BNL Home

Duo Federal is now the Lab's two-factor authentication solution - Everyone who uses Duo must re-enroll at in order to retain their access. Those who have been using a YubiKey for two-factor authentication must to get a new one. Just arrange to pick it up at ITD customer support at no charge (1-631-344-5522,

DUO Two-factor Authentication

Brookhaven National Laboratory is using DUO Security to provide two-step verification. Two-step verification will soon be required to access many protected resources and applications, and to connect to the local network using BNL's Virtual Private Network (VPN) service.

Get started with DUO

Do you have a BNL domain account?

Yes No

Do you have the Duo App installed?

Yes No

Select a device:

Note: Installing and using the mobile device app is the preferred method.

Mobile Device USB Token

Select an operating system (OS) to find and install the latest version of the Duo Mobile App. Then come back and complete STEP 2.

Go to BNL Duo Federal Enrollment from your computer once you have installed the Duo Mobile app on your device.

View the Duo Frequently Asked Questions for more information.

Since a project and activity number is required to cover the $38.40 cost of each YubiKey4 token, using the mobile app is the preferred method. Please submit a Service Now request if you still would like a token.

YubiKey Token User Guide - Find information on how to remove, reset and use the token with Windows or Mac OS X systems.

Please note, you must have a BNL domain account to enroll and use Duo security.

Overview, How it Works

Two-factor authentication (also known as 2FA) is an extra layer of security that requires not only a password and username but also verifies your identity using a second factor (mobile device, tablet or USB token) that you physically have in your possession. Using two-factor authentication prevents anyone but you from logging in, even if they know your BNL username and password.

step one

Step 1

Login with your BNL username and password

step two

Step 2

Verify your identity by using a mobile device or USB token

step three

Step 3

You are securely logged in

Note: Duo lets you link multiple devices to your account.

Using Duo at Brookhaven Lab

Duo two-factor authentication can be used with the following BNL services:

  1. Brookhaven Lab Virtual Private Network Client (VPN)
    Download Client | Login Instructions
    Using DUO to log into VPN
    Example BNL Domain Credentials: Username: jdoe | Password: 123456 | Passcode: 987654

    Select the Duo Two-factor authentication you set up in your profile.
    Push (smartphone)
    Passcode (Duo App)
    Passcode (YubiKey4 token)
    When prompted, enter your username "jdoe" and password "123456" then click [OK]. The login panel will disappear and you will get a push notification sent to your smartphone. Select [Approve] to authenticate.

    Note: Push is the default and recommended authentication method. However, you may have to use the passcode authentication method if you do not have cell service.
    When prompted, enter your username "jdoe" then open your Duo App on your smartphone. Tap the key icon to get a one-time passcode for login.

    Enter your password plus a comma and passcode from your Duo App "123456,987654" then click [OK] to authenticate. The login panel will disappear.
    When prompted, enter your username "jdoe" and password plus a comma "123456," then insert your token into an open USB port and press (1 second) the token button to authenticate (passcode will be inserted automatically after the comma). The login panel will disappear.

    Note: You may have to wait for your token to install any hardware (if new) before you can authenticate.

    YubiKey Token User Guide - Find information on how to remove, reset and use the token.
  2. SSH Gateways

Using VPN with Cisco AnyConnect

Some of the Lab's online resources, such as PeopleSoft and SBMS, require an additional layer of security. That means logging in with a Virtual Private Network (VPN). The Lab uses the application Cisco AnyConnect for this purpose. Note: to access the AnyConnect download page, you must have DUO Two-factor Authentication already installed and configured.