Troubleshooting Duo Issues

Common Issues

Duo

  • Operating Systems

    Available in: Duo Access and Duo Beyond

    The operating systems policy settings allow you to control which operating systems and versions are allowed to access your applications when protected by Duo's browser-based authentication prompt, while also encouraging users running older operating systems to update to the latest version.

    The default settings allow access, authentication, and enrollment from browsers on all Duo supported operating systems, mobile platforms, and versions with no warnings. You may block all versions of any of the OS platforms listed in the policy editor: Mac OS X (macOS), Windows, iOS, Android, Linux, Chrome OS, BlackBerry, and Windows Phone. Duo offers more granular blocking options for the Mac OS X, Windows, iOS, and Android operating systems, like blocking access below a certain version and warning the user that they need to update to an approved version instead of blocking access outright.

    Scroll down in the policy editor to see all OS options.

    Enable the "Warn users if their version is below ..." option to show a warning notification during authentication or enrollment from an out-of-date operating system. The user may disregard the warning and continue with authentication. For example, you may choose to warn users with Windows versions "below 8.1". A user accessing your application from a Windows 8 PC sees a warning at the bottom of the Duo prompt. Clicking "Let's update it" provides the user with information on how to update the operating system. Users can proceed past the warning by clicking "Skip".

    Enabling any operating system restriction blocks users from completing authentication or new user enrollment from that disallowed OS (or OS version). To continue the previous example, choosing to block (instead of warn) users with Windows versions "below 8.1" prevents authentication or enrollment for any user trying to access your application from a Windows 8 computer. Users can't proceed past the out-of-date software notification.

    If you select "Block all versions" for "Windows" in the policy editor, then users accessing your application from any version of Windows are blocked.

    The Android and iOS mobile platforms can also be restricted to a minimum allowed version or blocked entirely. Blocking any version of a mobile OS platform, e.g. iOS or Android, not only restricts access to resources from browsers on those OS platforms or versions, but also prevents use of Duo Mobile to approve Duo Push requests or generate usable passcodes on devices running the restricted OS. If you were to block iOS versions "below 9.0" then any users with Apple devices running iOS 8.0 or lower can no longer use Duo Push or app-generated passcodes. If a user has additional activated devices running a different mobile platform, the functionality of those other devices is not affected.

    When a mobile device operating system or version is restricted, users see a message in the browser-based Duo Prompt.

    Duo Mobile also notifies the user that the mobile platform or version is not allowed when attempting to approve the Duo Push request.

    Passcodes from a hardware token or received via SMS are allowed, as are phone call authentications, but entering a passcode generated by Duo Mobile on any device running the restricted platform results in an error stating that platform is not permitted.

    As an example scenario, if you select "Block all versions" for the "Windows Phone" platform then your iOS, Android, and BlackBerry users continue to receive and approve Duo Push requests, and can also authenticate with SMS passcodes, application passcodes, hardware tokens, or over the phone. Your Windows Phone users can only use SMS passcodes to authenticate, approve a login via phone call, or use a hardware token passcode. If you wanted to completely prevent any use of Windows Phone to approve authentications, you'd also need to disable the "Phone callback" and "SMS passcodes" options in the Authentication Methods policy setting. Keep in mind that disabling phone and SMS authentication affects authentication for all users, no matter what mobile OS they use.
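
The warn, block, and mobile-factor behaviour described above can be modelled as a small decision function. This is an added example, not Duo's code or API: `OsRule`, `os_decision`, `factor_allowed`, the factor names, and the sample policy are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Factors tied to the OS of the phone running Duo Mobile.
DUO_MOBILE_FACTORS = {"push", "duo_mobile_passcode"}
# Factors the text says keep working on a restricted mobile platform.
OS_INDEPENDENT_FACTORS = {"sms_passcode", "phone_call", "hardware_token"}


@dataclass
class OsRule:
    """Hypothetical stand-in for one platform's row in the policy editor."""
    block_all: bool = False
    block_below: Optional[Version] = None
    warn_below: Optional[Version] = None


def below(version: Version, minimum: Version) -> bool:
    """Compare versions after zero-padding, so 8 == 8.0 and 8.1 == 8.1.0."""
    width = max(len(version), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(minimum)


def os_decision(policy: Dict[str, OsRule], os_name: str, os_version: str) -> str:
    """Return "block", "warn" or "allow" for a browser on this OS."""
    rule = policy.get(os_name, OsRule())  # default policy: allow, no warning
    version = tuple(int(p) for p in os_version.split("."))
    if rule.block_all or (rule.block_below and below(version, rule.block_below)):
        return "block"
    if rule.warn_below and below(version, rule.warn_below):
        return "warn"
    return "allow"


def factor_allowed(policy, factor: str, phone_os: str, phone_version: str) -> bool:
    """Is this second factor usable from a phone on the given OS?"""
    if factor in OS_INDEPENDENT_FACTORS:
        return True
    if factor in DUO_MOBILE_FACTORS:
        return os_decision(policy, phone_os, phone_version) != "block"
    raise ValueError(f"unknown factor: {factor}")


# Constructed sample policy mirroring the examples in the text.
POLICY = {
    "Windows": OsRule(warn_below=(8, 1)),
    "iOS": OsRule(block_below=(9, 0)),
    "Windows Phone": OsRule(block_all=True),
}
```

Running the Windows Phone case through `factor_allowed` shows why a platform block alone leaves SMS, phone call, and hardware token factors available, which is the gap the Authentication Methods setting closes.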

  • I need to reactivate Duo Mobile.
    If you get a new phone you'll need to re-activate Duo Mobile. You may enroll your new device yourself using Duo's device management portal if self-service is enabled. Otherwise, ask your administrator to send you a new activation link.

    Choose your platform on the left for specific activation instructions.
  • I have stopped receiving push notifications on Duo Mobile.
    You may have trouble receiving push requests if there are network issues between your phone and our service. Many phones have trouble determining whether to use the WiFi or cellular data channel when checking for push requests, and simply turning the phone to airplane mode and back to normal operating mode again often resolves these sorts of issues, if there is a reliable internet connection available. Similarly, the issue may be resolved by turning off the WiFi connection on your device and using the cellular data connection.

    Check the time and date on your phone and make sure they are correct. If the date and time on your phone are manually set, try changing your device's configuration to sync date and time automatically with the network.

    If neither of these suggestions works, then the simplest resolution is to contact your administrator to request re-activation of Duo Mobile. If your administrator has enabled Duo's device management portal, you can log in with a passcode generated by the Duo Mobile app and send a new activation link to your phone. See the Manage Devices guide for instructions.
  • I lost my phone
    Contact your administrator immediately if you lose your phone or suspect that it's been stolen. He or she will disable it for authentication and help you log in using another phone or hardware token.

    While it's important that you contact your administrator if you lose your phone, remember that your password will still protect your account.
  • My hardware token stopped working
    Contact your administrator if your token stops working or if you can't log in with the passcodes it generates.

    Your token can get "out of sync" if the button is pressed too many times in a row and the generated passcodes aren't used for login. In some cases this can happen by accident if the token is stored next to other objects in a pocket, backpack, etc. Your administrator will ask you to generate three passcodes in a row and can attempt to resynchronize the token.