Body
What is Multi-Factor Authentication (MFA)?
MFA adds a quick, second check beyond your password to confirm it’s really you. Even if someone learns your password, they can’t access your account without that second factor (such as an approval prompt or passcode).
Why is MFA important?
Cyberattacks like phishing and account takeovers are frequent and sophisticated. A single compromised account can be used to send malicious messages, access sensitive data, or disrupt services. MFA blocks most of these attempts by requiring something attackers don’t have: your second factor. Higher education institutions are not immune to these attacks.
What is Duo, and why is Dartmouth College requiring it?
Duo is Dartmouth’s MFA service provider. Duo Security is part of Cisco Systems, a widely trusted cybersecurity company. Duo helps verify that sign-in attempts are legitimate before granting access. There are several ways to enroll in Duo to participate in multifactor authentication, including the preferred Duo mobile app.
The mobile app provides a quick, simple approval step on your phone, making it fast to confirm legitimate sign-ins while blocking unauthorized attempts. It pairs your login with your registered device and your explicit approval, which adds strong protection with minimal friction. Onetime passcodes in the app work even without cellular or WiFi connectivity (industry best practice) and you can use either push approvals or app-generated passcodes, depending on what’s most convenient for you.
Do I really need Duo if I only use my alumni account occasionally?
Yes. In fact, infrequently used accounts are among the most commonly compromised — precisely because unusual activity is less likely to be noticed quickly. Duo protects your account whether you log in daily or once a year.
What devices and methods does Duo support?
Duo supports several verification methods, including a push notification via the Duo Mobile app (available on iOS and Android), a one-time passcode generated in the app, an SMS text message, or a phone call.
What if I get a Duo push notification that I didn't request?
Deny it immediately and do not approve it. An unexpected push means someone else may be attempting to access your account using your credentials. After denying, change your password right away and contact the Alumni Help Desk at 603-646-3202 or toll free 855-215-9024.
I enrolled in multi-factor authentication previously and haven’t needed it. What is changing?
On an exception basis, some alumni-facing systems were excluded from the overall standard of multi-factor authentication for Dartmouth logins. These systems now require multi-factor authentication for a consistent experience and protection against infiltration.
I'm traveling internationally. Will Duo still work?
Yes, in most cases. The Duo Mobile app generates passcodes offline, so it works even without cellular or Wi-Fi service. If you rely on SMS or phone calls, international delivery may be unreliable — we recommend switching to the app-based method before you travel. In order to comply with U.S. regulations, DUO blocks authentications from users who address originates in a country or region subject to economic and trade sanctions enforced by the U.S. Office of Foreign Assets Control.
OFAC restrictions relevant to Duo currently apply to the following countries or regions:
- Cuba (CU)
- North Korea (KP)
- Iran (IR)
- Sudan (SD)
- Syria (SY)
- Crimea region (43)
- Donetsk region (14)
- Luhansk region (09)
- Sevastopol region (40)
Blocked authentications will appear in the Authentication Log as “Restricted OFAC location.”
What happens if I lose my phone or get a new one?
Set up at least two MFA methods and keep a backup factor in a safe place. If you lose access to all factors, contact the Alumni Help Desk to re-verify your identity and restore access.
Can I use Duo on multiple devices?
Yes. Duo allows you to register more than one device to your account. Adding a backup device — like a tablet or landline — is strongly encouraged and takes only a few minutes through your account settings.
Is Duo collecting or storing personal data from my phone?
Duo stores only what’s needed to provide authentication—such as your NetID, the type of device you registered (e.g., iPhone or Android), and limited technical details like IP address or browser version. Duo does not monitor your device activity, access personal files, or track your browsing, and it does not share or sell user data. Dartmouth has reviewed and approved Duo under its privacy and security standard.
What if I don't have a smartphone?
You have options. You can receive verification via a standard phone call to a landline or cell phone, or request a physical hardware token from the Alumni Help Desk that generates one-time passcodes without needing a smartphone or internet connection.
How long does Duo remember my device? Do I have to approve every single login?
Depending on your account settings, Duo may offer a "Remember me for X days" option on trusted devices, meaning you won't be prompted on every login from the same browser and device. However, logging in from a new browser, device, or location will always trigger a Duo prompt.
What is a "MFA fatigue" attack and how do I protect myself?
MFA fatigue is when an attacker repeatedly sends you Duo push requests hoping you'll approve one out of frustration or habit. If you receive repeated push requests you didn't initiate, do not approve any of them. Deny all requests, change your password immediately, and report it to the Alumni Help Desk at 603-646-3202 or toll free 855-215-9024. Enabling number matching (above) also helps prevent this.
Who do I contact if I'm having trouble with Duo?
Reach out to the Alumni Help Desk, Support is available to help you set up, troubleshoot, or recover access to your account at any time.
Do strong passwords still matter if I use MFA?
Yes. MFA is a critical second layer, but unique, strong passwords (or a password manager) remain essential. Together, they significantly reduce the risk of account compromise.
Bottom line—why should I use MFA?
MFA provides a high-impact, low-effort safeguard against the most common and damaging account takeover threats. It protects both your personal data and institutional systems and reputation.