Skip navigation

Two-Factor Authentication (2FA) from Duo

Double up on security by protecting your applications and environments with two-factor authentication (2FA). It's the simplest, most effective way to verify that your users are who they say they are.

What is 2FA?

Two-factor authentication (2FA) is a specific type of multi-factor authentication (MFA) that strengthens access security by requiring two methods (also referred to as authentication factors) to verify your identity. These factors can include something you know - like a username and password - plus something you have - like a smartphone app - to approve authentication requests.

2FA protects against phishing, social engineering and password brute-force attacks and secures your logins from attackers exploiting weak or stolen credentials.

Why is 2FA Important?

Two-factor authentication (2FA) is the foundational element of a zero trust security model. In order to protect sensitive data, you must verify that the users trying to access that data are who they say they are. 2FA is an effective way to protect against many security threats that target user passwords and accounts, such as phishing, brute-force attacks, credential exploitation and more.

Let’s say you use a username and password to complete primary authentication to an application. That information is sent over the Internet (your primary network). You’ll want to use a different (out-of-band) channel to complete your second factor. Approving a push notification sent over your mobile network is an example of out-of-band authentication.

So why does it matter? If a remote attacker is able to tap into your computer via your Internet connection, they can steal your password, and your second form of authentication — if both are delivered over the same channel.

Without your physical device, remote attackers can’t pretend to be you in order to gain unauthorized access to corporate networks, cloud storage, financial information, etc. stored in applications.

By integrating two-factor authentication with your applications, attackers are unable to access your accounts without possessing your physical device needed to complete the second factor.

2FA Made Easy With Duo

We know the most effective security solution is one your users actually use.

Duo’s 2FA solution only requires your users to carry one device — their smartphone, with the Duo Mobile app installed on it. Duo Mobile is available for both iPhones and Android, as well as wearables like the Apple Watch.

With support for a large array of authentication methods, logging in via push notification is fast and easy with Duo Mobile. We strongly recommend using Duo Push or U2F as your second factor, because they're most secure and can protect against man-in-the-middle (MITM) attacks, but with Duo's flexibility and customizability, you'll be able to find the adaptive authentication method that meets the unique needs of your diverse user base.

Easy, Effective and Secure

Duo integrates to protect every point of access, from on-premises, to web-based, to cloud-based applications. Deployment is quick and easy, and the platform's user-friendly authentication experience and intuitive administrator dashboard make managing your security protocols a breeze.

Zero Trust Made Simple

Duo puts your organization on the fast-track to zero trust by securing the modern workforce. The simple, all-in-one platform lets you verify user identities, assess and act on the health of devices, set adaptive access policies, and protect users' productivity with modern remote access and SSO capabilities. Learn more about Duo's approach to zero trust here.

2FA For Every Business

At Duo, we believe every organization should have a 2FA solution, so we take pride in providing a simple, yet scalable, security platform that works. With three editions and a host of capabilities built in, you can choose the solution that's just perfect for your business. See editions and pricing here.

Learn More About 2FA

Need more information to get up to speed on 2FA basics and security industry terminology? We're here to help. Below, you'll find answers to your questions and resources to help you take the next steps toward a more secure workforce.

What are the Factors of Authentication?

Factors are the pieces of information a user can provide to verify their identity. 2FA is the most commonly used, but there are, in fact, five factors of authentication used by security professionals today.

Knowledge Factor

The knowledge factor verifies identity by requesting information only an individual user would know. The most common example of a knowledge factor of authentication is a password. A user’s password should be private only to them, allowing them to use it as a method to confirm their identity.

Possession Factor

Possession factors verify the identity of a user by requiring proof of information that only the user should possess. Tokens are a commonly used possession factor of authentication. These tokens generate a rotating passcode that users must physically carry on their person.

Duo Mobile combines the knowledge factor and possession factor of authentication to create the world’s most trusted 2FA platform. Two other possession factors of authentication are HMAC-based One-Time Password (HOTP) and Time-based One-time Password (TOTP). Both authentication methods generate temporary passwords from a physical device carried by the user. HOTP tokens expire once they are used while TOTP tokens expire if not used within thirty seconds.

