For multifactor authentication via Duo at CUIMC.

To help ensure that your login credentials (username and password) can't be used by someone else.  Requiring another piece of authentication via the Duo service means it is much less likely that your credentials can't be used by someone who obtained them through a phishing attack, data leak, virus/malware infection, etc.

Currently CUIMC VPN and some CUIMC department specific Citrix environments require MFA. Other services will be added in the future.  

CUIMC Duo is specifically for CUIMC related services and separate from CU. You will need to use the CUIMC enrollment form to set up a CUIMC account in Duo.  You will not need to re-install Duo; it will simply list both accounts within the Duo app.  

Duo is a security company that provides MFA services.  It is already being used at Columbia University as well as many other institutions and companies for MFA implementation.

It is not drastically different - you will still enter your username and password when logging in to CUIMC VPN - however there is now an additional, required "DUO Passcode" field that is used for your preferred Duo authentication method. 

Instructions are on the Using CUIMC VPN with Duo page.  The CUIMC IT website's VPN instructions also include detailed steps in the Connect to VPN on... pages, select the type of computer or device you are using to see them.

Yes, it is encouraged in case you cannot use the main device you selected when setting up Duo (e.g. forgot your cell phone at home or aren't near your desk). At the end of initial enrollment, or any time after you have already set up Duo, select the Add a new device link in the left of the enrollment form.

Once you have set up multiple devices, the order that they are listed in the enrollment form indicates the default (first one listed) and back up devices. 

To get your MFA prompt or call on a back up device, add its order number to the end of the authentication method.  For example, when logging in to CUIMC VPN with MFA, in the Duo Passcode field type "push2" instead of "push".  

While you can choose any method you prefer, Duo Push on a smartphone or tablet has received the best feedback for being fast and less likely to cause any issues. It also happens to be the most secure.

See this Duo Push: The Best Way to Authenticate page (PDF) for more detailed comparisons, or use the table below for a quick overview of available methods.


While using the Duo app on a smartphone is a popular option, you can also set it up to call a landline (or mobile number without the app) or install the app on a wifi-only tablet.

Log in to the enrollment form and select the My Settings and Devices link near the left.  For more help see Duo's My Settings & Devices guide.

You can contact the CUIMC IT Service Desk at extension 5-Help (212-305-4357), option 5. They will verify your identity and provide a temporary passcode to use for MFA.  Please also take time to Manage Your Devices in Duo so there are back up methods you can use without having to contact 5-Help.

Immediately contact the CUIMC IT Service Desk at extension 5-Help (212-305-4357), option 5, and we will lock your Duo account to prevent malicious activity. 

If you changed phones and hadn't set up a back up method to authenticate, such as a landline or passcodes, it will depend on whether the phone number changed.

If you now have a different phone number please contact the CUIMC IT Service Desk at extension 5-Help (212-305-4357), option 5.

If the phone number is the same one used when you enrolled in Duo you can select the Call Me option in Duo's Choose an authentication method prompt. After authenticating via the phone call you can select the My Settings & Devices link to remove the old phone/device and enroll the new phone for use with Duo Push. Select the CUIMC Duo Enrollment Form button on this page if needed to set it up.

If you have set up Duo and your CUIMC account on a smartphone or tablet, you can retrieve a one time use passcode from the Duo app without needing a wireless or cellular connection.

  1. When you are ready to login to CUIMC VPN, open the Duo app on your smartphone or tablet.
  2. Tap the key icon to the right of your CUMC account in the Duo app to reveal a 6 digit passcode.
  3. Enter the 6 digit passcode in the DUO Passcode field of the CUIMC VPN login window, along with your normal VPN credentials.

You can use the smartphone or tablet easily with both.  Open AnyConnect on it to login to CUIMC VPN and type push in to the DUO Passcode field.  You will see an overlay from the Duo app regarding the login request, simply tap it, then tap Approve.  The device will return to the AnyConnect CUIMC VPN login window and you can continue as usual to finish connecting.

You can have a passcode texted to your enrolled mobile number when you need to use MFA by typing sms into the VPN login window's DUO Passcode field.   

You can also have Duo send you a single use passcode by logging in to the enrollment form, selecting the Enter a Passcode option (you may need to cancel any default MFA prompt on the form first), then click Text me new codes in the lower right.  Please note that Duo for CUIMC only provides one passcode at a time, rather than a batch of passcodes.

Additional help is on the Duo website under the SMS Passcodes heading.

Please make sure you are entering the correct MFA notification type in the Duo Passcode field.  For example, if you type in "push" but have only enrolled to use a landline, you will not be notified.  For MFA on a landline you would need to type in "phone" instead.

The chart under the Which Duo MFA method should I use? FAQ above outlines what methods can be used with different device types.  

Smartphones and tablets using Duo also rely on cellular or wifi networks that may experience occasional delays.  If you entered "push" (and have already enrolled and set up the smartphone/tablet with your CUIMC Duo account) but do not get a prompt on your device, you can find Duo in the list of apps on the device, tap on it to open and see if a CUIMC MFA prompt appears.