Skip to main content

Cornell University

I Can't Log In Using Two-Step Login

Common troubleshooting tips for Two-Step Login problems, including a disabled account, time away from the university, blocked connections to Duo Security, and conflicts with Dragon NaturallySpeaking.

This article applies to: Two-Step Login

On This Page

Your Account Is Disabled

You see the following message when you try to use Two-Step Login:

Red alert box with Your two-factor account has been disabled. Contact an administrator for assistance

What to Do

  1. Contact the IT Service Desk and ask to have your account released.  

    You will not be able to log in using Two-Step Login until you contact the IT Service Desk and arrange for access to your account. To verify your identity, make sure you have one of the following:

  • Your government-issued ID (i.e. driver’s license or passport) or a Cornell photo ID
  • Access to a computer that can support a Zoom session
  • Access to the phone you have listed in the Cornell Directory
  1. Immediately enroll a device in Two-Step Login.
Once your account has been released, you must enroll a device in Two-Step Login otherwise your payroll and tax documents will be vulnerable to hackers.

Cornell requires all employees, including student employees, have a Two-Step Login account.

Two-Step Login protects your sensitive employment information in Workday. The second step of logging in is needed before your tax documents or where your paycheck is deposited can be viewed or changed. Attackers seek out this type of information so they can steal money from you.

This security measure is not fully effective until you have opened an account and enrolled one or more devices.  If you are a Cornell employee who has not yet done this, access to Two-Step Login will be blocked, for your own protection, until you contact the IT Service Desk.

For more information and instructions, read about Two-Step Login.

If you have questions about enrolling devices or using Two-Step Login, contact the IT Service Desk.

You Were Away from the University for Some Period of Time

When you are no longer associated with Cornell, your Two-Step Login account will be deleted. When this happens, you will need to open a fresh account and enroll one or more devices before you can access services that require Two-Step Login.

To Check Your Account

  1. Go to Manage Your Two-Step Login.
  2. Log in with your NetID and password.
  3. If there are any devices listed on the Your Two-Step Login Devices tab, your account is still active. Otherwise, a new account will be initialized and you will be prompted to start enrolling devices.

You Have a New Smartphone

If you get a new smartphone, you will need to take steps to use it with Two-Step Login. To find out what to do, visit Replace Your Smartphone Listed in Two-Step Login.

You Don't Have a Wi-Fi or Data Connection

When you don't have a Wi-Fi or data connection on your mobile device, you can still use a hardware token to generate a passcode. A hardware token is a keyfob-like device where you press a button to generate a one-time passcode for use in the second step of logging in.

This works anywhere, even in places where your device doesn't have an internet connection or cell service. Visit Hardware Tokens for Two-Step Login for details.

Connections to Duo Security are Blocked

Two-Step Login is a cloud-based service. Your computer needs to be able to connect to Duo Security’s servers at *

  • The wired or WiFi network you are working on may be blocking connections to external sites. Try briefly switching to your smartphone's data plan to authenticate.
  • Your web browser might need to explicitly configured to allow access to Duo’s servers.
  • If you are authenticating to an application that runs on a terminal server, the server’s administrator may need to open up access to Duo Security.

You Use Ad Blockers

Some ad blocker apps and extensions interfere with Two-Step Login. While details on settings might vary between mobile OS versions, use the steps below as a guide to troubleshoot whether ad blockers are affecting Duo on your device.


  1. Open the Chrome app.
  2. At the top right, tap More (three-dots icon).
  3. Tap Site settings.
  4. Next to Ads, if the setting reads Blocked on some sites, tap Ads to open the settings.
  5. Tap the slider. The slider will turn blue and the caption should now read Allowed.
  6. Close the settings screen by clicking the back arrows at top left until you see the Duo webpage.
  7. Reload the page or retry your login to generate a new authentication request.


  1. Click More (three dots icon at top right), then click Settings.
  2. Click Privacy and security.
  3. Click Site Settings.
  4. Under Additional content settings, click Ads.
  5. Click All sites can show any ads to you.


Typically, ad blocking on iPhones is controlled by a third-party application like Adblock Plus. To change settings:

  1. On your iPhone, Tap the Settings icon.
  2. Type Safari in the search bar, then tap Safari.
  3. Under General, tap Content Blockers.
  4. In the list of content blocking apps, turn off Adblock Plus by clicking the slider so that it turns gray.

Content Filtering or Restrictions are Turned On

Mobile device or browser content filtering can sometimes interfere with the Duo app's authentication process. If you think this might be the case, try the steps below outlined for your device or browser. Details of device settings may vary between versions of operating systems, but use the below as a general guide while troubleshooting.


  1. On your iPhone, go to Settings, then tap Screen Time.
  2. Tap Content & Privacy Restrictions, then enter your Screen Time passcode, if required.
  3. Tap Content Restrictions.
  4. Tap Web Content.
  5. Choose Unrestricted Access, Limit Adult Websites, or Allowed Websites Only.

Android phones

  1. On your Android phone or tablet, open the Google app .
  2. At the top right, tap your Profile picture or initial and then Settings and then Hide explicit results.
  3. Turn Explicit results filter on or off.
    • To turn off SafeSearch, turn off Explicit results filter.
    • If you find a Lock icon at the top right, your SafeSearch setting is locked by someone who manages your account. The settings page provides info about who manages your SafeSearch setting.


  1. Open Chrome, then go to Settings.
  2. Under Privacy and Security, choose which settings to turn off. To control how Chrome handles content and permissions for a site, click Site Settings.

Turn off Parental Controls


  1. Tap Settings, then tap Screen Time.
  2. Tap Content & Privacy Restrictions.
  3. Toggle the Content & Privacy Restrictions slider to off/white to turn off Parental Controls.


  1. Tap Manage settings.
  2. Tap Controls on Google Play.
  3. This menu will let you edit your parental controls.

If You Use Dragon NaturallySpeaking Speech Recognition Software

The browser plug-in for Nuance's Dragon Naturally Speaking blocks the Two-Step Login authentication prompt. You will need to uninstall or disable the plug-in.

Restart the Duo Mobile App

Occasionally the Duo mobile app will not be able to create a notification. If you open the app manually, you will be able to approve or deny the pending authentication request. If this happens more frequently, try restarting the app.

Support Contact:

Cornell IT Service Desk

Normal Business Hours: Monday-Friday, 8am-6pm (Eastern Time)
Emergency Service Disruptions: After Hours Support


To share feedback about this page or request support, log in with your NetID

At Cornell we value your privacy. To view
our university's privacy practices, including
information use and third parties, visit University Privacy.