Known issues and troubleshooting for Two-Step Login (Duo) at IU


With the transition to Duo Universal Prompt, group account logins will behave differently than before. With group accounts, when a Duo push is the most secure authentication method for an account, the default push-enabled device will receive a push notification the first time someone logs into it with a new browser. To choose a different device, select Other options. Select a different device to receive the push notification or choose a different authentication method.

Your browser will remember your last-used authentication method in the future unless you are using an incognito window, clear your cache and cookies, or log in using another browser or device.

On this page:


This addresses known university-wide issues, troubleshooting steps, and common questions for Two-Step Login (Duo) with IU Login at Indiana University.


At this time, UITS does not recommend that you use Microsoft's new Outlook. For feature comparisons with the new application, see Getting started with the new Outlook for Windows.

General issues and troubleshooting

Issue Description Workaround Last updated
Error message "Incorrect passcode. Please try again." after correctly using a passcode from a token

You may see the "Invalid Passcode" error for any of these reasons:

  • You haven't used your token for more than a month.
  • The token went out of sync after the button was pressed repeatedly over a short period of time or if the numbers generated were not used. This can happen if you keep it in your pocket or on a keyring.
  • You have the token upside down. When the token is right side up, you should only see digits (not letters), and the word "DUO" and the button should be on the left side.
  • You have multiple devices and attempted to use the token. If you have a phone, it should be your default device. To use the token, choose it from the drop-down box at the DUO Prompt.
Attempt to log in three times in a row with a new code each time to resync your token to the Duo servers. If after the third attempt, it still fails, contact your campus Support Center. August 31, 2016
Support for iOS 11 and Android 7 has ended Duo has ended support for iOS 11 and Android 7. Devices running these OS versions and older will not receive Duo Mobile updates. Furthermore, after February 2, 2021, it will not be possible to download and install Duo Mobile from the Apple Store or Google Play Store. UITS recommends updating the operating system to a supported version. If that is not possible, and if Duo Mobile already installed, it will continue to function. Also, it will still be possible to receive authentication texts and calls. November 30, 2020
When using Safari on macOS 10.14 or later, Duo Remember Me functionality gives error message If you don't disable "Block all cookies" and "Prevent cross-site tracking", you'll see an error message that states: "You need to enable cookies in order to remember this device". Uncheck Block all cookies and Prevent cross-site tracking in Safari. May 27, 2020
When using iOS, Duo Remember Me functionality gives error message Apple has intentionally designed iOS WKWebView to limit the ability to issue and read browser cookies, and Duo Remember Me therefore does not work. This is by design, and no workaround exists. July 10, 2020
USB security key displays twice in Security Center If a user enrolled a USB security key when Chrome was the only browser supporting them, and later enrolled the USB security key through the Security Center while in either the Firefox or Opera browsers, then the USB security key may show up twice in the list of enrolled devices in the Security Center. To prevent this behavior, if a USB security key is enrolled with the Chrome browser, use the USB security key to complete a Two-Step Login in the Chrome browser and complete the prompts to upgrade the token. September 12, 2019
iOS 9/Android 5 Duo Mobile support ended April 1, 2018 Duo Mobile support for Apple devices running iOS 9 or earlier and Android devices running Android 5 or earlier is no longer available as of April 1, 2018. The Duo Mobile app is no longer available for download for these devices as of June 1, 2018. Push and app-generated passcode authentications will continue to function on apps installed before June 1, 2018. Duo authentication in the form of phone calls and SMS text messaging will also continue to be available for these devices without the Duo Mobile app. January 16, 2018

Device name has changed in the drop-down menu and in the two-step "My Devices and Settings" page

Device names in Duo are consistent across all accounts. If a device is used for both a personal account and a group account, the same device name appears and can be modified in both accounts. If someone changes the device name in a group account, that change will be reflected in the personal account's drop-down and "My Devices and Settings" page.

Device names should be descriptive of the device and its owner (for example, username - device description), and should not be changed without reason.

October 11, 2017
In iPhone or iPad, and in macOS 10.15 (Catalina) or higher, the Duo Prompt is replaced with a gray box or otherwise does not display correctly Content restrictions can prevent the Duo Prompt from displaying correctly. For help disabling content restrictions in iOS or macOS, see How do I resolve Duo Prompt display issues related to iOS or macOS content restrictions? November 1, 2019
YubiKey 4 Nano is not recognized A YubiKey 4 Nano is connected to your computer, but it is not being recognized by Duo or other YubiKey-supported services. Check to make sure the device is inserted the correct way into your computer (for example, unplug the device, turn it over, and plug it back in). June 9, 2017
In China, Duo Mobile for Android cannot be downloaded from the Google Play Store In China, the Google Play Store is not available. You can download the Android Duo Mobile app directly from Duo's website instead of using the Google Play Store.

To install the app, you will need to enable a "sideloading" feature in your Android device. Sideloading means installing an app from a source other than the Google Play store.

To enable sideloading in your Android device:

  1. From the Home screen, press Menu. Tap Settings, then Security, and then check Unknown sources.
  2. Download the Duo Mobile app directly.

