Frequently Asked Questions

Click on a question below to expand and read answer. 


It’s called two-factor authentication because the user needs two factors to “authenticate” i.e. log in. Your password is an “authentication factor” i.e. it is used to confirm your identity. If I ask you to supply both a password and something else to prove your identity (the “second factor”), that’s two factor authentication.

Logging in to an ATM is 2fa: you must have the pin (the first factor) and you must have the ATM card (the second factor). If you don’t have both, you don’t log in.

The most common second factor in use today is a user’s smartphone. Most 2fa methods allow you to text a code to your smartphone, or install an app on your cellphone that prompts you to accept or deny a login.


2fa prevents attackers from using stolen passwords. While 2fa does not prevent users from giving away their passwords to an attacker, 2fa does prevent the attacker from using those passwords. The attacker might have your password (the first factor), but they don’t have your cellphone (the second factor) and thus cannot log in as you.


A&M-SA devotes considerable resources (training, technology) to prevent users from giving their passwords to attackers. Nevertheless, A&M-SA users, like users around the world, routinely divulge their passwords to attackers, typically in response to phishing emails.


Pretty much everybody. The US military, Google, Facebook, Twitter, Amazon, Ebay, all major banks and credit cards, and many many others: all offer or require 2fa.


It's a device that you can use as your second authentication factor.


  1. Any Internet-connected device that runs Android or iOS: iPhones, Android phones, iPads.
  2. Any device that can receive a phone call: not-so-smart cellphones, landline/deskphones.
  3. A select number of hardware tokens.

  1. Register your smartphone and set it as your primary device.
  2. Register your A&M deskphone as a backup device in case your smartphone is not available.

Yes, and ITS recommends that you enroll your A&M-SA deskphone as a backup Duo Device. But if you use your deskphone or other landline phone as your only Duo Device, then you will need to be sitting at that phone when Duo challenges you.


Yes, you can install Duo on multiple smartphones and on iOS devices (e.g. iPads).


No. Sorry.


Most of the scenarios below depend on whether you have alternate Duo methods: you registered another phone (mobile or landline) or a USB token, or you have a valid Duo passcode on you.

"I lost my smartphone or left it somewhere else"

If you have an alternate Duo method, use it.  This is why it’s a good idea to have a USB token on your keyring, or have some printed passcodes in your wallet/purse. If you have no alternate methods, contact that ITS Helpdesk at 210 784 4357.

"I got a new phone, but I have the same number"

If you change your phone but still have the same number, you can still authenticate via phone call to the new phone. If you have a Duo passcode or a registered USB token, you can use those too. HOWEVER, Duo Push authentications to the Duo Mobile app will not work until you do the following:

  • Download and install the Duo Mobile app on your new smartphone.
  • Go to duoportal.tamiusa.edu and log in with your username and password.
  • When the Duo prompt appears, choose "Call Me."  Duo will call your phone.  Follow the instructions.
  • Once you are on the screen called "My Settings and Devices," click on "Add another device"
  • At the next screen, choose "Mobile Phone" and click Continue
  • At the next screen, enter your mobile number. Duo will ask you to confirm that you're replacing an existing device. Check the box and click Continue
  • At the next screen, choose the phone type (Android, iOS, etc.)
  • At the next screen, click "I have Duo Mobile installed"
  • At the next screen, launch Duo Mobile app your phone, click the "+" in the Duo Mobile app, and hold it up to the barcode on the screen.
  • Your new phone is now enrolled in Duo!

"I've changed my number, but I have the same phone."

