Information Technology Services IT Security Office
Note: Two-factor authentication (2FA) is mandatory for Mason employees to access the Cisco AnyConnect VPN.


You'll find below the most frequently asked questions regarding 2FA at Mason. If you need additional support, please contact the ITS Support Center.

General Questions
What is 2FA?

Mason’s Two-Factor Authentication service is a higher-security login process that provides a second layer of protection for a user’s identity, as well as adding protection to data, systems, and services.

  • The first level (something you know) is the verification of the Mason NetID and Patriot Pass Password, and
  • The second level (something you have) is generally a smartphone, but other options are available.

Who needs to use 2FA?

All Mason faculty and staff who use the Cisco AnyConnect VPN to access Mason systems will need to use 2FA.

When do I need to use 2FA?

You will need to use 2FA when you use the Cisco AnyConnect VPN. The VPN is typically needed to access specific applications or systems from off-campus locations, and sometimes from on-campus wired or wireless locations. Read more about Mason's VPN.

2FA WILL NOT be required when connecting to resources from a trusted wired network (most faculty and staff offices).

Enrollment & Account Management
Can I use an international phone number?

Yes. Instructions to enroll using an international phone number can be found here.

Why do I need to enroll more than one device?

It’s important to enroll more than one device in 2FA in case you don't have access to the primary device you registered.

For example, if you accidentally leave your cell phone at the office, you can use your backup device or alternate email address to log in to the Cisco AnyConnect VPN.

Can I unenroll or opt out of using 2FA?

All Mason faculty and staff members are required to use 2FA to log in to the Cisco AnyConnect VPN. Faculty and staff members will not be able to unenroll without losing access to the Cisco AnyConnect VPN.

Is my smartphone compatible?

If you opt to use the Duo Mobile app, you may run into an issue where your smartphone isn't supported. You can see the supported platforms on the Duo Guide.

If your smartphone is not supported, you can still enroll your device as a mobile phone. This will allow you to receive 2FA authentication requests via phone call.

Using 2FA with Cisco AnyConnect VPN
How do I get the Cisco AnyConnect VPN Client?

Information on the VPN and Cisco AnyConnect installation instructions are found on the VPN information page.

I normally use 'auto-select' when I connect, what should I do now?

Auto-Select has been removed from the drop-down list on Cisco AnyConnect VPN. You will need to log in differently, following the VPN Group information.

Why am I getting multiple requests from Duo?

If you do not reply to an authentication request from Duo, it will continue to reach you up to 6 times. If you log in on Cisco AnyConnect VPN multiple times, it will send you 6 requests each time until you respond. Sometimes it is best to wait 5 minutes until all the notifications stop before attempting to log in again.

Why did I not get a request from Duo Mobile?

Verify that you have notifications turned on for the Duo Mobile app (by Duo Security). If you do not have notifications turned on, it will not pop up and prompt you to approve.

Traveling with Duo
When outside the country, will I get an International push from Duo?

You must have a data or wireless internet connection in order to receive a push. However, with the Duo Mobile app on your phone, you can tap the green key button to receive a 6-digit passcode. You will type this information into the password field on Cisco AnyConnect VPN. For example: password,725495. This option will work even without an Internet connection and/or cellular service.

I’m in a location with poor cell coverage. How can I use 2FA?

In locations where cell coverage is not available, you can still use the Duo Mobile app to generate a passcode, or use your alternate email address to get an emergency bypass code.

Emergency Access & Security
I don't have access to my enrolled devices, how can I get logged in?

Two methods exist to obtain emergency access. Please refer to the page on Emergency Access.