Information Technology Services IT Security Office
Note: Two-factor authentication (2FA) is mandatory for Mason employees
to access the Cisco AnyConnect VPN

ADVANCED FEATURES

Duo offers a multitude of ways to use 2FA. What you have completed during the initial enrollment is recommended and supported by ITS. Some of the below features are not supported by ITS. Basic information is provided and you can find more information on the Duo Guide.

Additional Authentication Methods

How to use Multiple Devices

Additional Device Options - Not Currently Supported by ITS

Additional Authentication Option for Smartphone and Tablet

If you are on a smartphone or tablet and you prefer not to receive push notifications through the Duo Mobile App then you can use passcode instead. Passcode are generated through the Duo Mobile App but do not require you to have data or wireless internet connection on your device. 

Generating a Duo Mobile App Passcode

  1. On your enrolled smartphone or tablet open the Duo Mobile App.
  2. Beside the name George Mason University tap on the green key.
  3. You will see a 6-digit passcode.

You can generate another passcode at anytime as it will only display for a short time. Generating a new password will invalidate any previously generated passcodes.

Using the Duo Mobile App Passcode

If you need more information about Cisco AnyConnect VPN go to vpn.gmu.edu.

  1. Open Cisco AnyConnect VPN on your computer.
  2. Type vpn.gmu.edu or your VPN Group URL and click connect.
  3. Begin logging into Cisco AnyConnect VPN with your Mason NetID.
  4. For the password you will use your Patriot Pass Password followed by a comma and the passcode on your phone.
  5. For example: password,725495
  6. After you complete the authentication you will then be logged in on Cisco AnyConnect VPN.

Append Mode

If you using multiple devices when providing your 2FA you can use Append Mode. Append mode allows you to specify what device you would like the authentication request to be sent to. If you have multiple devices of the same type registered you can add a number to the end of the device names. For example, push2 will send a login request to your second phone, phone3 will call your third phone, etc.

More information about this feature can be found in the Duo Guide.

If your Second Device is a...
Enter... Duo Response
  • Smartphone with Duo Mobile App
User: Mason NetID
Password: Password,push2
Automatic Duo Push via Duo Mobile App on 2nd device
  • Smartphone without Duo Mobile App
  • Mobile Phone
  • Landline
User: Mason NetID
Password: Password,phone2 
Automatic Phone Call on 2nd device

If you are unable to access any of your devices, you may request an Emergency Bypass Code that will be sent to the alternate email that you used during enrollment

Bypass Code (Non-Emergency)

If you know you will not have access to your 2FA enrolled device, you may request a bypass code for use in lieu of an enrolled device. Bypass codes are reusable and valid for 7 days.

Requesting a Bypass Code

  1. On a web browser go to the 2FA webpage, 2fa.gmu.edu. Click 2FA Account Login on the bottom right.
  2. Login with your Mason NetID and Patriot Pass Password.
  3. Complete the second factor authentication with your previously enrolled device.
  4. On the Management Options page click Request Bypass Codes.
  5. Click Generate Bypass Code.
  6. You will then see a bypass code and the expiration date/time.
  7. Request Bypass Code with Expiration
  8. Record or print the information

Using the Bypass Code

If you need more information about Cisco AnyConnect VPN go to vpn.gmu.edu.

  1. Open Cisco AnyConnect VPN on your computer.
  2. Type vpn.gmu.edu or your VPN Group URL and click connect.
  3. Begin logging into Cisco AnyConnect VPN with your Mason NetID.
  4. For the password you will use your Patriot Pass Password followed by a comma and the bypass code you were given.
  5. For example: password,725495
  6. After you complete the authentication you will then be logged in on Cisco AnyConnect VPN.

Yubikey

Only a Yubikey will work with 2FA. Other tokens (such as Vasco tokens) will not work with 2FA. To complete the setup for a Yubikey you will need to first setup the Yubikey and enroll the Yubikey. Then you can use it to access the Cisco AnyConnect VPN. ITS does not support Yubikeys. We recommend using a smartphone as your Duo device unless your department requires you to use a Yubikey.

Setting up the Yubikey

Following these steps will erase all accounts from your Yubikey.

  1. On your computer, download and install the Yubikey Personalization Tool from the Yubico website.
  2. Once the program is installed, insert your Yubikey into a USB port.
  3. Wait until the light on the Yubikey is a solid green. (If your computer prompts you to set up a new keyboard, close the window and continue to step 4.)
  4. Open the Yubikey Personalization Tool.
  5. Select Yubico OTP Mode.
  6. Click on the Quick button.
  7. Select Configuration Slot 1.
  8. Uncheck Hide Values.
  9. Click the Write Configuration button.
  10. If you are warned about overwriting the values in slot 1, click Yes.
  11. If you are asked to save a log file, you can save it or cancel.
  12. Leaving the Yubikey Personalization Tool open, continue to Enrolling the Yubikey.

Enrolling the Yubikey

  1. On a web browser go to the 2FA webpage, 2fa.gmu.edu. Click 2FA Account Login on the bottom right.
  2. Login with your Mason NetID and Patriot Pass Password.
  3. Complete the second factor authentication with your previously enrolled device.
  4. On the Management Options page click Enroll a Yubikey.
  5. From the Yubikey Personalization Tool, copy the Serial Number (in Dec or Decimal format), the Private Identity, and the Secret Key into the appropriate slots.
  6. Click on Enroll Device.
  7. Congratulations, your Yubikey is enrolled!

Using it with Cisco AnyConnect VPN

If you need more information about Cisco AnyConnect VPN go to vpn.gmu.edu.

  1. Plug your Yubikey into a USB slot on your computer (if it is not already).
  2. Open Cisco AnyConnect VPN on your computer.
  3. Type vpn.gmu.edu or your VPN Group URL and click connect.
  4. Begin logging into Cisco AnyConnect VPN with your Mason NetID.
  5. In the password box, type use your Patriot Pass Password followed by a comma then press the button on your Yubikey.
  6. For example: password, *press button on Yubikey*
  7. Cisco AnyConnect VPN will begin connecting automatically.
  8. Once the authentication is complete, you will be connected to the Cisco AnyConnect VPN.

If you are unable to access any of your devices, you may request an Emergency Bypass Code that will be sent to the alternate email that you used during enrollment.