Inherence Factor

Inherence factors of authentication verify the identity of a user by using attributes that would belong only to that user. Fingerprint scanning is the most obvious inherence factor used today.

Fingerprints are unique to individuals, so many organizations use them as a way to confirm who their users are. In addition to fingerprints, there are many other inherence factors used today: voice, handprints, face recognition, and more.

Location Factor

Location factors of authentication confirm the identity of a user based on their location in the world. If a user had registered an account in one country, for example, and suddenly there are login attempts from another, location factors could trigger and attempt to verify the identity of the new user. Many location factors are based on the IP address of the original user and compares the address to that of the new attempt to access information.

Time Factor

Time factors of authentication verify the identity of a user by challenging the time of the access attempt. This is based on the assumption that certain behaviors (like logging into a work computer) should happen within predictable time ranges. If an attempt to access a platform happens outside of the usual time range, the attempt can be challenged or terminated until a user can verify their identity.

What Threats Does 2FA Address?

The need for two-factor authentication has increased as companies, governments, and the public realize that passwords alone are not secure enough to protect user accounts in the current technical landscape. In fact, the average cost of data breaches today is over two trillion dollars annually. While 2FA protects against a multitude of threats, the most common threats include:

Stolen Passwords

A traditional password can be used by anybody who gets their hands on it. If a user writes down their password on a pad of paper, for example, that password can be stolen to gain access to an account. 2FA, by contrast, validates the user with a second device after a password is entered.

Phishing Attempts

Hackers will often send emails that include links to malicious websites designed to either infect a user’s computer or convince them to enter their passwords. Once obtained, a password can be used by whoever manages the hacking attempt. 2FA fights phishing by adding a second layer of validation after the password has been entered.

Social Engineering

Hackers will often simply manipulate users into giving up their passwords. By posing as an IT professional at the user’s company, they can earn the trust of the user before asking for login credentials. 2FA protects against this by validating the location and IP of every login attempt after a password has been entered.

Brute-Force Attacks

In a brute-force attack, a hacker randomly generates passwords for a specific computer until they land on the correct sequence. 2FA’s second layer of protection requires a login attempt to be validated before granting access.

Key Logging

Even if a user hasn't written down their password, hackers can use malware to track and copy a user’s password as they type. Hackers track every keystroke and store the password to be used later. The second layer of validation in 2FA lets a user ensure that the login attempt is their own, even if their password has been compromised.

What are the types of 2FA?

There are a number of different second factors that can be used to verify a user's identity. From passcodes to biometrics, the available options address a range of use cases and protection levels.

SMS 2FA

SMS two-factor authentication validates the identity of a user by texting a security code to their mobile device. The user then enters the code into the website or application to which they're authenticating.

Pros
  • Simplicity. SMS 2FA simply sends a confirmation code to a user's mobile phone. Just enter the code and gain access to your information.
  • Speed and access. If suspicious activity occurs, SMS 2FA sends a one-time password (OTP) to a user's device, so only the user with that device can log in and verify that their account hasn't been compromised. SMS 2FA is a quick way to validate the identity of a user.
  • Ubiquitousness. SMS 2FA is the oldest form of two factor authentication, so it has become a commonly accepted security protocol.
Cons
  • Phone number requirements. SMS 2FA requires that users disclose their phone numbers to a third party (the 2FA provider). This makes some people uncomfortable because it raises concerns around privacy, personal security, and being targeted for advertising.
  • Data network requirements. SMS 2FA requires a phone that can receive SMS messages. If a user's phone is missing or damaged, or if they cannot access their network, they may not be able to receive their security code.

TOTP 2FA

The Time-Based One Time Password (TOTP) 2FA method generates a key locally on the device a user is attempting to access. The security key is generally a QR code that the user scans with their mobile device to generate a series of numbers. The user then enters those numbers into the website or application to gain access. The passcodes generated by authenticators expire after a certain period of time, and a new one will be generated the next time a user logs in to an account. TOTP is part of the Open Authentication (OAUTH) security architecture.

