Authenticating with Duo

Created by Dave Hart, last modified on 2024-01-29


NCAR Duo Authentication is export-controlled. Taking the app on your phone to Cuba, Iran, Syria, North Korea, or Sudan is strictly prohibited.

Page contents


Logging in with Duo two-factor authentication (2FA) requires you to enter a CIT password and then use a Duo-configured device to confirm your identity.

Best practice recommendation: Use a screen lock on your mobile device to increase security.

Four ways of logging in with Duo:

  1. Push notification (preferred)
    The app sends a request (a "push" notification) to your phone or tablet, asking you to approve or deny the login request.

  2. Rolling passcode
    When you can't receive a push notification, enter both your CIT password and a numerical passcode from the Duo app, separated by a comma. Example: password,passcode

  3. Phone callback
    Enter your CIT password and the word "phone," separated by a comma, then follow instructions you receive in a phone call. Example: password,phone

  4. Duo/YubiKey 4
    Some NCAR/UCAR staff use Duo authentication with a YubiKey 4 token. After inserting the token in your USB port, enter your CIT password and a comma, then lightly touch the gold button on your token. Example: password,[touch button]

The examples below use the push notification method of authentication. See How to Use Append Mode for more information on other methods.

Other YubiKey users

Individuals who use YubiKey tokens can contact the NCAR Research Computing help desk to ask to be enrolled to use Duo 2FA instead.

When a Duo account is activated for someone who has a YubiKey token, the token is disabled immediately and must be returned.

Getting started with Duo

To get started, contact the NCAR Research Computing help desk to request enrollment (and to get a CIT password if you don't already have one).

CISL will send you a link for setting up a Duo account.

During setup, Duo asks some questions about the device you want to use. Smartphone and tablet users are asked to download this free Duo Mobile app.

Green Duo logo linked to the apps download page

When your setup is complete, follow the instructions below to log in to the system, such as Cheyenne, the NCAR virtual private network, or others that accept Duo 2FA.

Logging in with Duo

HPC and SSH logins

To log into a system like Derecho:

  • Enter your ssh command.
  • Enter your CIT password where a token response is requested.

[2024-01-26 14:28.23] [bjsmith.cisl-deerwood] > ssh -X


The Duo App will send a "push" notification to your phone or tablet, asking you to approve or deny the login request.

When you approve the request, you will be logged in.

Other application logins

Duo authentication with other systems is somewhat different. Logging on to the NCAR virtual private network (VPN) is one example.

You will:

  • Enter your username.
  • Enter your CIT password.
  • You may get an automatic Duo Push, or select Send Me a Push from the Duo screen.

The Duo App will send a push notification to your phone or tablet, asking you to approve or deny the login request.

When you approve the request, you will be logged in.

Duo selection window

Duo Device Portal

The Duo Device Portal is where you can change device settings, add new devices (a new smartphone, tablet or landline), or update your preferred contact methods.

You can also choose to have Duo send you a push automatically after you enter your CIT password. Look for "When I log in" after you sign in to the portal.

Changing smartphone

When you replace your smartphone and need to use it to authenticate, use one of the following methods to get your new phone up and running with Duo Mobile:

Recommended: Duo Instant Restore, a feature for recovering Duo-protected accounts.


  • Go to the Duo Device Portal.
  • Choose Call Me. Even if your phone number hasn't changed, Duo needs to call your new phone to complete the setup process.

For additional information, see the following links or contact the NCAR Research Computing help desk for assistance: