skip to main content

Authentication & Authorization Services

Two-Factor Authentication

Two-factor Authentication Options

Duo supports a wide variety of two-factor authentication options. While this flexibility is nice for customers, this can create uncertainity about which option is best. Following is a summary of the different options.

Device Recommendations

The best choice of device for a person depends on how the person will be using two-factor authentication:

Guide for choosing a primary Two-Factor Device
Two-Factor AuthN Usage Recommended Device
use Duo Two-Factor Authentication only at work on a PC or laptop primary device: Yubikey token
set up a mobile or office phone as a backup device
regularly access applications from a mobile device primary device: Duo App (either Push or Passcode) installed on mobile device
set up home or office phone as backup device
IT professional who regularly logs into Unix or Linux servers or use RDP to connect to Windows servers primary device: Yubikey is your friend
Please be aware that SCP and RDP gateways frequently require Dup Push, so set up Dup App on mobile phone as a backup.

Device Overview

Mobile Phone-based Authentication

With this option, the person's mobile phone serves as the second security token (i.e. what you have). Mobile phones can be used in a variety of ways:

  • If the phone is a smartphone, an application can be installed on the phone. Once activated it performs the functions normally provided by a security token.
  • use Short Message Service (SMS) messaging
  • interactive telephone call
Two-Factor Authentication using Duo Mobile App Push Notification

Device Requirements

Works only on smart phones and tablets.

  • iOS devices must use iOS 6.0 or above
  • Android devices must use 2.3.3 (Gingerbread) or above

Set up Requirements

  1. Install Duo Mobile app on device.
  2. Register device.

Usage Limitations

Internet connectivity is required, so there may be locations/situations where use of this option is not viable or functional (airplanes, basements).

Financial Cost

None.

Two-Factor Authentication using Duo Mobile App Passcode

Device Requirements

Works only on smart phones and tablets.

  • iOS devices must use iOS 6.0 or above
  • Android devices must use 2.3.3 (Gingerbread) or above

Set up Requirements

  1. Install Duo Mobile app on device.
  2. Register device.

Usage Limitations

No limitations. This works anywhere, even in places where you don't have an internet connection or can't get cell service.

Financial Cost

None.

Two-Factor Authentication using SMS Passcode

Device Requirements

Any smart phone, tablet, or cell phone able to receive text messagess.

Set up Requirements

  1. Register device.

Usage Limitations

Cell service required.

When this option is selected, Duo sends a set of 10 passcodes for an SMS request. Users have to use the passcodes in the order given, requiring them to keep up with where they are at in their set.

SMS may be used with either Self-Service Password Reset or as a Duo Two-Factor Authentication option. It cannot be used for both. We recommend using SMS for Self-Service Password Reset rather than for Duo Two-Factor Authentication.

Financial Cost

Users are billed by their carrier for passcodes received by SMS the same way they are billed for any other text message. The specific cost to the user is based on the user's carrier plan.

Duo charges the university telephony credits for each SMS message it sends to users. The number of credits charged will vary depending on where the user is at the time the SMS message is sent. For users within the domestic U.S., an SMS costs the university one credit (one cent).

Two-Factor Authentication using Phone Call

Device Requirements

Any phone able to receive a phone call.

Set up Requirements

  1. Register device.

Usage Limitations

Cell service required.

Financial Cost

Users are billed by their carrier for phone calls the same way they are billed for any other phone call. The specific cost to the user is based on the user's carrier plan.

Duo charges the university telephony credits for each phone call. The number of credits charged will vary depending on where the user is at the time the phone call is sent. For users within the domestic U.S., a phone call costs the university two credits (two cents).

USB Token-based Authentication

A USB token is a specific type of hardware token designed to include a Universal Serial Bus (USB) connector. A USB port is standard equipment on today's computers. The token plugs into a computer's USB port. With this option, the person's token serves as the second security token (i.e. what you have).

Two-Factor Authentication using Yubikey Token

Device Requirements

Any computer with a USB port.

The Yubikey Neo token can also be used with smart phones equipped with Near Field Communication.

Set up Requirements

  1. Purchase token through the SELL.
  2. Go to Identity Management Office to register device.

Usage Limitations

Unless the Yubikey Neo token is purchased, the token can only be used with a computer equipped with a USB port.

The Yubikey Neo token can also be used with smart phones if the smart phone is equipped with Near Field Communication.

Internet connectivity is also required.

Financial Cost

Texas A&M departments are required to pay for the token.

Yubikey tokens are available from the SELL.

Two-Factor Authentication using U2F Token

Device Requirements

Any computer with a USB port.

Set up Requirements

  1. Purchase token.
  2. Register device.

Usage Limitations

U2F tokens currently only work for authenticating to web applications from the Chrome browser.

Financial Cost

Users or their departments are required to pay for their U2F token.

These tokens are available for purchase only through external vendors like Yubico or Amazon. Texas A&M departments are required to pay for the token.

Landline Phone-based Authentication

A landline phone is also an option for two-factor authentication. This option restricts the user to a specific phone in a particular location, making it much less flexible than tokens or mobile phones that can be taken anywhere.

Two-Factor Authentication using Landline Phone Call

Device Requirements

Any phone able to receive a phone call.

Set up Requirements

  1. Register phone number.

Usage Limitations

Landlines require you to be in a particular physical location. Phone service must be operational.

Financial Cost

Users are billed by their carrier for phone calls the same way they are billed for any other phone call. The specific cost to the user is based on the user's carrier plan.

Duo charges the university telephony credits for each phone call. The number of credits charged will vary depending on where the user is at the time the phone call is sent. For users within the domestic U.S., a phone call costs the university two credits (two cents).