Pros
  • Flexibility. This type of 2FA hinges on a QR code which generates a unique passcode. Once they have this code, a user can use it across multiple devices. By contrast, SMS 2FA is restricted to the device that receives the message. TOTP 2FA is more flexible and gives the user a wider ability to access their information.
  • Improved Access. Mobile authenticators are able to remember which accounts a user is trying to access — so the user can access their passcode at any time, even if they are not on a cellular or wifi network.

Cons

  • Reliance on devices. TOTP 2FA requires the user to have a device capable of reading the QR code to verify their identity. If the user misplaces their device or the QR code, or if it’s stolen, they will no longer be able to access their information.

Push-Based 2FA

Push-based 2FA improves on SMS and TOTP 2FA by adding additional layers of security, while improving ease of use for end users. Push-based 2FA confirms a user's identity with multiple factors of authentication that other methods cannot. Duo Security is the leading provider of push-based 2FA.

Pros
  • Phishing security. Other types of two factor authentication are susceptible to phishing attacks, but push-based 2FA combats that vulnerability by replacing access codes with push notifications. When they attempt to access their information, a push notification is sent to the user’s phone. The notification includes information about the login attempt, such as location, time, IP address, and more. The user simply confirms that the information is correct and uses their phone to accept the authentication request.
  • Ease of use. Once set up, push-based 2FA streamlines the authentication process. If the information sent through the push notification is correct, the user simply accepts the login attempt through their mobile device and is able to access their account.
  • Scalable. Push-based 2FA can easily be scaled for organizations needing to secure multiple users. The ease of use allows teams to onboard the software and train teams on how to use it efficiently. Since every access attempt is confirmed with a mobile device, there are no SMS codes to enter or QR codes to save.
Cons
  • Reliance on data access. Push-based 2FA sends its notifications through data networks like cellular or wifi networks. The user must have data access on their mobile device to use the 2FA functionality.
  • Reliance on user knowledge. Push-based 2FA fights phishing by allowing the user to validate the location and other details associated with the login attempt. Security breaches may occur in cases when the user doesn’t pay attention to or correctly read information like the IP address and login location.

U2F Tokens

U2F tokens secure two-factor authentication by using a physical USB port to validate the location and identity of a user attempting to login. To use a U2F token, a user inserts the token into their device and presses the button located on the top of the device. Once the token is activated, the user enters their PIN and gains access to their accounts.

Pros
  • Phishing protection. Since the user must physically hold, insert, and enter a code into the token, U2F protects a user's PIN from being phished.
  • Backup devices and codes. U2F tokens can be backed up across multiple devices, allowing users to replace their token or code if it is lost.
  • Ease of use. U2F tokens require little set up or technical knowledge to use.
Cons
  • Lack of support. U2F tokens are still relatively new to the 2FA world, which means that many currently existing technologies do not support it.
  • Requires a physical object. As a physical token, this security method is susceptible to being lost or damaged. If a token is misplaced, for example, it cannot be used to authenticate a user’s identity.

WebAuthn

Created by the FIDO (Fast IDentity Online) Alliance and W3C, the Web Authentication API is a specification that enables strong, public key cryptography registration and authentication. WebAuthn (Web Authentication API) allows third parties like Duo to tap into built-in biometric authenticators on laptops and smartphones, letting users authenticate quickly and with the tools they already have at their fingertips.

