Below are some frequently asked questions regarding Duo two-step login for Oregon State University. For additional documentation on Duo, explore the Duo knowledge base. If you do not see your question addressed here or you have other comments, please contact us.

Why Mandatory?

Passwords are no longer enough: we need Duo Two-Step Login to protect our financial data, our student data and our research data, and also to protect the reputation of the University.  Each year, sophisticated “phishing” schemes and other tactics lead to hundreds of ONID accounts becoming “compromised” (accessible to unauthorized people), and that number continues to increase. Nationally, other universities have been adopting two-step login for several years, and it’s time for us to join them.  It’s our responsibility as good “digital citizens” to protect the data entrusted to our care.

In recent months, the rate of successful compromises of ONID accounts has dramatically increased at Oregon State. In the Fall of 2018, there was a 400% increase in compromised accounts, when compared to a prior three-year average. Other universities across the country have responded to similar increases by requiring Duo, or similar two-step login processes, for all accounts. Because two-step protocols are the best means of reducing the success rate of the attacks, Oregon State will require all non-student ONID accounts to use this technology by May 22, 2019.

The recent increase of compromised accounts represents an unacceptable level of risk to institutional data and sensitive information. Because nearly everyone at OSU has access to non-public information, the best way to address this risk, and to protect the OSU community, is to make Duo two-step login mandatory for all ONID accounts. Duo will become mandatory for non-student accounts on May 22, 2019, and for student accounts during AY2019-2020. University-wide use of two-step login helps us protect against attempts to steal information entrusted to our care, including financial data, student and employee records, and sensitive medical and human subjects data. Without Duo, we are at much greater risk.

  • Attempts to change your paycheck direct deposit setting without your knowledge
  • Criminals attempting to commit identity fraud
  • Unauthorized access to read and send your email

Yes! Most of our peer institutions have already implemented mandatory two-step login (sometimes referred to as multifactor authentication) for their employees. Many have also made this type of security mandatory for students already or are beginning to do so. See the partial list below for details on what some other institutions are already doing.

| University | Employee | Student |
| --- | --- | --- |
| University of Arizona | Mandatory | Mandatory |
| Arizona State University | Mandatory | Student employee mandatory; other students optional (except direct deposit); mandatory planning underway |
| University of California, Berkeley | Mandatory | Mandatory |
| University of California, Los Angeles | Mandatory | Mandatory |
| University of Colorado Boulder | Mandatory for specific applications | Mandatory for specific applications |
| University of Oregon | Optional | Optional |
| University of Southern California | Mandatory | Student employee mandatory; not available for other students |
| Stanford University | Optional | Optional |
| University of Utah | Mandatory | Student employee mandatory; other students optional |
| Washington State University | Planned | Planned |
| Purdue University | Mandatory | Mandatory |
| Colorado State University | Mandatory | Mandatory for specific applications |
| Iowa State University | Optional | Optional (December 2019 mandate) |
| North Carolina State University | Mandatory | Student employee mandatory; optional for other students |
| University of California, Riverside | Mandatory | Mandatory |
| University of Tennessee | Optional (Fall 2019 mandate) | Optional (Fall 2019 mandate) |
| Ohio State University | Mandatory | Mandatory |
| Pennsylvania State University | Mandatory | Optional |
| University of California, Davis | Mandatory | Optional (Fall 2019 mandate) |
| University of Florida | Optional & Mandatory | Optional |
| University of Illinois | Mandatory | Grads - Mandatory; Undergrads - Optional |
| University of Wisconsin | Mandatory | Optional (Q4 2019 mandate) |

Two-step and Duo

Two-step login is a way to protect your account by requiring both something you know (password) and something you have (smartphone, tablet, or hardware token). (Video: What is Two-Factor Authentication? (2FA))

Duo Push is the easiest way to perform two-step login on your account. Read more about Duo Push or watch the following video to see how easy it is. (Video: Two-Factor Authentication with Duo Push)

All users with ONID accounts can enroll and use Duo's two-step login.  This includes faculty, staff, students, associates, retirees and sponsored accounts.

Passwords are not enough. They can often be stolen, guessed, or hacked, and you may not even realize your password has been compromised. With Duo two-step login on your account, a compromised password doesn't have to mean a compromised account.

Yes. Online access to Direct Deposit, W2s, and 1098-T tax forms requires Duo access. Certain departmental systems may also require Duo for access. By the end of May, 2019, everyone with an ONID account (except students) will be required to use Duo for access to many important OSU systems. Student use will be required at a later date.

