Duo Authentication Methods
All users must set up at least one Duo authentication method. If you are unsure about which method to use, IMSS recommends starting with Duo Mobile Verified Push, which is secure, broadly compatible, and free to use with your modern iOS or Android mobile device. Below is a list of Duo authentication methods supported at Caltech.
Duo Mobile Verified Push
Duo presents a 3-digit code on your screen and "pushes" a login request to the Duo Mobile app on your iOS or Android phone or tablet. You review the request on your mobile device and enter the code to approve the log in. There is no cost to use the Duo Mobile Verified Push authentication method, but you must own a compatible smart phone or tablet device. Most modern iOS and Android devices are compatible.
Platform Authenticators
Platform authenticators are authentication methods built into your device. Platform authenticators must be on the same device you are using to access a system protected by Duo. If your device has one of these features, you can set it up to work with Duo at the Duo Device Management Portal.
Platform authenticators are only supported in browser-based applications. They can not be used in command-line or Windows login authentications.
Roaming Authenticators
Roaming authenticators can move from one system you use to another. If you are considering purchasing one of these devices in order to use it as a roaming authenticator, note that it must be compatible with the WebAuthn standard. If you own a compatible roaming authenticator, you can set it up to work with Duo at the Duo Device Management Portal.
Roaming authenticators are only supported in browser-based applications. They can not be used in command-line or Windows login authentications.
YubiKey Security Key vs YubiKey Passcode
A YubiKey is a hardware device that can be used as a second-factor option with Duo. Different models exist and offer a variety of capabilities. Some YubiKey devices can function only as a security key, while others can function as a passcode generator or as a security key. For more information on the difference, see:
YubiKey Passcode
A YubiKey is a USB security key device that generates passcodes for Duo. This is an alternate option for those who do not have or prefer not to use their smartphone or tablet device with Duo. There may be a cost to purchase the YubiKey device, but there is no cost to use a YubiKey with Duo at Caltech.
In order to use a YubiKey as a passcode generator, it must be a multi-protocol YubiKey that supports OTP (for example, a YubiKey 5 and not a YubiKey Security Key).
Duo Mobile Passcode
The Duo Mobile app generates passcodes. When prompted by Duo, the user manually types in the displayed passcode. This method is now considered less secure than some of the alternatives, and is also less convenient. It is not recommended when alternatives are possible.
Hardware Token Passcode
A hardware token is a physical device that generates passcodes and displays them on a screen. When prompted by Duo, the user manually types in the displayed passcode. This method is now considered less secure than some of the alternatives, and is also less convenient. It is not recommended when alternatives are possible.
No Longer Supported
These second-factor options are no longer considered secure and are not supported by IMSS.
- Phone call
- SMS
- Duo Mobile Push without a verification code (exception: Duo for Windows login, where the verification code is not supported yet)