Pros
  • Convenience. All you need is a supported web browser, operating system and a strong, built-in biometric authenticator like TouchID to enable a secure, phishproof authentication method.
  • More secure. WebAuthn is one of the more secure 2FA methods available today. It allows web applications to trust a strong biometric authentication as a credential that is specific only to that service — which means no more shared passwords. We now have a secure means to generate, store and utilize a credential whose attributes are unknown to the user and thus can’t be stolen and exploited.
Cons
  • Lack of support. Because WebAuthn requires biometric verification to allow access, it can only integrate with devices equipped with some kind of biometric authenticator. These are becoming more common as new devices are released, but older devices will need an additional USB-based security key, to be able to use WebAuthn.
  • Complex account recovery. In the modern workplace, work doesn’t stop when a security issue arises. Perhaps an employee loses their phone, or someone reports an unauthorized access attempt. Security measures help control these threats, but employees are expected to be back up and running and working as normal shortly after the incident. Many 2FA solutions make this relatively easy — a systems administrator can help with account recovery. Biometric authenticators, however, make this process more difficult, because they are so tied to the identity of a single user. For that reason, it’s still recommended that users have another out-of-band form of authentication to fall back on, should they lose access to their biometric authenticator.

Which industries use 2FA?

Endpoint security concerns are becoming a bigger focus for many industries — no matter which applications users are accessing, protecting credentials is important to the security of the larger business. Learn how various verticals are using 2FA to stay ahead of security threats:

Healthcare

Healthcare organizations are concerned about securing patient data and personally identifiable information (PII). They also need to meet a number of compliance requirements, including HIPAA, PCI DSS, HITRUST, Joint Commission standards and NIST standards.

The healthcare industry must also securely enable their clinicians and physicians to access patient data, at any time, anywhere - sometimes from their own personal devices. Duo’s 2FA solution allows them to secure this data beyond traditional firewalls. Physicians, accountants, and third-party vendors can access their necessary information securely.

Read more about one enterprise healthcare CISO’s journey with Duo.

Banking

The banking industry uses 2FA to protect against the many hacking attempts made on their internal and clients’ systems. Duo’s push-based authentication system has helped many large banks improve their resiliency against such attacks.

It is important for security teams to know which users and devices are accessing their systems. Two-factor authentication allows the finance industry to secure remote devices and authenticate every login attempt.

Read more about how Level One Bank successfully implemented Duo’s 2FA solution.

Social Media

Social media platforms and agencies use 2FA to protect the personal data of billions of users worldwide. To protect these users, social media companies like Facebook use Duo’s push-based authentication to shield their developers from hacking attempts when working on the company’s internal networks.

2FA also makes security easier for social media companies by simplifying the access process for developers. Duo’s cloud-based 2FA solution protects developers, and users in turn, by eliminating the need for hardware and software installation.

Read more about how Facebook implemented Duo’s 2FA solution.

Travel

The travel industry requires a 2FA solution to allow their remote employees to perform their duties from anywhere in the world. Traditional security protocols like firewalls aren't sufficient when users need access beyond the security perimeters.

Duo’s 2FA technology helps the travel industry implement true Bring Your Own Device (BYOD) policies. Duo Beyond lets travel companies understand the security health of every device accessing the network. Companies can then monitor potential security threats from remote devices.

Read more about how Kayak.com uses Duo’s 2FA technology to secure user endpoints.

Government

Current IT modernization initiatives are challenging government agencies to implement big changes to their infrastructure at an uncomfortable pace, as they look to accommodate the shift to cloud and mobile. An ideal security solution needs to account for both protecting users and rolling out on a realistic but still workable timeline.

2FA technology assists federal agencies as they put forward zero trust policies for the millions of end users who need access. Two-factor authentication provides a balance between strong security and usability.

Read more about how Duo helps federal government agencies achieve zero trust here.

Retail

With an annual U.S. GDP totalling $2.5 trillion, the retail industry is comprised of more than 3.6 million retail establishments. As the nation’s largest employing industry, remote attacks have become increasingly more prevalent and difficult to prevent.

Similarly, security solutions are becoming increasingly important for retail as information technology adjusts to a perimeterless environment. 2FA allows retail companies to authenticate the identities of users accessing their networks through remote desktops and personal mobile devices.

Read more about how 2FA combats the security risks facing the retail industry.

Media

The media industry spans across radio, television, social media, film, and more. 2FA helps media companies by allowing users to access the data necessary to meet publishing deadlines.

