Improving Account Security
Use Multi-Factor Authentication and strong passwords to secure your data
Have you ever been the victim of a phishing attack or received an email pretending to be from a colleague after their account was compromised? AU relies on Duo Multifactor Authentication (MFA) to protect our account holders from unauthorized access to their accounts and account data. All Faculty, Staff, and Students must enroll a device to use Duo.
American University requires use of Multi-Factor Authentication (MFA) on AU systems, including Outlook/Office 365. This security standard helps all users to prevent unauthorized access to email and data, and reduces phishing attacks within the AU community. See how MFA fits into the process for authenticating to AU systems.
Additionally, we are expanding the requirement to use Duo across other AU systems and services including the VPN.
New to American University?
- Learn how to use Duo Multi-Factor Authentication at American University by viewing An Introduction to Duo Security, below.
- Enroll your device using our guide for first-time users (login not required).
An Introduction to Duo Security
Two-factor authentication adds a second layer of security to your logins. Verifying your identity using a second factor (like your phone or other mobile device) prevents anyone but you from logging in, even if they know your password.
Existing American University account holders
All AU account holders must keep their account in good standing for it to remain active.
- Make sure your password recovery options are set up in AU's Self-Service Password Reset tool.
- Passwords must be reset once a year. Be sure to reset yours if it's expiring soon.
- Review any devices and phone numbers you have enrolled in Duo. You can add more than one device. If you've changed phones, don't forget to activate Duo Mobile on your new phone.
Travelers and international account holders
Duo is accessible in over 100 countries, allowing AU Faculty, Staff, and Students to authenticate to AU systems even while located outside of the United States. For the most consistent experience, the Duo Mobile app offers the most reliable means of authenticating while traveling abroad.
International Students
International students, in many cases, will perform their initial enrollment in Duo while still in their home country. This is a requirement for accessing many AU resources, even before arriving in the United States.
Travelers
Whether you are traveling to or from the United States, if you intend to access AU resources while traveling abroad, plan your device management in advance. You cannot enroll new devices in Duo without your existing device present. Consider the need to:
- Bring your Duo-enrolled device with you
- Set up an alternate device before departing
- Set up a new phone or swap SIM cards after arriving
For more complete information on these options, see KB0019083: Duo Travel Guide.
Additional Considerations
SMS- and call-based authentication are less recommended for our travelers, due to the inherent need to re-enroll a new phone number in each new country. The Duo Mobile app can be installed on one device, and carried with you from country to country without ever needing to re-enroll.
Regions with noteworthy advisories on using Duo are as follows:
If you find yourself traveling and unable to authenticate or register a new device, the OIT Help Desk has several methods that they can use to provide you access to your AU accounts. The OIT Help Desk can be reached at helpdesk@american.edu or 202-885-2550.
Popular Topics
Duo Multifactor Authentication - Tips and Best Practices
Install Duo Mobile
Installing Duo Mobile on a personal smartphone offers the most flexible and secure method of authenticating to any of AU's Duo-protected systems. When an access attempt is made, Duo Mobile receives a device notification (often referred to as a "push notification") that users only need to acknowledge from their phone. After installing Duo Mobile, the "Push" option will appear during your logins and is the ideal choice for authentication, especially in areas/instances where SMS or Phone Call options are not available.
Activate Duo Mobile
Enroll Multiple Devices
Users may have multiple devices enrolled in Duo at once. Consider enrolling multiple alternate devices to better accommodate different access scenarios (though only enroll devices you trust).
- Do you frequently access Duo-protected systems from a MacBook? Enroll your TouchID in Duo.
- Do you switch between a laptop and a tablet? Install Duo Mobile on a Tablet to enroll it in Duo.
Stay Authenticated
By default, your web browser will keep you authenticated to Duo-protected systems for up to 8 hours or until you close your web browser, whichever comes first. Keeping your web browser open on your computer will help prolong your access, without requiring you to reauthenticate.
Review Your Enrolled Devices Regularly
Multi-Factor Authentication technology is growing and changing to better accommodate users, and you may find that you have access to new authentication methods that better suit your needs. You may also need to add/enroll newly acquired devices, or entirely remove old devices that have been replaced or are no longer in use.
Update or manage your Duo devices
Prepare to Travel
If you plan on traveling or studying abroad, be proactive and review our Duo Travel Guide for all the necessary considerations.
Gmail Information
Still using an AU Gmail Account?
Students and Alumni still using their AU-sponsored Gmail account need to set up Google's Multi-factor Authentication on Gmail.
- Google refers to their MFA as "2-Step Verification" or "2SV", and it is different from Duo MFA.
- Follow Google's instructions on setting up 2-Step Verification for your AU Gmail account.
Help protect your account with 2-Step Verification
2-step verification adds a second layer of security to your logins. Verifying your identity using a second factor (like your phone or other mobile device) prevents anyone but you from logging in, even if they know your password.