Duo Authentication Methods

All users must set up at least one Duo authentication method. If you are unsure about which method to use, IMSS recommends starting with Duo Mobile Verified Push, which is secure, broadly compatible, and free to use with your modern iOS or Android mobile device. Below is a list of Duo authentication methods supported at Caltech.

Duo Mobile Verified Push

Duo presents a 3-digit code on your screen and "pushes" a login request to the Duo Mobile app on your iOS or Android phone or tablet. You review the request on your mobile device and enter the code to approve the log in. There is no cost to use the Duo Mobile Verified Push authentication method, but you must own a compatible smart phone or tablet device. Most modern iOS and Android devices are compatible.

• How to use Duo Mobile Verified Push

Platform Authenticators

Platform authenticators are authentication methods built into your device. Platform authenticators must be on the same device you are using to access a system protected by Duo. If your device has one of these features, you can set it up to work with Duo at the Duo Device Management Portal.

• How to use Touch ID
• How to use Windows Hello

Platform authenticators are only supported in browser-based applications. They can not be used in command-line or Windows login authentications.

Roaming Authenticators

Roaming authenticators can move from one system you use to another. If you are considering purchasing one of these devices in order to use it as a roaming authenticator, note that it must be compatible with the WebAuthn standard. If you own a compatible roaming authenticator, you can set it up to work with Duo at the Duo Device Management Portal.

• How to use YubiKey Security Key

Roaming authenticators are only supported in browser-based applications. They can not be used in command-line or Windows login authentications.

YubiKey Security Key vs YubiKey Passcode

A YubiKey is a hardware device that can be used as a second-factor option with Duo. Different models exist and offer a variety of capabilities. Some YubiKey devices can function only as a security key, while others can function as a passcode generator or as a security key. For more information on the difference, see:

• YubiKey Security Key vs YubiKey Passcode

YubiKey Passcode

A YubiKey is a USB security key device that generates passcodes for Duo. This is an alternate option for those who do not have or prefer not to use their smartphone or tablet device with Duo. There may be a cost to purchase the YubiKey device, but there is no cost to use a YubiKey with Duo at Caltech.

• How to use YubiKey passcode

In order to use a YubiKey as a passcode generator, it must be a multi-protocol YubiKey that supports OTP (for example, a YubiKey 5 and not a YubiKey Security Key).

Duo Mobile Passcode

The Duo Mobile app generates passcodes. When prompted by Duo, the user manually types in the displayed passcode. This method is now considered less secure than some of the alternatives, and is also less convenient. It is not recommended when alternatives are possible.

• How to use Duo Mobile passcode

Hardware Token Passcode

A hardware token is a physical device that generates passcodes and displays them on a screen. When prompted by Duo, the user manually types in the displayed passcode. This method is now considered less secure than some of the alternatives, and is also less convenient. It is not recommended when alternatives are possible.

• How to use hardware token passcode

No Longer Supported

These second-factor options are no longer considered secure and are not supported by IMSS.

• Phone call
• SMS
• Duo Mobile Push without a verification code (exception: Duo for Windows login, where the verification code is not supported yet)