By securing IT infrastructures across companies and state lines, Duo’s two-factor authentication technology gives media companies the ability to validate users' identities whenever a login is attempted. The push-based nature of 2FA reduces the friction and frustration that has historically plagued efforts to secure user endpoints.

Read more about how Duo’s 2FA solution helped American Public Media manage security across many companies.

Higher Education

Higher education institutions manage vast amounts of sensitive user data involving finance, healthcare, PII, and more. This valuable data has historically made institutions prime targets for hacking and malicious breaches of security.

Colleges and universities use 2FA to secure the mobile devices and personal computers of students, faculty and staff. Securing these devices helps combat malicious actors by authenticating the identity and location of every login attempt.

Read more about how Duo’s 2FA technology helped the University of Michigan.

Ridesharing

With a heavy focus on rider safety, ridesharing apps are dependent on the security of the mobile devices accessing their network. To make it even more challenging, ridesharing apps serve an international and decentralized marketplace of users and drivers across hundreds of languages.

2FA technology helps ridesharing companies secure the endpoint devices of their employees regardless of location. Ensuring user identity is a mission critical objective for technology companies and 2FA assists this goal by authenticating employees before they gain access to internal information systems.

Read more about how Duo’s 2FA solutions helped Lyft scale a zero-trust security solution.

Energy

Energy companies often need to secure data on sensitive projects across the world. 2FA technology helps them protect financial, logistical, and human resource systems by securing user endpoint devices.

Ensuring endpoint security allows projects to continue on schedule without risking security breaches. 2FA also helps energy companies by securing the devices of third-party contractors who often need IT system access while operating beyond the perimeter of traditional firewalls.

Read more about how Duo’s 2FA product helped AmeriGas accomplish its goals.

Frequently Asked Questions About 2FA

Have questions about how 2FA works? Wondering how 2FA can help secure your accounts and applications? We've got answers.


Who uses 2FA?

Two factor authentication is used across many industries that require user authentication and device trust, beyond usernames and passwords. 2FA technology is often championed by an organization’s security team, Chief Information Security Officer, or information technology team, but it affects departments throughout the business. Below is a list of the top five industries where 2FA is a crucial information security strategy:

  • Healthcare: Due to the incredibly sensitive personally identifiable information protected by hospitals and other healthcare organizations, two factor authentication is commonly used to secure user accounts (doctors, patients, administrative staff).
  • Finance: Financial institutions use 2FA to protect against data breaches and to comply with the growing security demands of users and auditors. The highly sensitive and valuable data protected by financial firms makes them prime targets for cyber criminals.
  • State & Federal Government: Both state and federal governments are under constant threat of cyber attacks. In response, governments are implementing two factor authentication in addition to traditional passwords. With 2FA, a hacker would have to capture an end user’s mobile device, even if their password is compromised.
  • Education: Educational institutions from elementary schools to universities implement 2FA solutions to protect the data of their students and staff. Students, teachers, and administrators log into sensitive web portals with 2FA in addition to the traditional passwords.
  • Law Enforcement: Two factor authentication is used by government agencies of all sized — from the FBI, and CIA, down to local police departments in order to protect sensitive data. Law enforcement administrators can confirm the location, IP address, and username of any user attempting to log into their networks. This is another layer of protection against potential external threats.

How effective is 2FA?

2FA protects against phishing, social engineering and password brute-force attacks and secures your logins from attackers exploiting weak or stolen credentials. This dramatically improves the security of login attempts. 2FA has also been shown to block nearly all automated bot-related attacks.

About 81% of confirmed data breaches in the Accommodations industry involved stolen credentials. – Source: Verizon 2018 Data Breach Investigations Report

Which authentication method is best?

At Duo, we recommend push-based, U2F, and biometric authentication, because these make it very difficult for an attacker to pose as an authorized user.

Push-based 2FA: Most push-based authentications can't be approved unless a user's phone is unlocked. This requirement makes push-based 2FA more secure than passcode-based 2FA, which often delivers a code that can be seen on lock screens or other SMS-enabled devices. With push-based 2FA, simple security measures like a passcode or biometric identification go a long way, protecting applications with a layer of information only device owners would possess.

