Duo mobile app or the SMS message option.
   4. SMS message : click this hyperlink to send a text message to the mobile phone you specified during enrollment. Any mobile phone that can receive an SMS text message can be used for this authentication method.

Duo Push

The most common method is to use the push feature, whereby a challenge sent to your device requires that you confirm, via Duo, that your log on attempt is valid.

1. If you have more than one device enrolled, you must specify which will receive the challenge. Click the drop-down arrow and then select a device.
   
2. Press the Log In button to proceed.
3. After clicking the Log In button, an alert will be delivered to the smart phone or tablet selected as the Authenticator in the previous section.
4. Open the alert and click on the Approve button on your phone/tablet. Your screen will look similar to this:

On iOS

If you receive a login request that you weren’t expecting, press Deny to reject the request. You’ll be given the opportunity to report it as fraudulent – in which case an email notification will be sent to IS&T Information Security – or you can tap It was a mistake to deny the request without reporting it. Note that pressing Deny three times will lock your user account and email will again be sent to the IS&T Information Security team.

Remembering a Device

If you check the Remember this device for 30 days checkbox, you will not be prompted to provide second factor authentication only if you log in via the same computer and browser you are using when you check the box.

For example, suppose you checked this box yesterday when you logged in using Firefox on your laptop. When logging in from your laptop today, you decide to use Internet Explorer. Because this browser does not match that in use when you checked Remember yesterday, you will be prompted to authenticate.

If you select this option, you will receive a prompt again when the 30-day period expires.