Duo Authentication for macOS Logon
Duo Authentication for macOS Logon prompts for secondary approval when you log in to your Mac.
Logging Into macOS with Duo
Once installed, Duo authentication is required for new console logons, but not when unlocking the screensaver or you're already logged on and just waking the system from sleep.
After entering your macOS username and password, an authentication request will automatically be pushed to the Duo Mobile app on your phone.
If auto-push is disabled or if you click the Cancel button on the Duo Prompt, you can select a different device from the drop-down at the top (if you've enrolled more than one) or select any available factor to verify your identity to Duo:
- Duo Push: Send a request to your smartphone. You can use Duo Push if you've installed and activated Duo Mobile on your iOS or Android device.
- Phone Call: Perform phone callback authentication.
- Passcode: Log in using a passcode generated with Duo Mobile, received via SMS, generated by your hardware token, or provided by an administrator.
To have a new batch of SMS passcodes sent to you click the Send me new codes button. You can then authenticate with one of the newly-delivered passcodes.
Duo Authentication for macOS does not support remembered devices at this time.
Offline Access for macOS
Offline access for Duo macOS Logon helps you log on to macOS systems securely even when unable to contact Duo’s cloud service. You can activate Duo Mobile for offline access on iOS or Android.
If your organization allows you to use this feature, you'll see the offline activation prompt after successful Duo two-factor authentication when you log in while the system is online and able to contact Duo's service. Check with your organization's Duo administrators or Help Desk to verify availability of Offline Access on your workstation.
Activating Offline Access with Duo Mobile
To activate Duo Mobile for offline access:
- Select Duo Mobile Passcode and click Activate Now to begin setting up offline access (or click Enroll later to set it up another time).
- Scan the activation QR code using the Duo Mobile app installed on your iOS or Android device. Tap Add in the app and then tap Use QR code to begin adding the account by scanning the QR code shown by Duo for macOS.
- Enter a name for the new Mac Offline access account in Duo Mobile and tap Save to continue.
- Tap the new Mac Offline account you just added for your macOS computer in the Duo Mobile account list to generate a six digit passcode.
- Enter the passcode from Duo Mobile (without a space) into the offline activation screen on your computer and then click the Enroll button to finish setting up offline access.
- If enrollment completes successfully click Proceed to finish setting up offline access and finish logging in to the computer.
Authenticating with Offline Access
Once you’ve activated offline access for your account, when your computer isn’t able to contact Duo’s cloud service you’ll automatically be offered the option to login with an offline code after successfully submitting your macOS username and password during system logon.
If you activated Duo Mobile, tap the entry for your Mac Offline account in Duo Mobile to generate a passcode, enter it into the Duo prompt, and click Login.
The offline two-factor authentication prompt shows you how many remaining offline logins you have left, or the last day you’ll be allowed to authenticate using offline access (depending on which option your organization's administrator chose when enabling offline access in Duo).
Once you reach the offline access number of uses or number of days limit, the Duo prompt informs you that you must complete online authentication to Duo before you can log in again with an offline passcode. Offline access refreshes when you perform an online Duo authentication.
A user who does not activate Duo offline access on the macOS system while it's online may not log in while disconnected from the internet. Make sure to complete offline activation as part of the Duo login process the next time the computer has internet access.
Reactivating Offline Access
If you need to add the Mac Offline account to Duo Mobile on a different phone than you originally used for activation, you can do this from the online Duo MFA prompt.
IMPORTANT: Only one phone may be activated for offline access at a time. Activating offline access on another phone invalidates the previously activated phone.
If you restored the Duo Mobile accounts on your phone with Duo Restore, reactivating offline access won't reconnect the offline account that was restored. Instead, a second account for offline access will be created. Avoid confusion by deleting the restored offline access account before performing reactivation from the online Duo for macOS MFA prompt.
- With the macOS computer connected to the internet, log in with your username and password.
- Click the Replace/Reconnect an offline device link on the left side of the Duo prompt to begin. If your Duo for macOS Logon application is configured to automatically send a push request to your phone, you can cancel the authentication in progress and click the link on the left (don't approve the request on your phone).
- Next, you’ll need to complete Duo authentication. Click on an available method and approve the login request.
- Continue the activation process by scanning the QR code with Duo Mobile on the replacement phone and entering the verification code when prompted, just like the first time you activated an offline access device.