    You will need to use your Android device's File Manager app to locate and install the downloaded app.
Note: Duo Mobile push notifications require Google Play Services. Google Play Services are not available in China, so you will have to "fetch" Duo Mobile push notifications by opening the Duo Mobile app and swiping down.
May 15, 2017
Blank or flashing screen appears when attempting to authenticate to Duo Using older versions Chrome with the LastPass extension may prevent the Duo interface from loading. Update Chrome to the latest version. February 3, 2017
Duo authentication prompt does not load The web page does not load the Duo authentication prompt and instead displays a blank space where the prompt should appear. Dragon NaturallySpeaking speech recognition software sometimes causes this issue. Temporarily disabling this software allows the Duo authentication prompt to load correctly. October 17, 2016
Changes not saved when renaming device If you click Back to login without clicking Save, your changes will not be saved. Follow the instructions in Renaming a device in Manage your Two-Step Login (Duo) devices and settings. September 6, 2016
"Undefined" error message If the Duo two-factor authentication screen displays an "Undefined" error when you are trying to send a login request, most likely your session timed out after staying idle for too long. Refresh the page or open a new browser window, and then try again. If the problem persists, contact your campus Support Center for help. September 6, 2016
Account is locked Your account may be locked after repeated failed login attempts. If your account is locked, contact your campus Support Center to request that it be unlocked. September 6, 2016
Error message "Denying unknown user" When using Duo to log into an Indiana University service, if you have not finished enrolling, you may see the error message "Denying unknown user." Try to complete the process to enroll your mobile device with Duo. August 18. 2016
The Duo screen cut is off during Microsoft 365 account sign-in When signing into your Microsoft 365 account using any Office desktop application for Windows, the Duo Authentication screen does not completely fit in the window and some options are cut off the screen. Press Tab on your keyboard to scroll down and view the rest of the Duo Authentication options. August 10, 2016

Group account issues and troubleshooting

Issue Description Workaround Last updated

Requesting multiple Duo tokens

Local UITS support people or group account owners may decide that members of their group accounts need a separate token for each account.

Each person may be issued one Duo token by the Support Center, and this token can be added to all accounts the person has access to. Local UITS support people and group account owners do not need to request batches of tokens to have on hand for their users.

October 13, 2017

Users cannot register Duo tokens themselves

To register a Duo token, you need to request the token from the Support Center, and the Support Center must verify your user ID before attaching the token to your account. Account owners and local UITS support people do not have access to add Duo tokens to any accounts, including group accounts they own. The group account owner and Duo token holder must come to a walk-in location to register the Duo token to any group accounts. Both will have to provide a photo ID. The Support Center will then add the Duo token to the desired group accounts. October 13, 2017

Seeing multiple Indiana University accounts in your Duo Mobile app

Any device enrolled as a tablet will be required to scan a new QR code for each additional account when activating the Duo Mobile app. This will result in multiple "Indiana University" entries displayed in the Duo Mobile app.

Each account will be named "Indiana University" by default. To avoid confusion with multiple accounts, users should edit the name of a new account immediately after adding it. The account name can be edited by holding your finger on the account in the list, then selecting "Edit Account" from the menu that appears.

October 13, 2017

All users can make device and settings changes in the account's Duo Control Panel

All users added to a group account can edit devices in the account's Duo Control Panel. This includes adding and deleting devices, changing a device's name, modifying the device's settings, and setting a new default device.

This is expected behavior in Duo. Local UITS support people should implement best practices for maintaining the number of people who have access to the group account, and they should ensure that only those who need access to the group account have devices in the device list.

October 13, 2017

The device list is not sorted in a logical order

Users cannot sort the device list, and the devices have generic names (for example, Apple iOS or Google Android).

The device list cannot be sorted. Devices can be renamed, but this will not sort them any differently. Local UITS support people and account owners should implement best practices when naming devices (for example, username - iPhone); however, users should be aware that their devices will be renamed for all accounts in Duo, including their personal accounts. Additionally, there is nothing to prevent any user from changing a device name back without the knowledge of the group account owner.

October 13, 2017

Repeated push notifications being sent to the wrong device

The first device on the list will be the first device everyone sees. This will likely result in several other users mistakenly sending push notifications to this device.

For group accounts, users should consider using a passcode instead. It doesn't matter what device is selected in the drop-down menu; a passcode generated from any device associated with the account will work.

It's a very bad idea to set any phone as the default device for a group account and enable automatic push notifications. Users who attempt to do this may not realize that their phones will receive an automatic push notification every time anyone tries to access the group account.

October 13, 2017

The owner of the group account left IU

If the owner of a group account is the only person with a device enrolled and leaves IU without transferring ownership (see Transfer ownership of a group or departmental account), then no one else will be able to log into that group account.

Ensure that all group accounts are properly transferred to new owners before employees leave IU; see Transfer ownership of a group or departmental account.

October 11, 2017

For help, contact your campus Support Center.

This is document bfnf in the Knowledge Base.
Last modified on 2024-04-15 17:04:56.