Duo Hardware Token Distribution Guidelines

Purpose

To establish eligibility considerations and request requirements for university-provided hardware tokens for Duo two-factor authentication (2FA).

Eligibility Criteria and Considerations

Active faculty and staff, enrolled students, and retirees with active accounts may be eligible for a hardware token only when one or more of the following conditions are met:

1. Lack of a Compatible Mobile Device

The user does not possess a mobile device that supports the Duo Mobile application.

Examples: flip phones, SMS-only phones, or no phone at all.

Request Process:  

  • Contact or submit a case to the WMU IT Help Desk requesting a hardware token, including a rationale and, if available, any supporting documentation for consideration.
    • All submissions will be reviewed by the Help Desk and, if necessary, by members of the Security Team.
    • Approved requests will receive instructions and documentation for use and return.
    • Denied requests will be provided with alternative options and configuration support. 
       

2. Device Restrictions or Limitations

  • The user is in possession of a device compatible with the Duo Mobile application but does not have the rights required to install.
  • Operating system limitations AND the inability to update the operating system prevent the installation of the Duo Mobile application.
  • Computer logins performed in restricted areas where mobile phones or tablets are not permitted.  

Request Process:  

  • Contact or submit a case to the WMU IT Help Desk requesting a hardware token, including a rationale and, if available, any supporting documentation for consideration.
    • All submissions will be reviewed by the Help Desk and, if necessary, by members of the Security Team.
    • Approved requests will receive instructions and documentation for use and return.
    • Denied requests will be provided with alternative options and configuration support. 

3. Approved Accessibility Accommodation

A user may be eligible for an alternative authentication method if they do not possess a mobile device compatible with the Duo Mobile application and have an approved need or are actively seeking accommodation.

Request Process:

  • Students:
    Students who require an accommodation related to Duo Mobile use should contact the Disability Services for Students (DSS) office to initiate the request and follow the established guidance. https://wmich.edu/disabilityservices 
  • Faculty and Staff:
    Faculty and staff seeking an accommodation should contact the Office of Institutional Equity (OIE) to express their need and follow the appropriate procedures. https://wmich.edu/equity  

Upon receiving accommodation approval from the DSS or OIE, contact or submit a case to the WMU IT Help Desk requesting a hardware token, including any supporting documentation.

Non-Eligible Requests

Requests that do not qualify based on the eligibility consideration criteria above will not be approved.  

Individuals seeking to appeal a decision may initiate the process through their direct supervisor. The supervisor is responsible for contacting the WMU Security and Privacy Officer or Chief Information Officer to review and discuss the circumstances surrounding the appeal.

Distribution

In-Person Pickup:

Users who reside within a 50-mile radius of WMU’s main campus in Kalamazoo, Michigan are required to pick up their authentication token in person at the Technology Help Desk, located in the University Computing Center.  

In-person pickup is typically available as a same-day service, depending on Help Desk hours and availability.

Mailing Option:

Token mailing is available only when in-person pickup is not feasible due to distance or other approved circumstances.  Mailed tokens are generally shipped within five business days of the request being approved.

Ownership and Return

Hardware tokens are the property of Western Michigan University and must be returned to the Office of Information Technology when:

  • The individual has transitioned to the Duo Mobile application and no longer requires the token, or
  • The individual no longer has an active relationship with the university (graduation, resignation, termination, etc.).