To help ensure that your login credentials (username and password) can't be used by someone else. Requiring another piece of authentication via the Duo service means it is much less likely that your credentials can be used by someone who obtained them through a phishing attack, data leak, virus or malware infection, etc.

The services that require it are:

Other services will be added in the future.  

CUIMC Duo is specifically for CUIMC related services and separate from CU. You will need to use the CUIMC enrollment form to set up a CUIMC account in Duo.  You will not need to re-install Duo; it will simply list both accounts within the Duo app.  

Duo is a security company that provides MFA services.  It is already being used at Columbia University as well as many other institutions and companies for MFA implementation.

While you can choose any method you prefer, Duo Push on a smartphone or tablet has received the best feedback for being fast and less likely to cause any issues. It also happens to be the most secure. If you have concerns with installing the app or privacy please see Duo's Mobile Privacy Information.

The Duo Push: The Best Way to Authenticate page (PDF) also has more detailed comparisons, and you can use the table below for a quick overview of available methods.


It is not drastically different - you will still enter your username and password when signing in.


There is an additional required "DUO Passcode" field that is used for your preferred Duo authentication method.  Instructions are on the Using CUIMC VPN with Duo page.  The CUIMC IT website's VPN instructions also include detailed steps in the Connect to VPN on... pages when viewing the steps for your computer or mobile device type.

CUIMC Email and Office 365 Apps

When you initially open Outlook, or another of the Office 365 Apps or web portals (including Word, Excel, SharePoint, OneDrive, etc.) from off campus, after entering your email password you will either be sent your default authentication prompt from Duo or see a Duo menu to select an option. After approving the sign in via Duo, the program will open as usual. See Use CUIMC Email and Office 365 Apps with Duo for instructions.

It is only required if you are not directly connected to the campus network, via wired, secure wireless (Mercury), or CUIMC VPN. It also does not mean that you are prompted to sign in more frequently than you did before Duo was required, just that Duo must be used in addition to your account and password when you are off campus.
The time you remain signed in on a given computer, device, or app, can be referred to as a "session", which varies depending on what you are using.
Web browser sessions, where you are signed in to Web Outlook, SharePoint, or another Office 365 portal or website, will end after a period of inactivity or when the browser is closed.

The Outlook program or app on a computer, phone, or tablet, will typically store the session for a much longer time.

There is also a Remember me option you can check when signing in with Duo that will keep you from having to use Duo on the device again for the period of time indicated.

Yes, it is encouraged in case you cannot use the main device you selected when setting up Duo (e.g. forgot your cell phone at home or aren't near your desk). At the end of initial enrollment, or any time after you have already set up Duo, select the Add a new device link in the left of the enrollment form. 

Once you have set up multiple devices (see our How to Enroll steps or Duo's guide for help if needed), the order that they are listed in the enrollment form indicates the default (first one listed) and back up devices. 

To get your MFA prompt or call on a back up device:

Add its order number to the end of the authentication method.  For example, when logging in to CUIMC VPN with MFA, in the Duo Passcode field type "push2" instead of "push".  

CUIMC Email and Office 365 Apps
You will see a menu on screen when signing in where you can select your device and preferred authentication method for this sign in. If it immediately attempts any default method you do not want to use for this sign in, click the Cancel button that will appear in the bottom right.

While using the Duo app on a smartphone is a popular option, you can also set it up to call a landline (or mobile number without the app) or install the app on a wifi-only tablet.

If you use CUIMC VPN (as well as other services), log in to the enrollment form and select the My Settings and Devices link near the left. For detailed steps and more help, see our instructions here or Duo's My Settings & Devices guide.

If you enrolled when signing in to Office 365 and are not eligible to use CUIMC VPN, sign in to an Office 365 portal or app (such as Web Outlook) and select the Manage Devices link at the bottom of the Duo prompt. Full steps are on Duo's website.