If you changed your number, but still have the same phone, you can still authenticate via the following alternate methods:

  • Duo Push to the same phone
  • Call to another registered phone (e.g. your deskphone)
  • Passcodes
  • Registered USB token

HOWEVER, "Call Me" to the old cell number and SMS texting of new passcode batches to the same phone will not work until you do the following:

  • Go to duoportal.tamiusa.edu and log in with your username and password.
  • When the Duo prompt appears, authenticate with either a Duo Push, a passcode, or a USB token. If you have none of these, then you will need to contact that ITS Helpdesk at 210 784 4357 and have them delete your Duo account.
  • Otherwise, once you are on the screen called "My Settings and Devices," click on "Add another device"
  • At the next screen, choose "Mobile Phone" and click Continue
  • At the next screen, enter your mobile number and click Continue
  • At the next screen, choose the phone type (Android, iOS, etc.)
  • At the next screen, click "I have Duo Mobile installed"
  • At the next screen, launch Duo Mobile app your phone, click the "+" in the Duo Mobile app, and hold it up to the barcode on the screen.
  • Your new phone is now enrolled in Duo!
  • Go back to the "My Settings and Devices" screen, click on "Device Options" button next to the old phone number, and delete.

"I have a new phone with a new number."

If you have a new phone with a new number, then the next question is whether you have any of the following items:

  • Another registered phone (landline or cell);
  • A registered USB token, or;
  • A valid Duo passcode.

If you have none of these, then you will need to contact the ITS Helpdesk at (210) 784-4357 so they can delete your Duo account. You can then restart the Duo enrollment process from the start. If you DO have one of the items above, then:

  • Install the Duo Mobile app on your new phone.
  • Go to duoportal.tamiusa.edu and log in with your username and password.
  • When the Duo prompt appears, choose one of the items from the list above and authenticate.
  • Once you are on the screen called "My Settings and Devices," click on "Add another device"
  • At the next screen, choose "Mobile Phone" and click Continue
  • At the next screen, enter your mobile number. Duo will ask you to confirm. Check the box and click Continue
  • At the next screen, choose the phone type (Android, iOS, etc.)
  • At the next screen, click "I have Duo Mobile installed"
  • At the next screen, launch Duo Mobile app your phone, click the "+" in the Duo Mobile app, and hold it up to the barcode on the screen.
  • Your new phone is now enrolled in Duo!

It’s the specific method Duo uses to communicate with the selected Duo Device (e.g. smartphone or deskphone). There are a number of Duo Methods, and some work with some Duo Device types, and some do not:

Duo Method Device Requirements Notes
Push Any device that 1) has the Duo Mobile app installed and 2) is connected to the Internet The most commonly used option because it is the quickest and most convenient.
Call Any device that can receive a phone call If you pay for incoming calls, you'll pay for these calls.
SMS Passcodes Any device that can receive SMS text messages If you pay for incoming text messages, you'll pay for these text messages
Authenticator Passcodes Any device that has the Duo Mobile app installed Device does not need to be connected to the Internet, or able to receive calls, or able to receive text messages.

Duo Method: Push. This method only works with devices that 1) have the Duo Mobile app installed and 2) are connected to the Internet. When you use this method, your smartphone will chirp and ask you to approve or deny the login request. This is far and away the most convenient and popular method.

Duo Method: Call. This methods works with any device that can receive a phonecall. Your phone will ring and an automated voice will ask you to press any key to approve the login.

Duo Method: Passcode. This is actually two different methods.

  • Authenticator Passcodes works with any device that has the Duo Mobile app installed. The device does not need to be connected to the Internet or be able to receive text messages. When you choose this method, the Duo Window will ask you to enter a 6-digit code. Launch the Duo Mobile app on your device, and tap on the entry for Texas A&M University – San Antonio. A six-digit code should appear e.g. 047 412. Enter this number into the Duo Window.
  • SMS Passcodes works with any device that can receive text messages. Duo will text you a set of one-time passcodes that you can enter. See https://guide.duo.com/other-phones for more information under the "SMS Passcodes" section

Remember Me is a checkbox on the Duo Window.

