Use Two-Step Login (Duo) with a group account

Before you begin

For important details about using Two-Step Login (Duo) with a group or departmental account, see Best practices for group accounts.

Each person who uses a group account needs to enroll a Duo device for that account. Note the following:

  • You do not need a separate device for each account you access (whether personal or group), as the Duo Mobile app supports multiple usernames per device.
  • Single-button hardware tokens also support multiple usernames, as long as only one of them is listed as primary. Each token should belong to one person, who can use the same token to access all group accounts to which they have access; tokens should not be shared between different people who have access to the same group account.

Enroll a device for the account owner

To set up Duo for use with a group or departmental account, the account owner should do the following:

  1. In a fresh browser (that is, a browser in which you have not logged in using IU Login), go to the Duo Self-Service Portal. Log in using your group account credentials.
    Note:
    If your group account is new, be aware that it can take up to 24 hours before it is fully active and ready for use.
  2. When you see the "Protect Your Indiana University Account" screen, enroll a device for Duo. For step-by-step instructions, choose the type of device you'd like to enroll:
    Note:

    If you need to have a single-button hardware token added to a group or departmental account, the account owner needs to visit a Support Center walk-in location with a photo ID.

    If your mobile device is already enrolled in a group account and you wish to add your token as a secondary device, visit a Support Center walk-in location with a photo ID and your primary Duo authentication device. A Support Center consultant will verify your identity and that you can log into the account. After these two verifications, the consultant will add your token to the group account.

Enroll subsequent devices

Each person besides the account owner who needs to log in using the group account should enroll their own Duo device using the same instructions as for a personal account. However, someone whose device is already enrolled for the group account must be present to complete the required Two-Step Logins for the person attempting to enroll a device.

For step-by-step instructions, see Manage your Two-Step Login (Duo) devices and settings.

Note:

With the transition to Duo Universal Prompt, group account logins will behave differently than before. With group accounts, when a Duo push is the most secure authentication method for an account, the default push-enabled device will receive a push notification the first time someone logs into the account with a new browser. To choose a different device, select Other options. Then select a different device to receive the push notification, or choose a different authentication method.

Your browser will remember your last-used authentication method in the future unless you use an incognito window, clear your cache and cookies, or log in using another browser or device.

This is document aobp in the Knowledge Base.
Last modified on 2023-09-27 11:43:51.