Cisco Duo: FAQ

The error message "Not enrolled in Duo" means that you have not yet configured multi-factor authentication for your account, but you are trying to access a service that requires it.

Set up multi-factor authentication for your account and then try logging in again to the service where you received the error message.
Use the following instructions: Initial registration in Cisco Duo

You will receive the error message “You don't have an authentication option that would allow you to access this application” if you previously configured Cisco Duo, but all of your devices registered as second factors are no longer active. This can be caused, for example, by deleting the Duo Mobile application or resetting your smartphone to factory settings without first adding another device.

In this case, please contact our helpdesk.

The University of Cologne is introducing multi-factor authentication (MFA) to decisively counteract the risk of cyber attacks and to intensify the protection of data and devices.

This involves one or more independent factors that must be used in addition to the user name and password in order to increase protection against unauthorized access to services, software and data.

Multi-factor authentication (MFA) is implemented with Cisco Duo.

Cisco Duo is a system that includes several authentication options as a so-called second factor that can be used flexibly.

Cisco Duo offers various options for using a second factor:

• "Duo Mobile" app
• FIDO2 key: In certain web-based logins, a FIDO2 key (e.g. YubiKey, Titan Security Key or similar) can also be used as a second factor. As this procedure is only available in web-based logins, a FIDO2 key can only be added later via the device administration. If you would like to use a FIDO2-Key as your only second factor, please contact our helpdesk. If you would like to add a FIDO2 key to your account as the sole second factor, please contact our helpdesk. Please note that we cannot provide technical support on how your FIDO2 key works, only on the general setup process with Duo. Please have a look at our dedicated instructions on that topic.
• If you do not want to or cannot use an app or FIDO2 key, please contact the ITCC helpdesk.

No, Cisco Duo does not support the use of other authentication apps. The Duo Mobile app and Duo's service are designed to work together. Duo Mobile can replace other passcode-generating apps for third-party accounts, but other apps cannot replace Duo Mobile.

The following services require additional verification with Cisco Duo:

• VPN
• Matrix
• KLIPS 2.0

More services will be added in the future.

Currently, there is no destinction between groups of people at UoC (e.g. students and staff). For all services where using Cisco Duo is mandatory, everyone needs to use Cisco Duo regardless of their status group.

See also the question titled Which services are secured with Cisco Duo?

The “Second factor” refers to all authentication options (devices) that you have stored in Cisco Duo. You can view these in the self-service portal and add or remove new ones.

Initial registration for Duo is only possible via devices located on the UoC campus (not from home or on the move via VPN).

If you are not located in the Cologne area and therfor can not register on the Cmapus, please contact the ITCC helpdesk.
Be advised, it it forbidden to share your account credentials with anyone else according to our terms of use. Violating those terms will result in disabling your account.

Please refer to our initial setup guide. There you will find instructions on how to generate a QR code.

If you wish to add another device as a second factor to your existing device, for example because you are changing your smartphone, please refer to the device management instructions.

The same second factor applies to all services secured via Cisco Duo. Therefore, if you are already using Cisco Duo for VPN, you can easily use KLIPS as well, with no further steps.

We have described how to add another device as a second factor in these instructions:

Instructions: Device management - Add device

We have described how to remove a device as a second factor in these instructions:

Instructions: Device management - Remove device

Please contact the ITCC helpdesk.

If you haven't setup a second factor yet, you should start with our guide:

Initial registration in Cisco Duo

If you want to remove your old mobile device as a second factor, you can follow our instructions:

Instructions: Device management - Remove device

We have described how to add your new mobile end device as a second factor in these instructions:

Instructions: Device management - Add device

After you have logged in to the Slef Service Portal with your user name and password, please do not authenticate yourself via a second factor at first, but select "Manage devices" and only authenticate yourself in the next step. You can find step-by-step instructions here:

Instructions: Device management - Add device (step 1-4

Your telephone number is not required and therefore does not need to be entered. Select "I have a tablet" instead. You can find illustrated instructions here:

Instructions: Device management - Add device (step 6)

To use the Duo Mobile app on an end device as a second factor, at least one of the following requirements must be met:

• Android 12 or higher
• iOS 17.0 or higher
• iPadOS 17.0 or higher

The system requirements might change in the future. In case of doubt please check the corresponding PlayStore or AppStore.

The Duo Mobile app needs to be kept up to date, which is usually done through updates via the Play Store or App Store. After February 2nd, Duo Mobile can only be used in version 4.85 or later. Your current version is displayed at the bottom of the hamburger menu (top left) in the Duo Mobile app. Alternatively, you can also find the version in your system settings.

Your devices must be protected by a screen lock e.g. PIN, pattern, fingerprint etc. Otherwise your authentication attempts will be rejected. Authentication attemps from android devices not passing Google's Play Integrity checks (e.g. for unlocked bootloader or root access) will be rejected automatically.

Please contact our ITCC-Helpdesk.

Please contact the ITCC helpdesk as soon as possible or come to our information desk in person during our opening hours.

If you want to remove your old mobile device as a second factor, you can follow our instructions:

Instructions: Device management - Remove device

We have described how to add your new mobile end device as a second factor in these instructions:

Instructions: Device management - Add device

Yes, you may use your private smartphone to install and use Duo Mobile.

The Duo Mobile app collects some data that is required for secure operation. The following data can be viewed by authorized ITCC employees and is only viewed by them to process support requests or to assess individual account security. It is expressly not passed on to other university departments.

The data collected and transmitted by the app includes:

• Smartphone model
• Installed Android or iOS version
• Timestamp of the last connection to the server
• Data about your smartphone's security status
  • Integrity of the system/‘root access’ (devices that do not pass the Play Integrity check are rejected)
  • Encryption status (is the smartphone data encryption enabled? Current smartphones encrypt their owner's data by default)
  • Lock screen status (is the device always protected by PIN/password/pattern or similar or accessible to everyone? Devices without a configured lock screen are rejected for security reasons)
  • Status via biometric protection (is fingerprint/face recognition protection functions activated on the device?)
• Once you authorise one of your logins via Duo Mobile, the IP address of the smartphone is recorded at the time of authorisation
  • The IP address could be used to draw conclusions about your Internet service provider (i.e. mobile phone provider or provider of the Internet connection)

If you have any questions, please do not hesitate to contact us.

See the screenshot at the bottom of the page!

If you activate this option, you do not have to use a second factor for 9 hours when you log on again to a service secured by Cisco Duo. It is sufficient to log in to Shibboleth using a user name and password.

Please note: This only applies to the computer (browser) on which you have authenticated yourself using the second factor.

There are two different types of authentication depending on the intended use:

• “Duo Push": The Duo Mobile app displays a push notification on the mobile device set up, which you use to confirm your identity by clicking on ‘Approve’.
• “Duo Mobile Passcode": Cisco Duo shows you a temporary passcode, which you enter in the app

Eine Verlängerung können Sie bis zu fünf Mal bei den Kolleg:inenn der Universitäts- und Stadtbibliothek vornehmen. Die Möglichkeiten finden Sie auf der Webseite:

Ausleihe verlängern

Wenden Sie sich bitte per E-Mail an die Kolleg:innen der Universitäts- und Statdbibliothek.
Bei Verlust entstehen Kosten in Höhe von bis zu 60€.

Die Rückgabe Ihres Hardwaretokens kann zu den Öffnungszeiten bei den Kolleg:innen der Universitäts- und Statdbibliothek erfolgen.