Multi-Factor Authentication (MFA) at CMU

Multi-factor authentication (commonly abbreviated to "MFA") describes a login process that requires a second factor in addition to your password. In most cases, that second factor is a text message you receive or an app installed on your phone. In fact, even if you're not familiar with the term, MFA is common enough today that you're probably using it without even thinking about it. MFA is offered (or even required) for most online banking accounts, and it's available on every popular social media platform.

For security purposes, all Global ID accounts at CMU are required to use multi-factor authentication when logging into most online services. All faculty and staff are already using MFA, and students are able to optionally enroll in MFA as of April 5, 2021. While MFA is currently optional for CMU students, it will be made a requirement sometime early in the Fall 2021 semester.

Duo Security logo in green

MFA is simple to enroll in and use

Enrollment in MFA is easy. After you log in to one of CMU's online services, you should see a Duo Security screen that invites you to enroll. You can continue with enrollment or defer until a later time. If you choose to enroll, just make sure you have Duo Mobile* installed on your smartphone, and provide your phone number when asked.

For detailed instructions, please review our MFA setup knowledge base article.

*Note: Be sure you have Duo Mobile installed (logo above), not Google Duo. These are very different apps. (Yes, we also wish these commonly used apps did not have such similar names.)


Frequently asked questions

"Authentication" in IT speak can usually be generalized just to mean "login," so multi-factor authentication (commonly abbreviated to "MFA") describes a login process that requires a second factor in addition to your account password. In most cases, this is done by using a smartphone app to confirm your identity after you enter your password. Many people are already experienced with MFA, even if they're not familiar with the term, since it is a common requirement for most online banking services. MFA is also a very common method for adding extra security to social media accounts.

Basically, having MFA on your CMU account just means that, after you log in like usual, you will occasionally use a smartphone app to confirm that the login was you. This prevents unauthorized access to your CMU account, even if someone gets their hands on your password. MFA is one of the most powerful security tools for preventing your account from being compromised.
These days, online accounts contain an increasing amount of personally identifiable information. At the same time, passwords have become increasingly easy to compromise through phishing, social engineering, or other common methods. Relying solely on a password to protect your account isn't always enough. Adding MFA to your account provides an additional layer of security to keep your account and data safe.

Consider all of the too-good-to-be-true messages you receive about walking dogs for unbelievable sums of money, or think about the last time you received a suspicious email claiming that your CMU account will be closed if you don't reply with your Global ID and password. Those are both common scams. Even if you fall for one of those scams, the scammer won't be able to access your CMU account with just your password if you already have MFA enabled.

Now consider how many of those phishing emails come from CMU email addresses. The more accounts we secure with MFA, the fewer compromised accounts there are to deliver internal phishing messages.

All current students, faculty, and staff at CMU are required to use MFA to access their accounts. Faculty and staff have had MFA enforced since January 2021. Students are able to opt into using MFA beginning April 5, 2021. MFA will be required for students to access their accounts sometime during the Fall 2021 semester.

Note: Alumni are not licensed for Duo MFA. After graduation or separation from CMU, you will no longer receive MFA prompts once you are not a current student, faculty, or staff member.
MFA is required not only for your protection, but for the protection of everyone else at CMU, so it's not possible to opt out of MFA. Scammers often use compromised CMU accounts to send phishing emails to the rest of campus, since emails that stay within CMU's email system are subject to less spam scanning than external emails. This makes compromised accounts a security problem for everyone, not just for the account holder.
You will only need to use MFA to confirm your identity when you log into CMU's online services from off-campus locations. You won't be prompted to use MFA as long as you're connected to CMU's Wi-Fi or wired network*. We set it up this way to eliminate as much inconvenience as possible, since we can be reasonably sure that you're not a major scammer if you're located on campus. 

*Until you have enrolled in MFA, you will still encounter a screen inviting you to enroll each time you log in, even if you're connected to CMU's network.

By default, you will need to use MFA to confirm your identity each time you log in from off-campus. However, if you are on a trusted device, we recommend checking the "Remember me for 30 days" box on the MFA confirmation screen. That will prevent additional MFA verification on that device for 30 days.

Note: The "remember me" check box is both device- and browser-specific. You will still receive MFA prompts on other devices (or on the same device if you use a different web browser), but you can check the "remember me" box for those as well.
Setup is as easy as installing an app on your phone, and it only takes a few minutes. For instructions, please visit our MFA setup knowledge base article.
We highly recommend using your smartphone unless it's absolutely impossible for you to do so. Using the Duo Mobile app allows you to confirm your identity by pressing a button from a simple, on-screen prompt. The app also provides a constantly changing code that you can use instead if your phone does not have an active internet connection for any reason. If using the Duo Mobile app truly isn't an option for you, contact the OIT Help Desk to discuss potential alternatives.
First, we strongly recommend that you set up Duo Mobile on your new phone before wiping your old phone. That simplifies things dramatically, because it lets you use the old device to confirm your identity so that you can add the new device. With that in mind, just check out our knowledge base article on adding or changing an MFA device for step-by-step instructions.

Of course, it's easy to get caught up in the excitement of getting a new phone, so the OIT Help Desk can help out if you find yourself without a current MFA device.
Absolutely. After you've enrolled your first MFA device, just set up a second phone or tablet for MFA by following our knowledge base article on adding or changing an MFA device. While most people find that using one device for MFA is sufficient, it never hurts to have a backup in case your phone breaks. Just remember to keep your backup MFA device in a secure location!
Using the "push" method of verifying MFA (which sends a notification to your device for you to accept) uses only about two kilobytes (2KB) of data, which is an incredibly small amount. It would take about 500 MFA pushes to equal one megabyte (1MB), which is also a very small amount of data.
Unfortunately, SMS ("short message service," the common standard for text messages) isn't as secure as it is commonly believed to be. Through social engineering, SIM jacking, or exploiting established vulnerabilities with SMS, text messages have been a weak link in the security chain for years. Because of these inherent vulnerabilities, CMU does not allow for SMS-based MFA confirmation.
Being "on campus" means being connected to CMU's network over either Wi-Fi or a wired connection. This includes CMU's Mount Pleasant campus and some of CMU's satellite locations, but that depends on how their network is configured. Some things that seem like they might count as on campus do not. Notably, connecting to CMU's VPN network still requires MFA, as does using the Virtual Lab--even if you're accessing it from on campus.
Only the Duo Mobile app can be used to receive MFA authorization push requests from Duo. Duo Mobile can act as an authenticator app for other services (but not the other way around), so you may prefer to add your other accounts to Duo Mobile. Unfortunately, using another app (e.g., Google Authenticator) for Duo is not supported.