Duo Two-Factor Authentication


Duo Universal Prompt

Princeton uses the Duo Universal prompt as a second layer of security for your Princeton account.  Duo verifies your identity using a second factor (like your phone or other mobile device).  This prevents anyone but you from logging in, even if they know your password. See the Duo Universal Prompt (external link) for more information and instructions.

When you log in to a Princeton application for the first time, the Duo enrollment process will start automatically.  When setting up Duo, it is best to perform this process on a computer or laptop, and have your intended mobile device with you.  We recommend installing the Duo Mobile app on your mobile phone for the best experience.  

  1. From a computer, log in to a Princeton application e.g. Path to Princeton, your Princeton email or TigerHub.  
    The Duo Enrollment process will start and you will be guided through the setup process.
  2. When prompted, select the Recommended methods for verification.
  3. Download the Duo app to your device.
  4. Activate Duo on your device.

The Duo Universal Prompt can now be used to manage and enable Duo devices instead of the existing Princeton Duo Portal. The Princeton Duo Portal will be retired during the summer of 2022.

New Account first-time Duo enrollment

First-time Enrollment in Duo (external link)

Download the Duo App

Add Duo Mobile App (external link)

Scan QR code OR email activation code

We recommend that you Scan the QR code.  Alternatively, you can select email activation code as long as it is an email account you can access from your device.  Use your Princeton email account if possible, but you may input a personal email account you can access from your device.

 

Scan QR Code or Email Activation code

 

Difficulties scanning the Duo QR Code?  Try email activation code or please,  Contact Information Technology. We can send you an activation link instead. 

Enable Cookies & Trust Browser (90 Days)

Note:  Be sure you have cookies enabled on your device.  Safari users may also need to enable cross-site tracking. See below for instructions.

Safari Enable Cookies & Cross-Site Tracking

iOS:  iOS users, if you receive the message "You need to enable cookies in order to remember this device," you likely have "block cross site tracking" and/or "block all cookies" turned on in Safari.  To fix this:

  1. Navigate to Settings.
  2. Tap Safari.
  3. Scroll down to Privacy and Security.
  4. Disable Prevent Cross-Site Tracking (Swipe the toggle left so that it is black, not green).
  5. Disable Block all Cookies (Swipe the toggle left so that it is black, not green).

Manage cookies and website data in Safari

Chrome Enable Cookies

Clear, enable, and manage cookies in Chrome (external link)

Trust Browser Remember Browser 90 Days

Push Yes, trust browser to remember the device and browser for 90 days. At the end of 90 days, you will have to select Trust Browser again when prompted.

Trust this browser screen with buttons

Check for a Duo Push

You may also check Trust browser on the Check for a Duo Push screen. 

Check for Duo Push

Forget Browser

If you don't want to trust that browser again, uncheck the Trust browser box before you approve the Duo Push or phone call request or enter a passcode.

Add/Change Device(s) after initial enrollment

Once you have enrolled in Duo, you have access to a secure, personalized device management portal where you can add, change or remove devices.  The device management portal is accessed via your routine log in and Duo prompt screens. 

  1. Log in to a Princeton Application.
  2. On the Check for a Duo Push screen, click the Other options link.
  3. On the Other options to log in screen, navigate to Manage devices at the end of the list.
    Other Options Login Manage Devices
  4. Click Manage devices.
  5. You will be asked to verify your identity, like you do for a normal Duo verification process. Select your verification e.g. Duo Push and verify.
  6. You will see a message, "sending you to the devices page," and will be taken to the Duo Device Portal which looks like this:

For full steps on accessing Duo Device Management read Add or Manage Devices After Enrollment (external link).

Add a Backup Method

  1. Log in to a Princeton Application.
  2. Click the Other options link on the Check for a Duo Push (authentication) page to view your list of available methods.
  3. Navigate to Manage devices at the end of the list.
  4. Click Manage devices to enter the device management portal.
  5. You will be asked to verify your identity, like you do for a normal Duo verification process. Select your verification e.g. Duo Push and verify.
  6. You will see a message, "sending you to the devices page," and will be taken to the Duo Device Portal.
  7. Select the Add a device tile.
  8. On the Select an option window, select the desired backup method.

