
Multi-factor authentication (MFA)

Multi-Factor Authentication (MFA), also referred to as two-factor authentication or two-step verification, is a critical tool for protecting the security of personal, academic, and professional systems. By requiring multiple forms of verification, MFA adds an extra layer of defense beyond just a password, making it much more difficult for unauthorized users to access sensitive information. While you are logging into a device, website, or system, a code or prompt is sent via text, email, or mobile app. You must then respond through another device, application, or interface to complete the process. In fact, even if you're not familiar with the term, MFA is common enough today that you are probably using it without even thinking about it. MFA is offered (or even required) for most online banking accounts, and it's available on every popular social media platform.

In a university setting, where users interact with everything from personal data, homework, and academic records to research and professional communications, MFA helps to ensure that important systems are secure. This additional security measure safeguards against phishing, hacking, and data breaches, helping to maintain the integrity and confidentiality of university operations.

Make Your Accounts Safer with Multifactor Authentication (MFA)

Duo Security at CMU

Duo Security is CMU's primary service for providing MFA when logging into university services. With Duo MFA, your mobile phone is most commonly used as the second factor. Just install the Duo Mobile app, and you will receive a prompt on your mobile phone that you can use to verify that you are the person accessing your account. For additional information on how to set this up, please see our Duo Security MFA: Multi-Factor Authentication (MFA) Setup and FAQs article in the OIT Knowledge Base.

Frequently asked questions

    All current students, faculty, and staff at CMU are required to use MFA to access their accounts. Alumni are not licensed for Duo MFA. After graduation or separation from CMU, once you are no longer a current student, faculty, or staff member, you will no longer receive MFA prompts.

    MFA is required not only for your protection, but for the protection of everyone else at CMU, so it's not possible to opt out of MFA. Scammers often use compromised CMU accounts to send phishing emails, since emails that stay within CMU's email system are subject to less spam scanning than external emails. This makes compromised accounts a security problem for everyone, not just for the account holder.

    You only need to use MFA to confirm your identity when you log into CMU's online services from off-campus locations. You won't be prompted to use MFA when you are connected to CMU's Wi-Fi or wired network. We set it up this way to eliminate as much inconvenience as possible, since we can be reasonably sure that you're not a major scammer if you're located on campus.

    By default, you will need to use MFA to confirm your identity each time you log in from off-campus. However, if you are on a trusted device, we recommend checking the Remember me for 30 days box on the MFA confirmation screen. That will prevent additional MFA verification on that device for 30 days.

    Note: The remember me check box is both device- and browser-specific. You will still receive MFA prompts on other devices (or on the same device if you use a different web browser), but you can check the remember me check box for those as well.

    Do not approve the request!

    Tap the Deny button on the Duo authenticator app. This will automatically send the information to the OIT Information Security Office for evaluation.

    Why did this happen?

    In most cases, it means that someone knows your GlobalID and password and is attempting to log in as you. The second factor is only triggered after the first factor has been verified, meaning the username/password must have been correct.

    Does this mean my account is compromised?

    No! It means that MFA protected your account, but you should immediately change your password to something unique and strong and change your security question.

    Being "on campus" means being connected to CMU's network over either Wi-Fi or a wired connection. This includes CMU's Mount Pleasant campus and some of CMU's satellite locations, but that depends on how their network is configured. Some things that seem like they might count as on campus do not. Notably, connecting to CMU's VPN network still requires MFA, as does using the Virtual Lab, even if you're accessing it from on campus.

    We highly recommend using your smartphone unless it's absolutely impossible for you to do so. Using the Duo Mobile app allows you to confirm your identity by pressing a button from a simple, on-screen prompt. The app also provides a constantly changing code that you can use instead if your phone does not have an active internet connection for any reason. If using the Duo Mobile app truly isn't an option for you, contact the OIT Help Desk to discuss potential alternatives.

    Check out this OIT Knowledge Base article for multiple options.

    Absolutely. After you've enrolled your first MFA device, just set up a second phone or tablet for MFA by following our knowledge base article on adding or changing an MFA device (login required). While most people find that using one device for MFA is sufficient, it never hurts to have a backup in case your phone breaks. Just remember to keep your backup MFA device in a secure location!

    Note: If you have already set up the question and answer to your account security question, you have access to self-service options for your CMU Global ID account, including MFA configuration, which is found on our My Account site.

    Using the "push" method of verifying MFA (which sends a notification to your device for you to accept) uses only about two kilobytes (2KB) of data, which is an incredibly small amount. It would take about 500 MFA pushes to equal one megabyte (1MB), which is also a very small amount of data.

    Unfortunately, SMS ("short message service," the common standard for text messages) isn't as secure as it is commonly believed to be. Through social engineering, SIM jacking, or exploiting established vulnerabilities with SMS, text messages have been a weak link in the security chain for years. Because of these inherent vulnerabilities, CMU does not allow for SMS-based MFA confirmation.

    Only the Duo Mobile app can be used to receive MFA authorization push requests from Duo. Duo Mobile can act as an authenticator app for other services (but not the other way around), so you may prefer to add your other accounts to Duo Mobile. Unfortunately, using another app (e.g., Google Authenticator) for Duo is not supported.