Purdue BoilerKey: FAQ
General Purdue BoilerKey Questions
What is a BoilerKey?
The Purdue BoilerKey is a form of two-factor authentication, a system that requires two forms of verification of identity before a person can access protected computer resources.
At Purdue, these two forms of verification are something you know (career account username and either a password or PIN) and something you have (a physical token or the Duo Mobile application on your smartphone). These two items are used in place of your password alone to gain access to computer applications and systems.
The BoilerKey comes in two forms. One is the Duo Mobile application for your smartphone that either displays a push notification used when you enter your PIN or a randomized six-digit code. The other is a small electronic device, known as a hard token, which displays a series of six digits when activated.
Why are we using the BoilerKey?
The primary reason for using the BoilerKey is that it is more secure. It uses two-factor authentication to increase the level of security. Two-factor authentication uses something you know (career account username and either a password or PIN) and something you have (a physical token or the Duo Mobile application on your smartphone).
As the number of systems using the BoilerKey for access increases, your value in using the BoilerKey also increases.
What is Two-Factor Authentication?
Two-factor authentication is the use of two separate requirements that must be used together to gain access to an application or portal. In our solution, it is something you know (career account username and either a password or PIN) and something you have (a physical token or the Duo Mobile application on your smartphone).
For example, if you use your bank card to obtain cash from the ATM, the card is something you have and your ATM PIN is something you know. Combined, these two factors reduce the likelihood that an unauthorized person could obtain access to your account.
Getting Started With a Purdue BoilerKey
BoilerKey Setup Video
How do I request a Purdue BoilerKey?
The Purdue BoilerKey comes in two forms, one of which is a small electronic device (known as a hard token) that displays a series of six digits when activated and the other is an application for your smartphone (known as a soft token) that displays the six digit code.
You can request and configure BoilerKeys here.
How do I setup my new Purdue BoilerKey?
You can request and configure BoilerKeys here.
What is a BoilerKey passcode?
A BoilerKey passcode is a 6-digit number that is generated by pressing the button on your BoilerKey token. If you have set up a Duo Mobile BoilerKey with the Duo Mobile app on your smartphone, you can also generate a BoilerKey passcode with the Duo Mobile app:
What if I don't want to use my Career Account Password in the Passcode?
The option to use a four (4) digit personal identification number (PIN) instead of your Purdue Career Account Password as your BoilerKey password is available. You can set and change your BoilerKey PIN here.
General Use of Purdue BoilerKey Questions
What if I can't login using the BoilerKey?
Use your career account username and your BoilerKey password when logging in. Your BoilerKey password consists of either a BoilerKey PIN or your career account password, a comma, and then either the word push or a 6-digit BoilerKey token code (or Duo Mobile passcode).
If you are unsuccessful and using a BoilerKey token, go here and choose "Manage my BoilerKey Tokens". There's an option to fix your token, that will require you to enter three codes from your token to "resynchronize" it.
Can I log in to the OnePurdue portal with my regular password?
No. Once you have been set up to use the BoilerKey, you must use your BoilerKey password. If your BoilerKey token or smartphone with your Duo Mobile BoilerKey is temporarily unavailable and you need access, please contact your Distributed IT Support Group or the ITaP Customer Service Center. They can issue you a 9-digit Duo Bypass code, which can be used in your BoilerKey password instead of the word push, or a BoilerKey token code. So your BoilerKey password would look like BoilerKey PIN,123456789.
How does the current password policy affect me now that I have a BoilerKey?
You are still required to follow the every 180 day (or 90 day if you have additional privileges) password change policy for your Purdue Career Account.
What should I do if I lose my BoilerKey token?
If the BoilerKey token is lost or stolen, you should immediately report the BoilerKey as lost. Please contact your Distributed IT Support Group or the ITaP Customer Service Center.
What should I do if I have a problem with my smartphone that has my Duo Mobile BoilerKey?
If you have a problem with your smartphone containing your Duo Mobile BoilerKey, your Distributed IT Support Group or the ITaP Customer Service Center can issue you a 9-digit Duo Bypass code, which can be used in your BoilerKey password instead of the word push. So your BoilerKey password would look like BoilerKey PIN,123456789. Your smartphone will not be needed to use the Duo Bypass code. A Duo Bypass code can only be used once, and will expire one day from when it is issued.
Duo Mobile Smartphone App Specific Questions
- How do I install the Duo Mobile BoilerKey application on my smartphone?
What are the steps required to set up a Duo Mobile BoilerKey?
Duo Mobile BoilerKeys are created and configured with the BoilerKey web application.
