Duo, Single Sign-On, & Two Factor Authentication

Phone call and text message sign-in are being retired. If you currently sign in by phone call or text, see Getting Ready for the Duo Sign-In Changes to switch to a stronger method.

What is Duo?

Duo is the Single Sign-On (SSO) and two-factor authentication service that secures most campus resources, including Gmail, Box, and Banner. It protects students, faculty, and staff from phishing and other identity-based attacks.

What is two-factor authentication?

Two-factor authentication (2FA) confirms your identity using two things: your password, plus something physical you have or are, such as your phone, your computer's fingerprint or face sensor, or a security key. If someone steals your password, they still cannot log in without that second factor.

Your authentication methods

  • Duo Push (recommended): Approve a notification in the Duo Mobile app and enter the 3-digit verification code shown on your screen. Works on any iPhone, Android phone, or iPad over Wi-Fi or cellular data.
  • Touch ID or Windows Hello (no phone needed): Approve sign-ins with the fingerprint, face, or PIN you already use to unlock your computer. Touch ID works on a Mac, and Windows Hello works on a Windows PC, in the Chrome or Edge browser. This method is set up per computer, and it does not work in Firefox. For step-by-step setup, see Getting Ready for the Duo Sign-In Changes.
  • Security key or passkey: A hardware security key or a passkey saved on your device. The most phishing-resistant option, and it works with no internet connection. See Setting Up a Security Key.

Setting up Duo (new users)

  1. Log into an Emerson resource that uses Duo, such as gmail.emerson.edu, with your Emerson email and password.
  2. At the Welcome to Duo Security screen, click Get started.
  3. At First, add a device, choose your method. We recommend Touch ID or Windows Hello (on your computer, in Chrome or Edge) or Duo Mobile for phones. You can also use a Security key.
  4. For Duo Mobile, install the app from the App Store or Google Play, then scan the QR code shown on screen (open the app, tap +, and point your camera at the code).

You can add more devices later, and we recommend setting up a second method as a backup.

Using Duo Push

When you sign in, a 3-digit code appears on your screen. Open the Duo Mobile app, tap the login request, and enter that code to confirm it is really you. This ensures that only you can approve your own sign-ins.

Only approve a request you started. If you receive a Duo notification, code, or call you did not initiate, deny it and contact the Help Desk immediately.

Managing your devices

To add, remove, or update a device at any time:

  1. Open a private or incognito browser window and go to gmail.emerson.edu, then log in.
  2. At the Duo prompt, click Other options.
  3. Click Manage devices and verify your identity.
  4. Click Add a device and follow the prompts.

We recommend registering more than one device so you are never locked out if one is lost or unavailable.

How "Trust this browser" works

After you authenticate, your browser remembers you for that application for up to 30 days, so you are not prompted every time. Trust is applied per application: the first time you sign into each application on a device, you complete Duo once for that application, then it remembers you independently. This limits the damage if one account is ever compromised.

Clearing your browser cache, or signing out of an application (for example, "Sign out of all accounts" in Gmail), will require you to authenticate again. Emerson lab and classroom computers wipe their profiles nightly, so they always require Duo.

Using Duo internationally

Methods that do not depend on a US phone number work anywhere in the world:

  • Duo Push works over Wi-Fi, so you can use it abroad even without cellular service.
  • Touch ID, Windows Hello, and security keys work locally on your device with no internet connection at all.

Frequently asked questions

What happens if I get a new phone?

Touch ID, Windows Hello, and security keys are tied to your computer or key, not your phone, so they keep working. To restore Duo Mobile on a new phone, install the Duo Mobile app, then go to Manage devices > Add a device > Duo Mobile and follow the prompts. If you have a registered backup method such as a security key, Touch ID, or Windows Hello, use it to verify your identity, then add the new phone.

If you have a new phone, a new number, and no backup method, contact the Help Desk at (617) 824-8080. We will verify your identity, remove the old device, and help you set up the new one.

What if I am locked out or have no available method?

Email helpdesk@emerson.edu from your Emerson account or the personal email we have on file, or call (617) 824-8080 during business hours. We will verify your identity and help you regain access, and we strongly recommend using that opportunity to add a second method.

What if I have no internet or cell reception?

Touch ID, Windows Hello, and security keys work with no connection at all, so they are the best choice when you may be offline. Duo Push works over Wi-Fi. If you know you will be offline, such as on a flight, log into the applications you will need in advance and choose Remember me for 30 days. We recommend this before time-sensitive events such as course registration.

Why is Duo asking me for a bypass code?

When Duo detects an unusual sign-in, it may require a more secure method in a process called step-up authentication, which uses Verified Duo Push. This can happen when you connect from a new network, appear to travel an unrealistic distance in a short time, or receive many push requests quickly. If you cannot complete the step-up, email helpdesk@emerson.edu to verify your identity and request a short-term bypass code, then add Duo Mobile, Touch ID, or Windows Hello so this does not happen again.

Can I register multiple devices?

Yes, and we recommend it. With a backup method, you can still sign in if your primary device is lost, broken, or out of battery. Add devices any time through Other options > Manage devices > Add a device.

How does this work with a shared mailbox or drive?

In most cases you should not share passwords. For Google Drive, share a folder with specific people instead of sharing an account. For Gmail, set delegates so each person signs in with their own account and Duo, then opens the shared mailbox. Password sharing for your personal Emerson account is not permitted.

Students use the lectern computer to present and Duo wastes class time. What can I do?

Have students connect their own laptops to the laptop station, or cast wirelessly in rooms that support it, rather than logging into the lectern computer. Alternatively, collect links to student projects in a shared Google Doc ahead of time and present from your own authenticated session.

I am getting a "System Error" telling me to contact the Help Desk.

This usually happens when your computer's IP address changes between loading the page and submitting your password, which Duo treats as a possible hijacked session. It is often caused by a VPN or by how your ISP routes your connection. Turn off any third-party VPN and try again. If you need a VPN to reach Google or other services from outside the US, use Emerson's VPN instead, which routes traffic back to Boston.

 Have any questions?

Contact the Help Desk at (617) 824-8080 or submit a ticket.

Articles in this section