When the checkbox is checked, and if you successfully authenticate via Duo, Duo will not challenge you for seven days on that computer and with that browser. For example, if I sit at computer A, launch Firefox, go to Blackboard, check “Remember Me,” and successfully authenticate via Duo, then I will not be challenged by Duo again for 7 days, as long as I am on Computer A and using Firefox. I can even log into other protected applications (e.g. email) without being challenged.

But if I switch from Firefox to Chrome, I might be challenged before the 7 days are up. Likewise, if I attempt to log into a protected application on Computer B, I might be challenged before the 7 days are up. For the nerds out there, remember-me is based on browser-side cookies, which explains this behavior.


2fa is so good at improving security that the Texas A&M University System purchased Duo for all A&M institutions – A&M-SA must pay for Duo whether we use it or not. And we must use it - the System has made it a policy that all A&M institutions must implement 2fa (TAMUS Regulation 29.01.03, Section 5.1)


Yes, the Duo information is stored on Duo's servers in the cloud.


Duo stores your username and information about the devices you use to authenticate, e.g. cellphone number. It does not store your passwords or any other personal information.


Yes. TAMUS and A&M-SA have two different Duo installations. You don’t need to install the Duo app again, but you will need to go through the enrollment process for A&M-SA.


Passcodes are an excellent emergency backup method for getting past Duo when you’ve lost/forgotten your primary device (e.g. mobile phone). You generate ten passcodes at a time.  Each passcode can be used only once.  You can generate another batch of ten at any time, which invalidates any unused passcodes from the previous batch. 

Process for generating ten SMS Passcodes:

  1. Make sure you have your smartphone or other registered device with you.
  2. Open a browser on any device.  Preferably, use a private/incognito browser session.
  3. Go to duoportal.tamusa.edu.
  4. Enter your username and password, if required.
  5. You should get the Duo prompt screen with three green buttons (Send Me a Push, Call Me, Enter a Passcode).
  6. Click on the green “Enter a Passcode” button.
  7. Click on the blue “Text me new codes” button at the bottom of the screen.
  8. You will receive a text message on your smartphone.  It will have ten 7-digit codes on it.  The first code begins with 1, the second with 2, and so forth until the tenth code which begins with 0.
  9. Write these codes down on a piece of paper and keep that paper secure in your handbag/wallet/etc.

Using Passcodes

When you are prompted by Duo and you don’t have your smartphone:

  1. Click on “Enter a Passcode”
  2. Enter the next available passcode from your paper
  3. Cross that passcode off on the paper.

IMPORTANT

  • Each code can be used only once. 
  • As you use the passcodes, cross them off on your paper. 
  • If and when you get down to the last one or two passcodes, re-do the process for generating 10 SMS passcodes (above), so you don’t run out.  This will invalidate any unused passcodes from the previous batch.
  • Call the Helpdesk at 210 784 4357 for assistance, or if these instructions are incorrect.

Which tokens can I buy/use?

If you already have a USB token, then it will work with Duo if it supports the Universal Second Factor (“U2F”) protocol. Examples include the $20 Yubico Security Key, the $16 Feitian ePass, and the $8 HyperFIDO mini. If you don’t already own a U2F USB token, we recommend the $8 HyperFIDO mini.  It can be used to secure not only Duo, but also your Facebook, Google, Dropbox and Twitter accounts. 

How Do I Use My USB Security Token?

One-time setup:

  1. Plug the token into a USB port on your computer.
  2. Launch Chrome on that computer.  (Yes, it has to be Chrome if you want to register a U2F token).
  3. Go to duoportal.tamusa.edu, log in, and Duo-authenticate. 
  4. Click on the “Add another device” link.
  5. Choose “Security Key” and click “Continue.” 
  6. Click “Continue”.
  7. A little light on your token should start flashing.  On the HyperFIDO mini, push the little button on the token’s end.  On the Feitian/Yubico, press your finder against the metal flashing plate.
  8. Your USB token has been registered with Duo. 

Now, when you get the Duo challenge screen, you will see an option to login with your security key. Plug the key in and tap it.