U2F: With U2F-based 2FA, users initiate an authentication request and then approve it by tapping a USB device attached to their laptop, desktop, or smartphone. Unlike traditional security tokens, U2F devices are tamper-proof. Each device is associated with only one user, preventing imposters from posing as a trusted user, even if the device is lost or stolen.

Webauthn: Like U2F-based authentication, Webauthn-based authentication requires users to approve access requests via a mechanism that’s attached to their device. Webauthn, however, takes this principle even further by tapping into users’ built-in biometric authenticators, negating the need for both passcodes and physical hardware. With Webauthn, the world of information security moves one step closer to true password-less authentication.

What's the difference between 2FA and MFA?

Two-factor authentication (2FA) is a subset of multi-factor authentication. There are as many potential factors of authentication as there are ways to confirm a user’s identity (location, fingerprints, face, security keys), and any security protocol that involves three or more is considered MFA. 2FA is the most common and easily accessible subset of MFA that requires two factors of authentication.

How will 2FA improve my technical infrastructure?

2FA often reduces the need for device-specific or application-specific security tools, like MDMs. With 2FA, companies are able to protect a broader scope of information and technical environments, allowing them to consolidate and/or forego solutions that may not be adding to the overall security landscape. Reducing total cost of ownership is an ongoing initiative for many companies, especially when it comes to IT, and protecting more information with 2FA can drive progress toward that goal.

At Duo, we recognize the value of streamlining technical infrastructure, so we’ve built broad application and device coverage right into our 2FA solution. Learn more about how Duo helps make life easier for IT administrators.

Can I use 2FA in a hybrid environment?

The short answer is: “yes.” Most companies need to protect both cloud-based and on-premesis applications, so it’s smart for 2FA vendors to accommodate both types.

However, that doesn’t mean all 2FA vendors can protect all applications. Some are tailored to specific productivity tools or require additional drivers or software to protect a greater breadth of information. Duo’s 2FA solution is designed to work with the broadest range of applications and devices — so no matter what you need to protect, Duo can help.

How do I make sure my users keep their devices updated?

Rigorous device health standards are an essential part of any effective security framework. To truly be secure, every single device that requests access to an application should meet your organization’s security standards. But depending on the complexity of your security protocols, it can be difficult to ensure every device has the latest operating system, has screenlock enabled, is properly encrypted — the list goes on.

Some 2FA solutions build in the option for device health checks, so administrators can warn users that unless they update their software or change their device settings, they’ll be unable to access the services they need. Duo’s self-remediation features are designed specifically to not only warn or block users based on device health, but to help users comply with security regulations without needing to get an IT professional involved.

The easier it is for users to meet security standards, the more likely they are to keep their devices compliant — saving administrators a lot of headaches over time.

What if a user loses their mobile device?

2FA relies on users to have a device with which to authenticate. If that smartphone or laptop is lost or stolen, there’s a heightened risk that unauthorized entities will be able to access your important data. So, generally, users should be aware of their devices’ locations at all times, and they should be cautious about letting others use their devices.

That’s not a security guarantee, though — we’ve all lost (or thought we lost) a device or two somewhere along the road. It happens. Fortunately, 2FA technology can actually make it easier to protect the information to which those devices have access. Security solutions that install directly onto users’ devices (MDMs, etc.) can often lock or shut down devices remotely, protecting mission-critical information even when a user doesn’t physically have their device with them. Duo works similarly, but it doesn’t require installation of any additional drivers or software. Users can easily self-enroll in 2FA via an app on their devices, so no matter where in the world they travel or what technology they use, your information stays secure.

What is a user access policy?

A user access policy is a specific set of rules that determine whether or not a user can access an application. For example, your company might have a policy that only users with a certain level of security clearance can access mission-critical information. A good 2FA solution will allow administrators to set these rules granularly, ensuring that only the right people, with the right devices and the right credentials, are accessing each individual application.

