InCommon is operated by Internet2


About            Participants            Join InCommon

Multifactor Authentication

Duo Security





Subscriber List

Why Two-Factor? (links to Duo website)

Duo Security Program FAQ

Licensing and Pricing

I'd like to take Duo for a test drive before signing up for a site-wide license. How can I do that?

Anyone can directly sign up for the Duo Security Personal plan, which allows for up to ten users at no cost. This is perfect for limited testing and evaluation purposes.

Do I need to be an InCommon participant to sign up for Duo?

Yes, to sign up for a Duo site license through InCommon, you must be an InCommon participant. You are not required to take advantage of any other InCommon program (Federation, Certificates, or Assurance), but you do need to join InCommon.

My institution is an Internet2 member. Do we qualify for the InCommon Duo program?

Being an Internet2 member gives you a 10% discount on the cost of a Duo site license, but you also need to be an InCommon participant to sign up for Duo. The InCommon Participation Agreement is key to the administration of this program.

Do I have to be a member of Internet2 to participate in the InCommon Duo program?

No, you are not required to be an Internet2 member to sign up for Duo, but Internet2 members receive a discount when they sign up for a Duo site license.

Only part of our campus wants Duo. Can we license just a subset of our campus community?

There is no option for licensing Duo for a particular subset of your campus (such as your School of Law) or for a particular type of user (such as administrative users). The Duo licensing program is a campus-wide site license, so in general, most schools have a choice of two options:

  1. All university faculty and staff (excluding hospital staff)
  2. All university faculty, staff and students (excluding hospital staff)

The fee in each case will vary with the size (based on IPEDS student count) of your school.

The Duo rate card talks about "telephony credits." What are those?

Duo provides a wide range of options when it comes to authenticating a user login. We expect that most Duo users will prefer to use either Duo Mobile or Duo Push, neither of which consume any telephony credits and can be used without limit.

Duo also supports two-factor login via other methods, such as automated voice calls or SMS messages. Duo incurs a small marginal cost when an automated voice call is made (long distance telephone charges) or an SMS message needs to be sent (SMS charges), with the exact amount depending on the source and destination of the call or message. Telephony credits are the way that Duo ensures those marginal costs don't get out of control. Telephony credits are purchased in advance as a non-expiring credit in a pool that covers all user accounts at a site. In the United States, voice calls for login confirmation incur a two (2) credit charge; SMS messages for login confirmation cost one (1) credit in the US. Rate cards for other countries are available.

Telephony credits are purchased directly from Duo after you have enrolled in the program.

Could we align our Duo subscription date with the date of other InCommon billings?

Unfortunately, we cannot arrange that your Duo subscription align with your InCommon annual fee (all InCommon annual fees are due January 1, while the Duo subscription date depends on when you first signed up for Duo).

What is a staff person for licensing?

Staff: Any individual employed by or employees working in the Customer’s postsecondary institution except those employed by or working in the medical school component of the Customer’s institution or Hospital Staff accessing an application used in Subscriber’s medical school or hospital clinical operations. Staff includes individuals employed by or employees working in the postsecondary component of a hospital or medical center that offers postsecondary education as one of its primary missions; also includes those working in first-professional schools (e.g., law schools, dental schools, schools optometry) except medical schools accessing an application used in the Customer’s clinical operations. This definition is derived from Integrated Postsecondary Education Data System (IPEDS) definition of “Institution’s staff,” available at:

What is the Duo Security Platform Edition?

Duo Security introduced a new Platform Edition in 2015. More details on Duo Security Platform Edition can be found on the Duo Security website. It is a separate subscription from the Duo Security Enterprise product and includes all of the functionality of the Duo Security Enterprise Edition.

How do I license my hospital for Duo Security?

Duo Security licensing is based on Hospital Users as specified by universities. Universities need to specify the number of Hospital Users during sign-up. A Hospital User is any user of the Services who the Hospital Customer may authorize to enroll to use the Services in accordance with the terms of this Agreement and the Service Agreement.

What happened to Campus Associates?

Duo Security has included Campus Associates within the new pricing for default in the Faculty, Staff, Students, Associates/Affiliates, and Alumnae pricing. It is not available as an add-on.


What's the difference between Duo Mobile and Duo Push?

Duo Mobile is a mobile application for smartphones that generates a one-time password (i.e., a secret, random-looking number on the user's smartphone), which the user then types into the application that requires authentication. Duo Push is a special feature of the Duo Mobile application that uses mobile push services to authenticate the user right on the smartphone, without the need to type the one-time password into the application.

What platforms does the Duo Mobile app run on? What about Duo Push?

The Duo Mobile app runs on the following platforms:

  • Google Android
  • Apple iPhone
  • RIM BlackBerry
  • Java J2ME
  • Palm WebOS
  • Symbian OS
  • Windows Mobile

Duo Push, which is a special feature of the Duo Mobile app, is available on Google Android, Apple iPhone, and RIM BlackBerry only.

What if a user does not have a smart phone?

A variety of options exist to accommodate users without smart phones:

  • An ordinary mobile phone (not a smart phone), or even a traditional desktop phone, can be used to authenticate with Duo.
  • If the user doesn't have any phone, the institution can elect to purchase a traditional hard cryptographic one-time password token for that user at $20/token, or the school may want to consider an inexpensive prepaid basic cell phone for this purpose.
  • Finally, if the person without a phone is just a regular user (i.e., not a user with special privileges or access to sensitive data), yet another option would be to selectively disable use of Duo for that user.

On the server side, is Duo deployed at the IdP or the SP?

Actually, you can choose how best to deploy Duo in your environment. At the SP, Duo Web supports client libraries for Python, Ruby, Classic ASP, ASP.NET, Java, PHP, Node.js, ColdFusion, and Perl. At the IdP, Duo provides a custom login handler for Shibboleth IdP 2.3.5.

What services can be secured with Duo? Will it work for the web? Our SSL VPN? What about shell access to Unix hosts?

Duo integrates with virtually all popular web applications, SSL VPNs, and Unix applications. See the Duo solutions and documentation pages on their web site for details.


Our campus is committed to open source software, particularly for security-related applications. Can we see the source code for Duo?

Yes, the Duo source code is available on GitHub.


Copyright 2004-2017 InCommon LLC. All rights reserved. InCommon is operated by Internet2.