Duo 2FA: How to Authenticate

What to Expect with Duo Two Factor Authentication

Duo Standard Prompt

When logging into a website that utilizes Two Factor Authentication, users will first login using their CSU credentials.

NetID Login Page, prompting users to enter their CSU NetID and NetID password

Upon logging in, the Duo prompt will populate allowing users to choose how to verify their identity.

Duo Two Factor Authentication Prompt on mobile device

If more than one device was registered, make sure to select the one you want to use for this session from the Device dropdown menu.

Duo Prompt Device Drop down menu

Duo Universal Prompt

The Duo Universal Prompt is being rolled out to Duo-protected applications in phases, the first implementation is with the GlobalProtect VPN.

When accessing the GlobalProtect VPN, the user will first enter their NetID (netid@colostate.edu) and password.

Duo will then automatically select their default authentication method. The image below shows a user who has Duo Push as their default method.

Duo Prompt indicating to the user to take action on their default two-factor authentication device

To use a different authentication method, click “Other options”, which will display all other devices you have set up.

A list of authentication methods that the user has set up is provided to use for two-factor authentication

Once you have authenticated with your selected method, you will be logged in to the application.

Options for Duo Authentication:

  • Send Me a Push – Using the Duo Mobile App
    • Easiest, fastest method
  • Enter a Passcode – Using the Duo Mobile App or Hardware Token
    • Great when you’re outside of cellular reception
    • Hardware Tokens (currently only supported for CSU Fort Collins users)
  • Call Me – Using any Registered Phone Number
    • Least reliable option, use only when necessary

Expand the sections below for details on what to expect when you authenticate with each method.

  • Send me a push

    Click on the Send Me a Push button to receive a login request using the Duo Mobile App on a smartphone or tablet.

    Duo Two-Factor authentication, Send Me a Push authentication method

    Important: If a notification is ever received when you are not trying to log in, click the Deny button.

    To approve the login request from the push notification, select “Tap to View Actions” then tap “Approve”.

    Smartphone push notification reading: Verify Your Identify: Are you logging in to CSU Pulse Connect Secure? Tap to View Actions

    To approve the login request in the Duo Mobile App, open the app and tap the Approve button at the bottom of the screen.

    Duo Mobile App Approve or Deny screen. Tap Approve if you initiated the login.

    Once the notification has been approved, you will be logged into the requested website.

  • Enter passcode with Duo Mobile App

    Click on the Enter a Passcode button to authenticate using a passcode generated from the Duo Mobile App.

    Duo Prompt Enter Passcode authentication method

    Open the Duo Mobile App on your device, then tap “Show” next to the Passcode section.

    Duo Mobile App, tap "Show" to display the passcode to authenticate

    The Duo Mobile App will populate a 6-digit code under the Colorado State University account.

    Duo Mobile App showing a 6-digit passcode to use to authenticate

    Enter the 6-digit passcode from the Duo Mobile App into the passcode textbox and then click on the Log In button.

    Duo Prompt, Enter a Passcode authentication method

  • Enter a passcode with a Hardware Token

    Hardware tokens are available for CSU Fort Collins students, faculty, and staff to purchase for Duo authentication. They are not currently supported at CSU Pueblo.

    To authenticate using a hardware token, click the ‘Enter a Passcode’ button. Note: Using the Device dropdown menu to select your token is not necessary before entering the passcode.

    Duo Prompt Enter Passcode authentication method

    Press the button on your hardware token to generate a new passcode, type it into the space provided, and click on the Log In button.

    Duo Prompt, Enter a Passcode authentication method

    Tokens can get “out of sync” if the button is pressed too many times in a row and the generated passcodes aren’t used for login. Contact the IT Support Helpdesk if your token stops working.

    If you need a hardware token, one can be purchased and configured at RamTech in the Lory Student Center.

  • Call Me

    Click on the Call Me button to receive a phone call from Duo to your registered device.

    Duo Two-Factor Authentication Prompt, Call Me method

    The status bar at the bottom of the Duo prompt will update at each step of the process.

    Duo Prompt Dialing phone number message

    Answer the call and listen to the instructions to authenticate. The Duo Prompt status bar will also display how to approve the request over the phone.

    Duo Prompt phone has been answered, Press # on your phone to log in

  • Duo Universal Prompt

    Duo Two-Factor Authentication is required when accessing CSU’s VPN, the GlobalProtect secure gateway; whether accessed via the desktop agent/client or the web interface (gateway.colostate.edu).

    GlobalProtect is the first application to use the Duo Universal Prompt. The process for authenticating is different than the standard Duo Prompt:

    After you have logged in with your NetID and password, Duo will automatically select your default authentication method. The screenshots below show one user with the security key as their default and another user with the Duo Push as the default.

    Duo prompting the user to use their security key to authenticate Duo Prompt indicating to the user to take action on their default two-factor authentication device

    To use a different authentication method, click “Other options”.

    A list of authentication methods that the user has set up is provided to use for two-factor authentication

    Once you have authenticated with your selected method, you will be logged in to the application.