Known issues and troubleshooting for Two-Step Login (Duo) at IU

Important:
As of November 2, 2017, CAS logins for all IU students, faculty, staff, retirees, affiliates, and those with Academic (ACNP) status require Two-Step Login (Duo). On November 30, 2017, this will also include group or departmental accounts. IU Guest accounts do not require Two-Step Login. For more, see About using Two-Step Login (Duo) every time I log into CAS.

The following are known university-wide issues, troubleshooting steps, and common questions for Two-Step Login (Duo) at Indiana University.


General issues and troubleshooting

Issue Description Workaround Last updated
Error message "Incorrect passcode. Please try again." after correctly using a passcode from a token

You may see the "Invalid Passcode" error for any of these reasons:

  • You haven't used your token for more than a month.
  • The token went out of sync after the button was pressed repeatedly over a short period of time or if the numbers generated were not used. This can happen if you keep it in your pocket or on a keyring.
  • You have the token upside down. When the token is right side up, you should only see digits (not letters), and the word "DUO" and the button should be on the left side.
  • You have multiple devices and attempted to use the token. If you have a phone, it should be your default device. To use the token, choose it from the drop-down box at the Duo prompt.

Attempt to log in three times in a row with a new code each time to resync your token to the Duo servers. If it still fails after the third attempt, contact your campus Support Center.

August 31, 2016

Device name has changed in the drop-down menu and in the two-step "My Devices and Settings" page

Device names in Duo are consistent across all accounts. If a device is used for both a personal account and a group account, the same device name appears and can be modified in both accounts. If someone changes the device name in a group account, that change will be reflected in the personal account's drop-down and "My Devices and Settings" page.

Device names should be descriptive of the device and its owner (e.g., username - device description), and should not be changed without reason.

October 11, 2017

U2F token is not appearing in the device list

Because U2F tokens are added to accounts differently, they don't appear on the default device list. This can also create an issue where the first device you've registered is a U2F token, and when accessing twostep.iu.edu, you will be prompted to enter the last four digits of your SSN.

This is expected behavior. You can manage your U2F token by clicking the link at the bottom of the "Your devices & settings" page. After you enroll a second device, you will no longer be prompted to enter the last four digits of your SSN to log into twostep.iu.edu.

October 11, 2017

iOS 8/Android 4 Duo Mobile support ended September 1, 2017

Duo Mobile support for Apple devices running iOS 8 or earlier and Android devices running Android 4 or earlier is no longer available. The Duo Mobile app is no longer available for download for these devices as of October 1, 2017.

Push and app-generated passcode authentications will continue to function on previously installed apps. Duo authentication in the form of phone calls and SMS text messaging will also continue to be available for these devices without the Duo Mobile app.

September 26, 2017

On an iPhone or iPad, a gray box displays instead of the Duo Prompt

Configurable content restrictions in iOS can prevent the Duo Prompt from displaying correctly.

For help disabling content restrictions in iOS, see How do I resolve Duo Prompt display issues related to iOS content restrictions?

September 25, 2017

Duo authentication prompt does not load when attempting to sign into Chrome with a Google at IU account

The web page does not load the Duo authentication prompt and instead displays a blank space where the prompt should appear.

Workaround: N/A

June 13, 2017

YubiKey 4 Nano is not recognized

A YubiKey 4 Nano is connected to your computer, but it is not being recognized by Duo or other YubiKey-supported services.

Check to make sure the device is inserted the correct way into your computer (e.g., unplug the device, turn it over, and plug it back in).

June 9, 2017

In China, Duo Mobile for Android cannot be downloaded from the Google Play Store

In China, the Google Play Store is not available.

You can download the Android Duo Mobile app directly from Duo's website instead of using the Google Play Store.

To install the app, you will need to enable a "sideloading" feature in your Android device. Sideloading means installing an app from a source other than the Google Play store.

To enable sideloading in your Android device:

  1. From the Home screen, press Menu. Tap Settings, then Security, and then check Unknown sources.
  2. Download the Duo Mobile app directly.

    You will need to use your Android device's File Manager app to locate and install the downloaded app.

Note: Duo Mobile push notifications require Google Play Services. Google Play Services are not available in China, so you will have to "fetch" Duo Mobile push notifications by opening the Duo Mobile app and swiping down.

May 15, 2017

iOS 7 Duo Mobile support ending on March 1, 2017

Duo Mobile support for Apple devices running iOS 7 or earlier will end on March 1, 2017. Duo Mobile for iOS 7 will also be unavailable for download. Duo authentication in the form of phone calls and SMS text messaging will continue to be available for these devices.

February 24, 2017

Blank or flashing screen appears when attempting to authenticate to Duo

Using older versions of Chrome with the LastPass extension may prevent the Duo interface from loading.

Update Chrome to the latest version.

February 3, 2017

Duo authentication prompt does not load

The web page does not load the Duo authentication prompt and instead displays a blank space where the prompt should appear. Dragon NaturallySpeaking speech recognition software sometimes causes this issue.

Temporarily disabling this software allows the Duo authentication prompt to load correctly.

October 17, 2016

Changes not saved when renaming device

If you click Back to login without clicking Save, your changes will not be saved.

Follow the instructions in Renaming a device in Managing your Two-Step Login (Duo) devices and settings.

September 6, 2016

"Undefined" error message

If the Duo two-factor authentication screen displays an "Undefined" error when you are trying to send a login request, most likely your session timed out after staying idle for too long.

Refresh the page or open a new browser window, and then try again. If the problem persists, contact your campus Support Center for help.

September 6, 2016

Account is locked

Your account may be locked after repeated failed login attempts.

If your account is locked, contact your campus Support Center to request that it be unlocked.

September 6, 2016

Error message "Denying unknown user"

When using Duo to log into an Indiana University service, if you have not finished enrolling, you may see the error message "Denying unknown user."

Try to complete the process to enroll your mobile device with Duo.

August 18, 2016

If you use Two-Step Login (Duo) every time you log into CAS, the Duo screen is cut off during Office 365 account sign-in

When signing into your Office 365 account using any Office desktop application for Windows, the Duo Authentication screen does not completely fit in the window and some options are cut off the screen.

Press Tab on your keyboard to scroll down and view the rest of the Duo Authentication options.

August 10, 2016
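
Why unused button presses desynchronize a token and why three consecutive codes resync it, as an added example (not from this page or from Duo), assuming the hardware token is an event-based HOTP generator per RFC 4226. `TokenValidator`, its window sizes and the 40-press drift are hypothetical; Duo's actual server logic and limits are not described on this page.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class TokenValidator:
    """Hypothetical server-side state for one token (not Duo's code)."""

    def __init__(self, secret: bytes, window: int = 5, resync_window: int = 200):
        self.secret, self.counter = secret, 0
        self.window, self.resync_window = window, resync_window

    def verify(self, code: str) -> bool:
        """Normal login: one code, small look-ahead past the stored counter."""
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # a used code can never be replayed
                return True
        return False

    def resync(self, codes: list) -> bool:
        """Resync: wide search, but only a run of consecutive codes matches."""
        if len(codes) < 3:
            return False  # one code over a wide window would be too guessable
        for c in range(self.counter, self.counter + self.resync_window):
            expected = [hotp(self.secret, c + i) for i in range(len(codes))]
            if all(hmac.compare_digest(e, g) for e, g in zip(expected, codes)):
                self.counter = c + len(codes)
                return True
        return False

def demo():
    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real token
    server = TokenValidator(secret)
    token_counter = 40  # constructed: button pressed 40 times, codes unused
    codes = [hotp(secret, token_counter + i) for i in range(3)]
    token_counter += 3
    rejected = not server.verify(codes[0])  # outside the 5-code window
    resynced = server.resync(codes)         # three fresh consecutive codes
    next_ok = server.verify(hotp(secret, token_counter))
    return rejected, resynced, next_ok, server.counter

if __name__ == "__main__":
    print(demo())
```

Requiring a run of consecutive codes is what lets the server search far ahead without giving a guesser hundreds of chances per attempt.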

Group account issues and troubleshooting

Issue Description Workaround Last updated

Requesting multiple Duo tokens

IT Pros or group account owners may decide that members of their group accounts need a separate token for each account.

Each person may be issued one Duo token by the Support Center, and this token can be added to all accounts the person has access to. IT Pros and group account owners do not need to request batches of tokens to have on hand for their users.

October 13, 2017

Users cannot register Duo tokens themselves

To register a Duo token, you need to request the token from the Support Center, and the Support Center must verify your user ID before attaching the token to your account. Account owners and IT Pros do not have access to add Duo tokens to any accounts, including group accounts they own. The group account owner and Duo token holder must come to a walk-in location to register the Duo token to any group accounts. Both will have to provide a photo ID. The Support Center will then add the Duo token to the desired group accounts.

October 13, 2017

Seeing multiple Indiana University accounts in your Duo Mobile app

Any device enrolled as a tablet will be required to scan a new QR code for each additional account when activating the Duo Mobile app. This will result in multiple "Indiana University" entries displayed in the Duo Mobile app.

Each account will be named "Indiana University" by default. To avoid confusion with multiple accounts, users should edit the name of a new account immediately after adding it. The account name can be edited by holding your finger on the account in the list, then selecting "Edit Account" from the menu that appears.

October 13, 2017

All users can make changes in the account's "Duo Devices and Settings" control panel

All users added to a group account can edit devices in the account's "Duo Devices and Settings" control panel. This includes adding and deleting devices, changing a device's name, modifying the device's settings, and setting a new default device.

This is expected behavior in Duo. IT Pros should implement best practices for maintaining the number of people who have access to the group account, and they should ensure that only those who need access to the group account have devices in the device list.

October 13, 2017

The only device enrolled is a U2F token, and enrolling another device requires the last four digits of an SSN

twostep.iu.edu does not recognize a U2F token as a default device, so if the token is the sole device, the site will act as though there are no devices enrolled.

The account owner should set up a second non-U2F device, or be present when the next person attempts to set up a device so that the account owner can provide the last four digits of their SSN.

October 11, 2017

The device list is not sorted in a logical order

Users cannot sort the device list, and the devices have generic names (e.g., Apple iOS or Google Android).

The device list cannot be sorted. Devices can be renamed, but this will not sort them any differently. IT Pros and account owners should implement best practices when naming devices (e.g., username - iPhone); however, users should be aware that their devices will be renamed for all accounts in Duo, including their personal accounts. Additionally, there is nothing to prevent any user from changing a device name back without the knowledge of the group account owner.

October 13, 2017

Repeated push notifications being sent to the wrong device

The first device on the list will be the first device everyone sees. This will likely result in several other users mistakenly sending push notifications to this device.

For group accounts, users should consider using a passcode instead. It doesn't matter what device is selected in the drop-down menu; a passcode generated from any device associated with the account will work.

It's a very bad idea to set any phone as the default device for a group account and enable automatic push notifications. Users who attempt to do this may not realize that their phones will receive an automatic push notification every time anyone tries to access the group account.

October 13, 2017

The owner of the group account left IU

If the owner of a group account is the only person with a device enrolled and leaves IU without transferring ownership (see About transferring ownership of a group or departmental account), then no one else will be able to log into that group account.

Ensure that all group accounts are properly transferred to new owners before employees leave IU; see About transferring ownership of a group or departmental account.

October 11, 2017

For help, contact your campus Support Center.

This is document bfnf in the Knowledge Base.
Last modified on 2017-10-17 14:40:54.
