Don’t be haunted by application fees! Undergraduate students can apply for free all month long.
Apply NowMulti-factor authentication (MFA)
Multi-Factor Authentication (MFA), also referred to as two-factor authentication or two-step verification, is a critical tool for protecting the security of personal, academic, and professional systems. By requiring multiple forms of verification, MFA adds an extra layer of defense beyond just a password, making it much more difficult for unauthorized users to access sensitive information. While in the process of logging into a device, website, or system, a code or prompt is sent via text, email, or mobile app. The recipient must interact via another device, application, or interface to complete the process. In fact, even if you're not familiar with the term, MFA is common enough today that you are probably using it without even thinking about it. MFA is offered (or even required) for most online banking accounts, and it's available on every popular social media platform.
In a university setting, where users interact with everything from personal data, homework, and academic records to research and professional communications, MFA helps to ensure that important systems are secure. This additional security measure helps safeguard against phishing, hacking, and data breaches, helping to maintain the integrity and confidentiality of university operations
Duo Security at CMU
Duo Security is CMU's primary service for providing MFA when logging into university services. With Duo MFA, your mobile phone is most commonly used as the second factor. Just install the Duo Mobile app, and you will receive a prompt on your mobile phone that you can use to verify that you are the person accessing your account. For additional information on how to set this up, please see our Duo Security MFA: Multi-Factor Authentication (MFA) Setup and FAQs article in the OIT Knowledge Base.
Frequently asked questions
Who is required to use Duo MFA at CMU?
All current students, faculty, and staff at CMU are required to use MFA to access their accounts. Alumni are not licensed for Duo MFA. After graduation or separation from CMU, you will no longer receive MFA prompts once you are not a current student, faculty, or staff member.
I'd rather not use MFA; can I just accept the security risks?
MFA is required not only for your protection, but for the protection of everyone else at CMU, so it's not possible to opt out of MFA. Scammers often use compromised CMU accounts to send phishing emails, since emails that stay within CMU's email system are subject to less spam scanning than external emails. This makes compromised accounts a security problem for everyone, not just for the account holder.
When do I need log in using MFA?
You only need to use MFA to confirm your identity when you log into CMU's online services from off-campus locations. You won't be prompted to use MFA when you are connected to CMU's Wi-Fi or wired network. We set it up this way to eliminate as much inconvenience as possible, since we can be reasonably sure that you're not a major scammer if you're located on campus.
How often do I need to use MFA?
By default, you will need to use MFA to confirm your identity each time you log in from off-campus. However, if you are on a trusted device, we recommend checking the Remember me for 30 days box on the MFA confirmation screen. That will prevent additional MFA verification on that device for 30 days.
Note:The remember me check box is both device- and browser-specific. You will still receive MFA prompts on other devices (or on the same device if you use a different web browser), but you can check the remember me check box for those as well.
What should I do if I receive a Duo request when I am not actively logging into something?
Do not approve the request!
Tap the Deny button on the Duo authenticator app. This will automatically send the information to the OIT Information Security Office for evaluation.
Why did this happen?
In most cases, it means that someone knows your GlobalID and password and is attempting to log in as you. The second factor is only triggered after the first factor has been verified, meaning the username/password must have been correct.
Does this mean my account is compromised?
No! It means that MFA protected your account, but you should immediately change your password to something unique and strong and change your security question.
What counts as being "on campus" for MFA purposes?
Being "on campus" means being connected to CMU's network over either Wi-Fi or a wired connection. This includes CMU's Mount Pleasant campus and some of CMU's satellite locations, but that depends on how their network is configured. Some things that seem like they might count as on campus do not. Notably, connecting to CMU's VPN network still requires MFA, as does using the Virtual Lab--even if you're accessing it from on campus
Do I have to use my smartphone for this?
We highly recommend using your smartphone unless it's absolutely impossible for you to do so. Using the Duo Mobile app allows you to confirm your identity by pressing a button from a simple, on-screen prompt. The app also provides a constantly changing code that you can use instead if your phone does not have an active internet connection for any reason. If using the Duo Mobile app truly isn't an option for you, contact the OIT Help Desk to discuss potential alternatives.
How do I change devices or add a new device for MFA?
Check out this OIT Knowledge Base article for multiple options.
Can I use multiple devices with Duo Mobile?
Absolutely. After you've enrolled your first MFA device, just set up a second phone or tablet for MFA by following our knowledge base article on adding or changing an MFA device (login required). While most people find that using one device for MFA is sufficient, it never hurts to have a backup in case your phone breaks. Just remember to keep your backup MFA device in a secure location!
Note: If you have already set up the question and answer to your account security question, you have access to self-service options for your CMU Global ID account, including MFA configuration, which is found on our My Account site.
How much data does it take to use Duo Mobile?
Using the "push" method of verifying MFA (which sends a notification to your device for you to accept) uses only about two kilobytes (2KB) of data, which is an incredibly small amount. It would take about 500 MFA pushes to equal one megabyte (1MB), which is also a very small amount of data.
Can I instead receive a text message with a code?
Unfortunately, SMS ("short message service," the common standard for text messages) isn't as secure as it is commonly believed to be. Through social engineering, SIM jacking, or exploiting established vulnerabilities with SMS, text messages have been a weak link in the security chain for years. Because of these inherent vulnerabilities, CMU does not allow for SMS-based MFA confirmation.
Can I use another authenticator app instead of Duo Mobile?
Only the Duo Mobile app can be used to receive MFA authorization push requests from Duo. Duo Mobile can act as an authenticator app for other services (but not the other way around), so you may prefer to add your other accounts to Duo Mobile. Unfortunately, using another app (e.g., Google Authenticator) for Duo is not supported.