Users reliant on SMS or phone 2FA lose self-enrollment once those options are disabled; an admin must then enroll them manually by using a bypass code or an admin‑initiated activation link.
What changes once SMS & phone calls are disabled?
When SMS and phone call authentication are turned off, users who used these methods:
Admins must provide a temporary access method (bypass code or admin‑initiated activation link) so the user can enroll Duo Mobile or Hardware Security Key.
How to enroll users in Duo Mobile after SMS and phone calls are Disabled
Option 1 — Use a Duo Bypass Code (Recommended)
This is the most reliable method for users who cannot authenticate via SMS or Phone.
Admin Steps:
-
Locate User: Log into the Duo Admin Panel, go to Users, and select the specific user.
-
Generate Code: Scroll to the "Bypass Codes" section and click Generate Bypass Code.
-
Secure Delivery: Send the code to the user securely (e.g., via Password Pusher).
User Steps:
-
Install App: Download Duo Mobile from the App Store or Google Play.
-
Login: Access your Duo-protected application. When prompted for 2FA, select Enter a Passcode.
-
Authenticate: Enter the bypass code provided by the Admin.
-
Register Device: Once logged in, go to My Settings & Devices > Add a device and choose Mobile phone.
-
Sync: Scan the QR code displayed on the screen with your Duo Mobile app camera to complete enrollment.
-
Option 2 — Resend a Duo Mobile Activation Link
Use this method if the user already has a smartphone listed in the Duo Admin Panel, but the app is not activated, or the "Duo Push" option isn't working.
Admin Steps:
-
Search User: In the Duo Admin Panel, go to Users and select the affected user.
-
Verify Device: Scroll to the Phones table.
-
Send Link: Under the device settings, click Send Duo Mobile Activation Link.
-
Choose Method: Select Send Link via SMS (this will work even if 2FA-via-SMS is disabled, as it is a setup link, not a login code).
User Steps:
-
Open Message: Open the SMS text message from Duo on your phone.
-
Activate: Tap the link within the message. It will automatically open the Duo Mobile app and link your account.
-
Confirm: Once the app shows your organization’s account, you are ready to receive Pushes for future logins.
Option 3 — Admin Manually Adds the User’s Smartphone
Use this method if the user is entirely new to Duo or has never had a phone number associated with their account.
Admin Steps:
-
Access User Profile: In the Duo Admin Panel, go to Users and select or search for the user.
-
Add Device: Click the Add Phone button.
-
Enter Details: * Input the user's mobile phone number.
-
Finalize: You must now complete the process by using either Option 1 (providing a bypass code) or Option 2 (sending an activation link) so the user can link their app to this new record.
User Steps:
-
Coordinate: Stay in contact with your Admin to receive either your one-time bypass code or your SMS activation link.
-
Follow Setup: Refer to the "User Steps" in Option 1 or Option 2 above to finish linking your device to the Duo Mobile app.
Enroll Hardware Security Key After SMS and Phone Calls are Disabled
Users reliant on SMS or phone 2FA lose self-enrollment once those options are disabled; an admin must then enroll them manually by using a bypass code or an admin‑initiated activation link.
What changes once SMS & phone calls are disabled?
When SMS and phone call authentication are turned off, users who used these methods:
Admins must provide a temporary access method (bypass code or admin‑initiated activation link) so the user can enroll Duo Mobile or Hardware Security Key.
The two valid admin‑provided methods are:
-
Bypass code (most reliable)
-
Admin‑initiated WebAuthn enrollment link
Option 1 — Enroll Hardware Security Key using a Duo Bypass Code (Recommended)
Use this method if the user needs to register a physical security key (like a YubiKey) and cannot use SMS or Phone calls to authenticate.
Admin Steps:
-
Locate User: In the Duo Admin Panel, navigate to Users and select or search for the user.
-
Generate Code: Click the Generate Bypass Code button.
-
Secure Delivery: Provide the code to the user securely. You may use Password Pusher to ensure the code expires after it is read.
User Steps:
-
Start Login: Log into any Duo-protected application.
-
Enter Bypass: When the Duo prompt appears, select Other options (or Enter a Passcode) and type in the bypass code provided by your admin.
-
Access Settings: Once logged in, click on Settings or Add a new device within the Duo prompt.
-
Select Key: Choose Security Key (YubiKey, etc.) from the list of device types.
-
Register Key: * Insert your Security Key into your computer’s USB port.
-
Complete: The Duo prompt will confirm that the registration is successful. You can now use this key for future logins.
Option 2 — Admin‑initiated enrollment link
Admin Steps:
-
Select User: In the Duo Admin Panel, go to Users and select the specific user.
-
Initiate Link: Scroll to the Security Keys section and click Add or Send enrollment link.
-
Delivery: Duo will automatically email a unique, time-sensitive enrollment link to the user’s email address on file.
User Steps:
-
Open Email: Access your email and click the enrollment link sent by Duo. This will open the Duo setup portal in your web browser.
-
Prepare Hardware: When prompted, insert your Security Key (YubiKey) into the USB port.
-
Register: Follow the on-screen prompts and tap the gold sensor/button on the key when the browser asks for permission.
-
Confirm: Once the screen says "Enrollment Successful," your hardware key is linked and ready for use.
Note: This method is highly efficient because it bypasses the need for the user to authenticate with a code or phone call during the setup process.
Additional Resources
For more support and self-help articles and resources, visit our ITS Ticketing Service Catalog at help.maricopa.edu or you can call the District Information Technology Service support line directly at 480-731-8632