Duo Two-Factor Authentication (2FA) Policy


Two-factor authentication (2FA) adds a second layer of security to Medaille College’s network accounts. This second form of authentication helps to prevent unauthorized access to an account, even if the password is compromised. Medaille College currently uses a product called Duo for two-factor authentication.

Duo provides a second form of authentication via mobile device app or hardware token. The mobile device app is recommended. Medaille College users must use at least one (1) registered method of two-factor authentication in Duo in order to log into a protected Medaille system or application.

Using Duo for two-factor authentication is mandatory for all Medaille systems and applications protected by Duo.


Under direction of the President, the Chief Information Officer and the President’s Cabinet are to ensure compliance with this policy. The Vice Presidents, Directors, and other members of management will implement and support this policy in their respective areas.


This policy applies to all Medaille faculty and staff members, as well as external entities who use Medaille systems and applications that are protected by Duo two-factor authentication.


1. Two-factor authentication adds a second layer of security to a Medaille Network Account. Some services and websites refer to this second layer of security as two-factor authentication, 2FA, two-step authentication, two-step verification, or login verification. This second form of authentication helps to prevent unauthorized users from accessing an account, even if the password is compromised.

2. The Duo Mobile app is available for phones and cellular-capable devices, both Apple and Android. It is available for free at both the Apple App Store and Google Play Store. It allows the user to say “Yes” or “No” to any attempted login to their account for Duo-protected services, thereby providing a second factor of authorization for these services.

3. A hardware token is a small device that can generate a passcode to use as a second factor of authorization to services protected by two-factor authentication.


1. Medaille College requires all faculty and staff members, as well as outside affiliates, to use either the Duo Mobile app or a hardware token as a method of two-factor authentication.

2. Hardware tokens may be obtained by employees as governed by the rules listed below:

a. Cellphone or tablet PUSH notifications are the most secure, and therefore recommended, method to use Duo 2FA. All Medaille faculty and staff are encouraged to use their personal cellphone or tablet to receive PUSH notifications from the Duo app.

b. Full-time faculty and full-time staff members who own technology that is too dated to install or run the Duo app will be given a hardware token upon submitting the Duo Token Request form, found on the IT website. If, for some reason, full-time faculty and staff members do not want to install Duo on their phone or tablet, they may buy a token for $60. Remember, the PUSH notification is the most secure method and does not cost anything to run on your phone or tablet.

c. Medaille adjunct professors and part-time staff who have a phone or tablet that is too old to run the Duo app, or who refuse to install the Duo app, will be provided a token after filling out the Duo Token Request Form and submitting a $60 security deposit to the Business and Finance Department. Please note that payment will be returned to you upon return of the token.

3. If you lose your hardware token, there will be a $60 charge to obtain a new one.

4. Tokens must be returned to the Medaille College IT Department or the Human Resources Department if your employment ceases at Medaille College, per the rules on the Token Request Form.


Violators of this policy may be subject to the removal of system access or disciplinary action, up to or including termination of employment at Medaille College.