Skip to main content

Duo multi-factor authentication - FAQ

General FAQ

Why do I have to use Duo multi-factor authentication (MFA)? 

Requiring MFA when logging into Buff Portal and MyCUInfo will better secure personal and financial data on our campus. The U.S Department of Education and payment service providers now require these safeguards to protect financial data and educational records. We need to be sure our campus is doing everything it can to reasonably protect information and adhere to the requirements of the government and our service partners.

What's the difference between Duo MFA and Microsoft MFA? 

Duo MFA and Microsoft MFA are similar applications that are used to authenticate to different systems. At this time, our campus uses Microsoft MFA only for Microsoft-hosted applications. Duo MFA will be used for other services at CU Boulder including Buff Portal, MyCUInfo, Grouper, Marketing Cloud, Oracle Identity Manager, Research Computing services, and others. 

When will Duo MFA be turned on for Buff Portal and MyCUInfo? 

Duo MFA will be implemented for Buff Portal and MyCUInfo on January 9, 2024.

Do I have to use Duo when working on campus?

Yes. Services that require Duo MFA (including Buff Portal and MyCUInfo) will always require you to authenticate whether you're on or off campus.

How frequently will I have to use Duo when logging in?

Duo has an 8-hour time out, per session. So, if you access one service in a web browser (like Buff Portal) and then within the same browsing session and 8 hour time limit you access another service that requires Duo (like MyCUInfo) in the same browser you will not be required to authenticate with Duo a second time. If you switch to a different web browser, you will be prompted to authenticate again. 

I'm already enrolled in Duo MFA to access employment information in MyCUInfo, do I need to enroll again? 

Yes. Employees who already use Duo to access certain resources in MyCUInfo are required to enroll with the CU Boulder instance of Duo. OIT is working with the CU System Office to remove their instance of Duo from MyCUInfo soon after this deployment, so employees will not need to manage two different Duo enrollments.

If you are already using the CU Boulder instance of Duo to access Grouper, Aurora, Oracle Identity Manager or use Research Computing services, there’s nothing you need to do before January. Not sure if you're enrolled? Visit the Duo multi-factor authentication enrollment website to test authentication and check your settings. 

Can I use Yubikeys or other FIDO2 tokens with Duo?

FIDO2 tokens are physical devices that provide a second factor during the multi-factor authentication process. They may be a good option if you are unable to use a mobile phone for MFA. Follow our Register a Yubikey for OTP or Duo - enroll a security key tutorials to enroll one of these devices. 

Please note that it is your responsibility to purchase, configure, and keep track of your token. 

If you decide to use the DUO security key option for your second factor of authentication and leverage Yubikey or FIDO2 tokens, it is highly recommended to register a backup method, such as a phone, in addition to your token in case you misplace it.

Are there other languages available in Duo if English isn’t my first language?

While the interface is in English, translation services like Google Translate may assist users in navigating the interface. Duo also has help guides in over a dozen languages at In the lower left hand corner of the screen (on desktop browsers! Locations may vary for mobile device users), look for the black menu box to select your preferred language from the available options.

New enrollments

How do I enroll in Duo MFA?

Duo has several options available to enroll and authenticate. 

I was previously using my child’s IdentiKey to log into Buff Portal to view course information and make tuition payments. How can I do that now that Duo MFA has been rolled out?

CU Boulder has methods for parents and guardians looking to check in on information for their dependents. For tuition payments, you can set yourself up as an authorized payer. Learn about the process and set-up on the Authorized Payer Access page.

For viewing academic information typically available to students, you can use the CU Guest Access feature.

What if I do not have an Android or iOS device?

Select the option to enter a phone number then choose between receiving a phone call or text message to authenticate. Follow our Duo enroll and set up with a phone number tutorial to enroll a phone number. 

Is it possible to add another device to my Duo account?
  • Go to the Duo multi-factor authentication enrollment website and log in with your IdentiKey username and password.
  • When prompted, click Other Options
  • Select Manage Devices 
  • You'll have to authenticate with your current device before you can add a new one. 
  • Click Add a device and follow the prompts to add a new authentication method. 
  • After adding a new device, we recommend visiting the Duo multi-factor authentication enrollment website with a new browser or with a private/incognito window to force authentication to verify success. 

Follow our instructions for managing devices for screenshots of this process. 


What if I can't log in or if I replace or lose my device?

Visit the Duo multi-factor authentication enrollment website at any time to view your settings, re-register the app, or add a new device.

Troubleshooting tips: 

  1. Go to the Duo Two Factor Enrollment website and log in with your IdentiKey username and password.
  2. If Duo pushes an authentication request that doesn't show up in your app, click Other options and select a different authentication method. 
  3. If none of the options available work for authentication, contact the IT Service center at 303-735-4357 or for a one-time bypass code to change your settings. 
What do I use for my second password for Custom VPNs?

If prompted to enter a second password, type push. This will cause DUO to send a push notification to your device.

If you would like to use a Yubikey for one-time password (OTP) use, follow our Register a Yubikey for OTP or Duo - enroll a security key tutorials to enroll.

I am already enrolled in Duo, but I can’t seem to get to the Manage My Devices view. It just keeps saying I’m successfully authenticated.

If you previously selected Trust This Device, Duo by default will do exactly that while you have a valid Duo session and not take you into the second-factor screen, which is where you can select to manage devices. As a workaround until your session expires, you can open an Incognito Window then visit and you should be able to access the manage devices screen as per usual.

I am getting an error message from Safari when I try to enroll using my iphone. How can I enroll on iOS devices and avoid this error?

If you receive this type of error message, you are likely on an old version of iOS and you don't have the app installed. To successfully enroll, install the app first or update your device to the newest version of iOS. Alternatively, visit the Duo multi-factor authentication enrollment website on a computer and enroll, then test access using your phone.