Transition to Microsoft MFA: Hardware tokens and VPN access

Starting May 29, 2026, Purdue will migrate from Duo to Microsoft Multi-Factor Authentication (MFA) for accessing Purdue Single-Sign-On (SSO) and Purdue VPN services.

Hardware Tokens

Duo authentication tokens are not compatible with Microsoft MFA and cannot be reused. Once Duo is retired on May 29, these hardware MFA tokens will no longer be tied to Purdue accounts. The recommended solution for approving MFA requests is the Microsoft Authenticator app.

Those currently using Duo authentication tokens will need to:

• Enroll in Microsoft MFA using the Microsoft Authenticator app.
• Configure at least one additional authentication method in case your primary method is unavailable for any reason.
• Safely recycle the old Duo tokens at their local e-waste recycling center.

For users who do not have a device that supports the Microsoft Authenticator app, hardware tokens are available for purchase, either individually or through the employee’s Business Office with department approval. Instructions for purchasing and enrolling a compatible token are available here.

VPN Authentication

After May 29, the system will use the individual’s default method from their Microsoft account settings as your method for authenticating with the VPN.

Those using Duo to authenticate with the Purdue VPN will need to:

• Enroll in Microsoft MFA using the Microsoft Authenticator app (if you have not already).
• Set your default sign-in method in Microsoft MFA to your preferred method.

For more information about these changes, please visit this KB article: VPN Access Changes: Microsoft Authenticator Transition 

If you need further assistance or have questions, contact the service desk at it@purdue.edu.