The ultimate goal of a user access policy should be to grant access to as few users as possible. This means thinking critically about very general authorization parameters. It’s likely that some applications will require more stringent protection than others, and that some devices will be more trustworthy than others — so access policies should take these factors into account. For example, applications that contain sensitive personal information may require a user to have both the correct security clearance and have their device firewall enabled. In contrast, collaboration tools like calendars may be accessible to more users and may not require that users' devices meet such specific criteria.

What is adaptive authentication?

The premise of adaptive authentication is that users circumstances are constantly changing — they move between networks, they change their device settings, they require additional application access, etc. — so authentication rules should constantly be adjusting to keep up.

A good adaptive authentication solution will allow users to set risk-based access policies over several dimensions:

  • By user or group of users and their roles and/or responsibilities.
  • By authentication method. Allow authentication only via approved methods. For example, users authenticating via push notification are granted access; users authenticating with SMS are not.
  • By application. For example, a company might want to enforce the use of the more secure MFA methods (push notification, U2F, etc.) for high-risk applications and services.
  • By geographic location. Restrict access to company resources in any geographic location.
  • Set conditional policies for certain locations. For example, a company may want to require 2FA in certain locations, but not in others.
  • By network information. Where the user/device is coming from (set of IP ranges); block authentication attempts from anonymous networks like Tor, proxies and VPNs.

Because adaptive authentication is only becoming more and more important, Duo makes it easy to set and monitor security policies based on any of these dimensions — and with Duo’s intuitive administrator dashboard, administrators can do it all from a single, central control panel. Duo also integrates with existing technology, like Active Directory or Azure-AD, and can leverage them to apply policy at a group level.

Can I limit access to some applications but not others?

With a good adaptive authentication solution, yes! And as the security industry evolves, it becomes ever more important to do so. Remember, the goal of a security policy is to limit access to as few people as possible — and that concept applies at the application level, too. To truly reduce the possibility of a breach, each user should be able to authenticate to as few applications as possible, and their level of access should be based on the information they need to access.

How does 2FA protect BYOD?

  • Open wifi networks: 2FA protects against attempts to steal or phish your username and password via an open wifi network.
  • Man-in-the-Middle attacks: 2FA doesn’t allow hackers to spoof push notifications to your personal device even if your password is compromised by a man-in-the-middle attack.
  • One password across many accounts: 2FA gives you an added layer of security via push notifications even if you have used the same password across multiple accounts.
  • Malware email attachments: Even if you fall prey to malware attachments, you can protect your login credentials by confirming every login attempt accessing your accounts.
  • Cloud storage: 2FA gives cloud users the ability to validate every login attempt with their personal devices, no matter where in the world they are. This becomes chokepoint that organizations can use to secure their data in the cloud.

How does 2FA work when my users are traveling?

In most cases, 2FA should work exactly the same way when you are traveling, as it would when you are at home. You enter your password, validate the login attempt with your push notification, and hit accept. There are two situations when two factor authentication won’t work when traveling, however:

First, you will not be able to receive push notifications if you lose cell or wifi connection while traveling. Some wireless carriers may not have service in the area you are visiting, so be sure to confirm so before you travel.

The second issue that may cause 2FA to not work while traveling is if you lose your phone. Even with your password and username, you will be locked out of applications if you cannot receive a push notification with your phone.

The zero-trust approach to security posits that location-based trust is no longer enough to prevent unauthorized access to applications and information. The traditional “perimeter,” defined by known networks and environments, is being negated by BYOD and remote work — in the modern workplace, employees expect some freedom to work from different locations and use the devices they’re most comfortable with. The zero trust model addresses these potential security issues by establishing trust for every access request — regardless of location. It enforces adaptive controls, and continuously verifies trust. Trust levels are dynamic and change to adapt to your evolving business. This approach can help prevent unauthorized access, contain breaches and reduce the risk of an attacker's lateral movement.

