Faculty & Staff Two-Factor Authentication (2FA) FAQ

Summary

- How to authenticate from classroom or office
- How to get authentication token
- DUO notifications and notices

Body

Two-Factor Authentication (2FA) on Campus: What You Need to Know

Effective June 25, 2025, all BYU-Idaho on-campus devices will require Duo Two-Factor Authentication (2FA) when accessing web-based BYU-Idaho applications that use Single Sign-On (SSO) - such as Canvas, Workday, and the BYUI Website. 

Note: You will not need to use 2FA to sign in to the device  - only when logging into BYU-Idaho applications via the web browser. 

To avoid disruptions, please test your setup ahead of time and be sure to bring your phone or other authentication method with you to campus.

How can I test the new 2FA before June 25th?

To test the new 2FA system, try signing in to any BYU-Idaho protected website (like Canvas, the BYUI Portal, or Workday) from a device that is not connected to the BYU-Idaho network.

For example:

  • Use your phone with cellular data (not connected to BYUI Wi-Fi)
  • Or try logging in from home or another off-campus location

This will simulate the same experience you’ll have when 2FA is required on campus starting June 25. Be sure to have your phone or authentication device with you during the test.

 

Why is 2FA being implemented? 

2FA provides an extra layer of security to your account. Even if your password is compromised, 2FA helps prevent unauthorized access. Learn more: Why Do We Need Two-Factor Authentication?

 

How do I set up 2FA?

Setting up DUO 2FA is simple. Follow this guide: How-to: Setup, Install, Enroll, Activate DUO Mobile.

 

What if I don’t have a mobile device?

If you don’t have a smartphone, there are several alternative 2FA methods available: 

Supported Methods:

  • Biometric login (Face ID, Touch ID, Windows Hello, Android Biometrics)
  • WebAuthn FIDO2 security keys
  • YubiKey-generated passcodes
  • Hardware token codes

Hardware Token Option:

If you’re unable to use a mobile device,  employees can request a hardware token by contacting the IT Service Desk.

  • The first token will be provided by the university at no cost to you.
  • If the token is lost, or if you would like an additional one, you will need to purchase the replacement.
  • Note: This option is for employees only. Students will have to acquire a hardware token themselves. 

Temporary Solution:

If you’ve forgotten your device or are temporarily unable to use it, the IT Service Desk can issue a bypass code to allow short-term access.

Contact the IT Service Desk at (208) 496-1411 or use the Chat option at byui.edu/help

 

Can I use a security key with Duo?

Yes! You can use a DUO-compatible security key or hardware token.

  • Hardware tokens can be requested from the IT Service Desk free of charge. If lost or misplaced, you will be responsible for replacing it.
  • Tokens generate one-time passcodes and are valid as long as 2FA is required at BYU-Idaho.

See our guide: Security Keys and Duo

 

Will I need to do 2FA in classrooms or offices?

Yes—but only when accessing BYU-Idaho resources that require Single Sign-On (SSO). Starting June 25, 2025, you will be prompted for Duo 2FA when logging into SSO-protected services such as:

  • Canvas
  • Outlook
  • Workday
  • The BYU-Idaho Portal
  • Any other system that uses the Church Account sign-in page

You will not be prompted for 2FA when simply logging in to the computer itself (such as Windows or macOS). That means:

  • Logging into a classroom teaching station, lab computer, or office workstation with your BYUI credentials will not require 2FA
  • Accessing an SSO resource from that device (like opening Canvas or Outlook) will prompt a 2FA challenge

Tip: If you see the Church’s login screen while accessing a resource, that’s a good sign 2FA will be required.

 

How can I avoid phone disruptions during class?

Since your phone will be needed for 2FA, we recommend silencing your device or enabling Do Not Disturb before class or meetings.

How to Silence Your Phone or Enable Do Not Disturb

This will help avoid unnecessary disruptions during teaching or learning.  

 

What should I do if I get an 2FA request I didn’t initiate?

If you receive a Duo prompt that you didn't request:

  1. Deny the request immediately.
  2. Contact the IT Service Desk to report the incident to the Security Operations Center.
  3. Go to https://account.churchofjesuschrist.org/recovery and reset your Church password. 

This may indicate an attempted unauthorized login.

 

Need Help?

📞 Call: (208) 496-9009

💬 Chat: Visit byui.edu/help and use the chat bubble

Hours of Operation:

Monday–Friday: 7:30 AM – 8:00 PM

Saturday: 10:00 AM – 4:00 PM (Mountain Time)

Closed during weekly devotional, forum hour, and university holidays

Details

Details

Article ID: 11649
Created
Thu 10/13/22 2:12 PM
Modified
Tue 5/27/25 8:14 PM

Related Articles

Related Articles (1)

Why Do We Need 2-Factor Authentication?
- Purpose of 2-Factor Authentication
- What 2FA is helping to protect
- Safeguarding your account

Related Services / Offerings

Related Services / Offerings (1)

Duo Hardware Token Request