Once you enroll in Duo, you need to perform one more password change, and that password will never expire.  You may need to change it for other reasons, but it will no longer expire annually.

Installing Duo

Go to duo.oregonstate.edu and click the “Sign up for Duo” button and follow the steps on screen.  The Duo Guide provides instructions on enrollment and an overview of how Duo works.

The Duo Mobile app is available for Android 6.0 and newer, and for iOS 10.0 and newer. Duo Mobile also works with the Apple Watch. Duo hardware tokens can be used in addition to, or instead of, the Duo Mobile app. See below for more information about Duo hardware tokens.

Yes, you can. In fact, if you have more than one device, we strongly recommend it. It provides you with options if something unfortunate happens to one of your devices. You can register more than one smartphone or tablet. You can register one hardware token for your account.

Instead of a smartphone (or other mobile device), you can use a Duo hardware token.  See the Hardware Token page for more information about Duo hardware tokens.

No.  Deleting the Duo app will not unenroll you from Duo.  Deleting the app, without a secondary device registered, will lock you out of your ONID account.  Reinstalling the Duo app will not grant access until it is re-registered to your account, which will require a Duo authentication.  

If you deleted the app and need to reactivate it on your phone, use Device reactivation.

Android: Launch the Play Store app and search for “Duo Mobile”. Choose the Duo Mobile app from Duo Security, Inc., (not Google Duo). Download and install the application.

iOS: Launch the App Store app and search for “Duo Mobile”. Choose the Duo Mobile app from Duo Security, Inc. (not Google Duo). Download and install the application.

Duo hardware tokens are small devices (about the size of a car key fob) which can be used with Duo instead of a mobile device. See the Hardware Token page for detailed information about how to obtain a Duo hardware token.

Using Duo

You can generate a passcode by opening the Duo app and tapping the entry for Oregon State University. A six-digit code will be displayed. You can enter the six-digit code on the OSU Login two-step screen by selecting the passcode option. Additionally, a hardware token may be used to generate the six-digit code.

Changing your SIM card will not impact your Duo use because the app is tied to the device's hardware security module (HSM).  You will still be able to use your phone with Duo.

Open the Duo app and the push notification should be waiting there. Read more about troubleshooting Push notification issues for iOS and Android.

You should report all Duo Push messages that you did not generate. This may be a sign of someone attempting unauthorized access to your account, and your password may be compromised. Deny the push notification and then confirm that it’s a fraudulent attempt. You should change your ONID password if this occurs.

Currently it does not; however, we expect that VPN will require Duo in the future.

Yes. Using a device for two-step login comes with the obligation to take reasonable precaution to protect it. Such precautions normally include the use of a password or a PIN to unlock the phone, as well as maintaining current versions of your device's operating system and Duo Mobile.

Excessive consecutive authentication failures, including missing push notifications or entering invalid passcodes, will cause your account to be locked for 30 minutes.

If you have a secondary device registered, such as a tablet or hardware token, you can still use that device to access your account. If you get a new phone with the same phone number, you can use Device Reactivation to activate it.

If you do not have a secondary device, and do not have a new phone with the same phone number, you will need a bypass code to access your account.  

If your phone number is the same, you can use Device Reactivation to activate the new phone.

If your phone number has changed, and you do not have a secondary device to use with Duo, you will need a bypass code to register the new phone. Please see this article (https://oregonstate.teamdynamix.com/TDClient/KB/ArticleDet?ID=60763) for the procedure to activate your new phone.

In order to receive a bypass code, you need to have your identity verified.  This is typically done with photo ID in person or via a video chat.  Your ID cannot be verified by email.

The IS Service Desk can generate a bypass code for any user.  You can contact the IS Service Desk by visiting them in Milne 201 or by calling 541-737-8787.  It is strongly recommended that you call or visit in person.  If you are unable to call or visit, you may also submit a ticket, but it may take longer to resolve your issue.

In addition, you can receive a bypass from a local IT support group if it is on the following list:

  • Athletics
  • Ag (Roots)
  • CASS
  • CEOAS
  • CGRB
  • Client Services
  • Business
  • Engineering
  • Forestry
  • HMSC
  • MU
  • OCSC
  • CoSINE (College of Science & Liberal Arts)
  • Student Health Services (SHS)
  • University Housing and Dining (UHDS)
  • VetMed
  • OSU Foundation