The steps involved in creating a Duo Mobile BoilerKey are shown in the following video.
What if my device can not connect to the internet (bad cell phone signal, traveling internationally, etc)?
If your phone is not connected to the internet, ask your Duo Mobile app for a randomized 6-digit passcode to use in your BoilerKey password in place of the word push. Instead of "pin,push" as a BoilerKey password, you'll use "pin,6-digit-passcode".
- How can I learn more about the Duo Mobile smartphone app?
What if my Duo Mobile smartphone app says "Account Not Found" during BoilerKey authentication?
If you are trying to authenticate with your Duo Mobile BoilerKey, and the Duo Mobile app on your smartphone says "Account Not Found - A request was received for an account that is no longer paired to this device. To re-enable it, please contact your administrator.", then the Duo Server and your Duo Mobile smartphone app do not have the same BoilerKeys on file.
To fix this, remove any Duo Mobile BoilerKeys from your smartphone and from the BoilerKey web application, and then set up a new Duo Mobile BoilerKey in the BoilerKey web application.
To remove a Duo Mobile BoilerKey from your smartphone, press and hold where it says "Purdue University", and there should be a menu that pops up with a remove option.
What if my device is connected to the internet, but the Duo Mobile app is still not receiving PUSH notifications?
We've found that the best way to get the PUSH functionality working again is to request a new Duo Mobile BoilerKey, set that up, and then remove the old Duo Mobile BoilerKey (from the system and the app). Here's the least painful way to do this.
- Rename your current BoilerKey token in the Duo app. Long press on the name of the token (probably "Purdue University"), choose rename, and rename it to something like "old BoilerKey".
- Request a new Duo Mobile BoilerKey. You can request a new Duo Mobile BoilerKey via the "Set up a new Duo Mobile BoilerKey" function of the BoilerKey page. Remember the name you give the BoilerKey so you can tell which one is the new one and which one is the old one.
- Remove the old BoilerKey from the BoilerKey system. You can remove your old Duo Mobile BoilerKey via the "Manage my Duo Mobile BoilerKeys" function on the BoilerKey page. Be sure to choose the old BoilerKey name and not the one you just setup!
- Remove the old BoilerKey from the app. Long press on the title of the old BoilerKey (which you changed in step 1) and select "Remove".
Physical or Hard Token Specific Questions
How do I use a BoilerKey Token to Generate a BoilerKey Code?
The BoilerKey token is designed to provide a six-digit code in the display panel of the device that may be used, as part of your BoilerKey password, to login to a computer application or portal. The BoilerKey generates and displays a seemingly random series of six numbers called the BoilerKey token code.
To have your Purdue BoilerKey generate a new code, hold your token with the notched end for the key ring to the right and then press the button directly to the right of the display screen. The BoilerKey will display the new code for 25 seconds. If you need a new code, you can press the button and a new code will be displayed.
What happens if the number disappears while I am entering it into the application?
If you were able to put in the entire sequence before it disappeared, go ahead and submit it. The system is able to use BoilerKey codes that are used within a limited time period.
If you need to generate a new code, press the button next to the display and a new code will be generated.
What happens if the display includes letters along with numbers?
There are two possibilities where letters could be displayed:
Verify that you are holding the BoilerKey correctly. The token should be read while it's
held with the button on the right side of the display. Some numbers appear to be letters if the BoilerKey
- If you are still seeing letters on the display, your token might be in diagnostic mode (If the button is held down for an extended period, the token will enter this mode). You will need to cycle the display back into token mode. To do this, you'll need to press and release the button until the display goes blank (this might take up to 15 times). The BoilerKey is now in token mode once again.
- Verify that you are holding the BoilerKey correctly. The token should be read while it's held with the button on the right side of the display. Some numbers appear to be letters if the BoilerKey is upside-down.
Can a thief use a stolen BoilerKey?
No. There are two reasons why it would be unusable to a would-be hacker. First, they do not have access to your Purdue Career Account password or BoilerKey PIN, and probably wouldn't know your career account username. Both of those would also be required to login. Second, by just notifying us that it has been lost or stolen, we can quickly disable the BoilerKey, preventing it from being used to gain access to any resources.
Can a BoilerKey be opened or tampered with?
It could of course be opened if the would-be hacker has the time and tools to do it. Opening the BoilerKey would most likely disable it, however. It would require an extensive effort to gain any information of value and by then you would have notified us that you no longer have the BoilerKey.
Can a defective BoilerKey be replaced?
A BoilerKey that is not functioning properly can be replaced. Contact your Distributed IT Support Group or the ITaP Customer Service Center.