You can contact the CUIMC IT Service Desk at extension 5-Help (212-305-4357), option 5. They will verify your identity and provide a temporary passcode to use for MFA.  Please also take time to Manage Your Devices in Duo so there are back up methods you can use without having to contact 5-Help.

Immediately contact the CUIMC IT Service Desk at extension 5-Help (212-305-4357), option 5, and we will lock your Duo account to prevent malicious activity. 

If you changed phones and hadn't set up a back up method to authenticate, such as a landline or passcodes, it will depend on whether the phone number changed. 

  • If you now have a different phone number and do not have a back up method please contact the CUIMC IT Service Desk at extension 5-Help (212-305-4357), option 5.
  • If the phone number is the same one used when you enrolled in Duo, you can select the Call Me or Enter a Passcode option in Duo's Choose an authentication method prompt. For detailed help using these methods please see our instructions here.

After authenticating via the phone call you can select the My Settings & Devices link to remove the old phone/device and enroll the new phone for use with Duo Push. Select the CUIMC Duo Enrollment Form button on this page if needed to set it up, or see Duo's My Settings & Devices guide for more help.

If you have set up Duo and your CUIMC account on a smartphone or tablet, you can retrieve a one time use passcode from the Duo app without needing a wireless or cellular connection.

  1. When you are ready to sign in to VPN (or other service requiring CUIMC Duo MFA), open the Duo app on your smartphone or tablet.
  2. Tap your CUMC account in the Duo app to reveal a 6 digit passcode (you may have to tap Show next to the passcode first if it is hidden).
  3. Enter the 6 digit passcode appropriate field of the sign in screen. 

Yes, it is easy to use CUIMC Duo regardless of where you are.

If you are somewhere where you do not have a cellular signal or data plan, the Duo Mobile app on your smartphone or tablet can generate a passcode for you to use.

If you have a signal and data plan, using Duo is as easy as tapping the Approve button on your phone or tablet when you choose Duo push as your authentication method.

To comply with economic and trade sanctions by the U.S. Office of Foreign Assets Control (OFAC), Duo blocks access from countries or regions subject to economic and trade sanctions. If a computer or mobile device connects using an "IP" (network) address from one of the areas, it will not be able to reach or use the program: Cuba, Iran, North Korea, Syria, and the regions of Crimea, Luhansk, Donetsk, and Sevastopol. 

Those in one of the blocked regions will see the error "Access denied. Duo Security does not provide services in your current location." if using a web-based application; otherwise it may only show a login failed message. For the most current information please see Duo's website.

You can use the smartphone or tablet easily with both. After signing in to the service and selecting to send your device a Duo Push, you will see an overlay from the Duo app (usually at the top of the window) regarding the log in request. Simply tap it, then tap Approve. The device will return to the CUIMC service's sign in to complete it and connect.

You can have a passcode texted to your enrolled mobile number when you need to use MFA by:

  • VPN - typing sms into the VPN login window's DUO Passcode field
  • Other services - when signing in you will see a Duo prompt. If it attempts a default method such as Duo push, click Cancel in the bottom right first, then select Enter a Passcode. Then click Text me new codes in the bottom right to receive a text message with a one time use passcode.

Please note that Duo for CUIMC only provides one passcode at a time, rather than a batch of passcodes.

Additional help is on the Duo website under the SMS Passcodes heading.

When using CUIMC VPN, please make sure you are entering the correct MFA notification type in the Duo Passcode field.  For example, if you type in "push" but have only enrolled to use a landline, you will not be notified.  For MFA on a landline you would need to type in "phone" instead.

The chart in the Which Duo MFA method should I use? FAQ above outlines what methods can be used with different device types.  

Please check to make sure that any do not disturb or notification settings on your device are not blocking the Duo prompts.

Smartphones and tablets using Duo also rely on cellular or wifi networks that may experience occasional delays. If you entered "push" (and have already enrolled and set up the smartphone/tablet with your CUIMC Duo account) but do not get a prompt on your device, you can find Duo Mobile in the list of apps on the device, tap on it to open and see if a CUIMC MFA prompt appears.