For more detailed step-by-step instructions read Add Another Device/ Verification Method (external link).

Add a New Device

You will need to use your original device OR your backup method to setup a new device/ phone.   

New Phone - have old device with a Duo registered phone number or can use a backup

  1. Log in to a Princeton Application.
  2. Click the Other options link on the Check for a Duo Push (authentication) page to view your list of available methods.
  3. Navigate to Manage devices at the end of the list.
  4. Click Manage devices to enter the device management portal.
  5. You will be asked to verify your identity, like you do for a normal Duo verification process. Select your verification e.g. Duo Push and verify.
  6. You will see a message, "sending you to the devices page," and will be taken to the Duo Device Portal.
  7. Select the Add a device tile.
  8. On the Select an option window, select the desired backup method.

For more detailed step-by-step instructions read Add Another Device/ Verification Method (external link).

New Phone Same Number - don't have old device or a backup

  1. Log in to a Princeton Application.
  2. Click the Other options
  3. Select Phone Call or Text Message Passcode.
  4. Approve the call or enter the passcode.
  5. Navigate to Manage devices at the end of the list and repeat the step above.
  6. Follow instructions Reactive Duo Mobile for an Existing Device (external link)

Other Scenarios

Please contact Information Technology in the following cases. For security, we will ask you to present a form of identification, such as your drivers license, to support this process. 

Duo Hardware Token

If you do not have access to a mobile device or phone, you may select a Duo Hardware Token. The token will generate a passcode which you input to verify your identity. Token does not require wireless or data connection.

How to Get a Token

There is no charge for the initial token.

Contact the oitstore@princeton.edu to request a DUO Hardware Token. The OIT Store Staff will process your request and register a token to your account.

Pick up Duo Hardware Tokens at 112 Frist Campus Center in the Tech Clinic. Hours for the Tech Clinic can be found here. Princeton ID is required. 

You are personally responsible for a $50 replacement fee if the initial token is lost.

How to Use a Token

Hardware Token Passcode (external link)

Forgot/Lost my Phone or Token

If you forgot your phone or token, Contact Information Technology We will provide you with a temporary Bypass code.

Reactivate Duo Mobile for Existing Device

Reactivate Duo Mobile for an Existing Device (external link)

Devices that Don't Support Duo

Applications and devices that don't support the inline Duo Prompt or a secondary passcode field can use append mode. You'll enter both your password and an authentication method into the password field.  You'll enter both your password and an authentication method into the password field.  Read Append Mode (external link)

Troubleshooting General

Solve Duo Common Issues (external site)

iPhone Troubleshooting

You are "Stuck" on Duo Window after Clicking Approve

Issue: After you click Approve, Duo does not take them to the Trust Browser screen (like it used to in old Duo).  To the user Duo push will appear to "get hung up" and not connect to the application. 

Suspected Cause:  The Trust Browser window is not automatically opening as it should.  We are seeing this issue with the TigerSafe app.

Resolution Option 1: Swipe Up

  1. Swipe up from the bottom of your screen to view the open windows and applications on your iPhone.
  2. You should see a Trust Browser window. 
  3. Press Trust Browser.  Once you do this, you will not have to perform this step again for 90 days.
  4. Swipe up again, and find the application window, for example the COVID Testing Kit window.

Resolution Option 2: Type the URL into a Browser

Instead of using an application on your phone, use your browser to navigate directly to the application. 

For example if you are having issues with TigerSafe, navigate to your browser and type in the direct URL:

iPhone Focus (Do Not Disturb) Turned On

Confirm if you have "Focus" turned on, specifically, Do Not Disturb.  Do Not Disturb BLOCKS Duo notifications. Turn off Do Not Disturb.

Unexpected Duo Notification

If you receive a Duo push or phone notification that you did not expect or initiate, tap Deny.  DO NOT Approve. Tap Deny and immediately Contact Us. An unexpected Duo prompt could be a hacking or ransomware attempt.

Duo Access denied message

In order to comply with U.S. regulations, Duo blocks authentications from users whose IP address originates in a country or region subject to economic and trade sanctions.  Read this article from Duo for more information: Why am I seeing the message “Access denied. Duo Security does not provide services..." (external link)