At Duo, we help businesses secure their workforces using a zero trust approach. This model can seem complex, because it up-ends traditional perimeter based security — but achieving zero trust can be done in just 5 steps:

  1. Establish Trust in User Identities
  2. Gain Visibility into Devices & Activity
  3. Ensure Device Trustworthiness
  4. Enforce Adaptive & Risk-Based Policies
  5. Enable Secure Access to All Apps

For more on zero trust and how this approach can enable a more secure workforce, visit our zero trust page.

How do I increase 2FA adoption in my organization?

Get to know the numbers: 2FA technology exists to protect against the growing threat of cybersecurity breaches worldwide. According to a study by the University of Maryland, there is a hacking attack every 39 seconds. Knowing the how and why 2FA can impact your business is an important first step.

Work with stakeholders: Adopting two factor authentication requires buy-in from the entire company, but the decisions are often made by a select group. This group can be comprised by executives, your security team, your IT team, and anybody else who has a say in the adoption process. Understand who the important stakeholders are and work with them to magnify your impact.

Communicate the risks and benefits: once you know who needs to be on board with your adoption plan, frame the issue in terms that are important to each member. The company’s CEO will have different priorities than the head of IT, for example. Knowing what is important to each stakeholder will go a long way in seeing your 2FA adoption through.

Understand the logistics: Rolling out a complete 2FA adoption will take time and involve some logistical challenges. Keeping your end goal in mind while navigating the process will help you see the adoption process through. Are your employees hesitant to download the 2FA app? Is your security team bogged down with work? Be sure to understand the potential roadblocks on your way to 2FA adoption.

How are other companies using 2FA to secure their information?

2FA technology has helped companies across many industries secure their user endpoints. Take a look at our extensive case study page to see how.

How-To's For Users

Help your users get up and running with Duo.


How Do You Enable 2FA?

Two-factor authentication is simple to set up. There are seven simple steps to going live with 2FA.

  • Hit Set Up
  • Choose Your Authentication Device Type
  • Enter Your Phone Number
  • Choose Platform
  • Install Duo Mobile
  • Activate Duo Mobile
  • Configure Device Options

Read our Guide to Two-Factor Authentication Enrollment to get started.

Can You Disable 2FA?

Yes, admins can disable any authentication method for users or administrators. For example, since NIST recommends SMS 2FA deprecation, some may not want to allow end users to authenticate via SMS.

In the Policies section of the Duo Admin Panel, you can choose the authentication methods from the global, application, and group policy level. More information is available in our documentation.

How can I get a 2FA Code?

For all application integrations, Duo uses HOTP, or HMAC-based one-time password (OTP) to generate passcodes for authentication.

Duo Mobile allows users to generate event-based passcodes that are valid until they have been used. Duo also supports the use of most HOTP-compatible hardware tokens for two-factor authentication.

Read more about 2FA basics.

What if I get locked out?

Duo Mobile's restore functionality lets you back up Duo-protected accounts and third-party OTP accounts (such as Google or Facebook) for recovery to the same device or to a new device. You can use this back up functionality to recover your account.

What are the system requirements for 2FA?

Please reference our docs section for information regarding our minimum system requirements.

Can I use 2FA on an older mobile phones?

Android: the current version of Duo Mobile supports Android 7.0 and greater. Duo recommends upgrading to the most recent version of Android available for your device. We cannot ensure compatibility of Duo Mobile with custom variants or distributions of Android.

iPhone: The current version of Duo Mobile supports iOS 11.0 and greater. Support for older Duo Mobile versions on iOS 10.0 ended July 28, 2019.

What if I don’t recognize the location shown?

If you do not recognize the location shown by your 2FA push notification, do not click allow. If you do, the potentially malicious login attempt will have access to your account. If you suspect anything, deny the login attempt and speak with your organization’s system administrator.

Can I set up 2FA of multiple devices?

Yes, you can set up 2FA on multiple devices. You can also use a landline or tablet, or ask your administrator for a hardware token. Duo lets you link multiple devices to your account, so you can use your mobile phone and a landline, a landline and a hardware token, two different mobile devices, etc.

Can I turn off 2FA after I have turned it on?

Please reference the managing devices section of our guide.

How do I remove 2FA?

Please reference the managing devices section of our guide.