Information Technology Services IT Security Office

  Coming April 15, 2018 (All Employees):
  2FA for Patriot Web and Banner-related applications


You'll find below the most frequently asked questions regarding 2FA at Mason. If you need additional support, please contact the ITS Support Center.

General Questions
What is 2FA?

Mason’s Two-Factor Authentication service is a higher-security login process that provides a second layer of protection to a user’s identity, as well as adding protection to data, systems, and services.

  • The first level (something you know) is the verification of the Mason NetID and Patriot Pass Password, and
  • The second level (something you have) is generally a smartphone, but other options are available.

Who needs to use 2FA?

All Mason employees will need to use 2FA to access applications where Central Authentication Services (CAS) are required to log in. 

All Mason employees who use the Cisco AnyConnect VPN to access Mason systems will need to use 2FA.

When do I need to use 2FA?

You will need to use 2FA any time you connect to an application that requires central authentication. 2FA is required even when connecting from a trusted wired network (most faculty and staff offices). 

You will need to use 2FA when you use the Cisco AnyConnect VPN. The VPN is typically needed to access specific applications or systems from off-campus locations, and sometimes from wired or wireless on-campus locations. Read more about Mason's VPN.

Supported Operating Systems
What operating systems are supported by Duo?

Mason follows Duo's recommendations about the best operating systems to use for 2FA. Duo currently supports:

  • iPhone & iPad — iOS 9.0 and greater.
  • Android — Android 5 and greater.
  • Windows Phone — Windows Phone 8 and greater.

More information about supported platforms is available on the Duo Guide.

Enrollment & Account Management
What if I don’t own a smartphone? Or I don’t want to install/add the Duo app on my smartphone?

Use of a smartphone is not required to use Duo. You can also enroll with your landline or office phone number. If you choose this option, you will receive a phone call where you will be asked to press 1 to confirm authentication. 

Can I use an international phone number?

Yes. These are the instructions to Enroll a non U.S. Phone Number.

Why do I need to enroll more than one device?

Enrolling a secondary device will allow you to access 2FA if the primary device you registered is unavailable. An additional device or alternate email address will allow you to get a bypass email.

Can I unenroll or opt out of using 2FA?

No, it is required for all employees who log in to 2FA-enabled applications and services.

Is my smartphone compatible?

If you opt to use the Duo Mobile app, you may run into an issue where your smartphone isn't supported. You can see the supported platforms on the Duo Guide.

Duo no longer provides support for iOS 8 and Android 4, aka Lollipop. Duo will still run if it is already installed on these devices, but there will be no more updates to the app, and it will not be available for download from the app stores for devices running these versions.

If your smartphone is not supported you can still enroll your device as a mobile phone. This will allow you to receive 2FA authentication requests via phone call.

What should I do if I get a new smartphone?

If you get a new smartphone, you need to re-download the Duo Mobile app. The instructions for downloading the mobile app and setting up your new device are found under Replacing a Smartphone.

Using 2FA with Web Applications
How do I log in to use 2FA with Web Applications?

You log into CAS-enabled applications by authenticating through your enrolled device. Using 2FA with Web Applications provides instructions.

How do I use 2FA with Web Applications?

When you log into an application which requires 2FA, you will be asked to use your enrolled device to finish authenticating. These are the instructions for using 2FA with Web Applications.

How do I enroll a device?

To enroll a device in 2FA, follow the instructions in the Enrollment Guide.

Do I have to authenticate the second factor every day?

No. You can use the 'Remember me for 7 days' function in Duo. You will not be asked for a second factor for 7 days when you are on the same computer and using the browser you authenticated from. These are the instructions for 'Remember me for 7 days.'

Using 2FA with Cisco AnyConnect VPN
How do I get the Cisco AnyConnect VPN Client?

Information on the VPN and Cisco AnyConnect installation instructions are found on the VPN information page.

I normally use 'auto-select' when I connect, what should I do now?

Auto-Select has been removed from the drop-down list on Cisco AnyConnect VPN. You will need to log in differently, following the VPN Group information.

Why am I getting multiple requests from Duo?

If you do not reply to an authentication request from Duo, it will continue to try to reach you up to 6 times. If you log in on Cisco AnyConnect VPN multiple times, it will send you 6 requests each time until you respond. Sometimes it is best to wait 5 minutes until all the notifications stop before attempting to log in again.

Why did I not get a request from Duo Mobile?

Verify that you have notifications turned on for the Duo Mobile app by Duo Security. If you do not have notifications turned on, it will not pop up and prompt you to approve.

Traveling with Duo
When outside the country, will I get an International push from Duo?

You must have a data or wireless internet connection in order to receive a push. However, with the Duo Mobile app on your phone, you can tap the green key button to receive a 6-digit passcode. On the Cisco AnyConnect VPN, type this passcode into the password field after your password, separated by a comma. For example: password,725495. This option will work even without an Internet connection and/or cellular service.

I’m in a location with poor cell coverage. How can I use 2FA?

In locations where cell coverage is not available, you can still use the Duo Mobile app to generate a passcode, or use an alternate email address to get an emergency bypass code.

Emergency Access & Security
I don't have access to my enrolled devices, how can I get logged in?

Two methods exist to obtain emergency access. Please refer to the page on Emergency Access.

Are there alternate methods for authentication?

Yes. The additional methods for authentication can be found under the Advanced Features section.