BoilerKey FAQ

BoilerKey, Purdue’s version of two-factor authentication, improves the security of protected computer systems and personal data.

Two-factor authentication (also known as multi-factor authentication or two-step verification) is an extra layer of protection — more protection than a traditional password. Two-factor authentication should be used on accounts that contain sensitive information, such as bank accounts, Social Security numbers, health information and more.

At Purdue, these two forms of verification are something you know — career account and PIN — and something you have — the Duo Mobile application on your smartphone or a hardware token. These two items are used in place of your password wherever you see the BoilerKey logo and on the virtual private network (WebVPN).

Two-factor authentication increases the level of security; it uses something you know and something you have in order to increase the security of the system.

Specifically, BoilerKey protects University systems and your sensitive data, such as a Social Security number and bank account information. Even if someone gains your username and password or PIN, they will not have the physical device needed to break into your account.

NOTE:  Students who have signed up for BoilerKey two-factor authentication will need to use the Duo Mobile app on their personal device or a hard token to access important online systems. The Duo Mobile app should be downloaded only to the device students plan to use on campus.

Visit https://www.purdue.edu/securepurdue/identity-access/boilerkey/index.php to request a hardware token or to set up the Duo Mobile application on your smartphone or tablet.

You are able to register multiple devices with the Duo Mobile application, but you can only use one hardware token at a time.

No. Once you have been set up to use the BoilerKey, only the passcode (“PIN,push” or “PIN,6-digit code”) will work where you see the BoilerKey logo and the virtual private network (WebVPN).

If the BoilerKey is lost or if you suspect that it has been stolen or used by a third party, you should immediately report it. Please contact your campus unit’s IT support group or the ITaP Customer Service Center at 765-494-4000.

So that you can still access your account, there are two steps you can take now, BEFORE you lose your BoilerKey or leave it at home.

1) Self-service recovery. Go to https://www.purdue.edu/apps/account/BoilerKeySelfRecovery

*You must have first registered your cell phone number by visiting the Update Cell Phone tool (https://www.purdue.edu/apps/account/UpdateCellPhone).

This option is for the Duo Mobile app users who replaced a smartphone or for those with a hardware token who either left it at home or lost it.

Once you have registered your cellphone number, go to any page requiring BoilerKey to sign in and click “Issues with your BoilerKey?” This will start the BoilerKey self-recovery process. You will be asked to verify your identity by providing your career account login, 10-digit PUID number and your date of birth. Once verified, you will be sent a 9-digit code via text message that can be used in place of "push" or the generated code from a BoilerKey token or the app. Example: “0000,123456789”

2) Backup codes. Go to https://www.purdue.edu/apps/account/BoilerKeySelfServe, sign in, and click “Obtain lists of one-time use backup codes.” Once you have the codes, print them out and store them somewhere secure, such as your wallet or a locked drawer.

When you are without your hardware token or smartphone, you can use these 9-digit codes in place of “push” or the generated code from the token or app. Example: “0000,123456789”

Your BoilerKey is tied to a specific device, which means that if you get a new phone, you will have to do more than just download the Duo Mobile app on your new phone. Here’s how to set up your BoilerKey on a new phone:

  1. If you have the previous phone and can still use it to log into the BoilerKey website at purdue.edu/boilerkey, log in and select “Set up a Duo Mobile BoilerKey.” Set up Duo Mobile on your new phone.
  2. Once you have set up your new phone, return to the main page and select “Manage my Duo Mobile BoilerKeys.”
  3. Remove your old phone. Your new phone is now ready to use as normal.

If you do not have your previous phone, follow these steps.

  1. Go to any BoilerKey login page, select “Issues with your BoilerKey,” and follow the instructions.
  2. OR use a backup code in place of push or 6-digit code.
  3. Follow the above steps to register a new phone and remove the previous phone.

NOTE: If you have not registered your phone number for self-recovery nor printed out a list of backup codes, then you will need to call the ITaP Customer Service Center.

If your phone is not connected to the internet, use the Duo Mobile app to receive a 6-digit code to use in place of the word push. Instead of "PIN,push”, you'll use "PIN,6-digit code."

To access the 6-digit code in the Duo Mobile app, tap the “Purdue University” entry in the app to reveal the 6-digit code.

If you are trying to authenticate with your Duo Mobile BoilerKey, and the Duo Mobile app on your smartphone says "account not found,” a request was received for an account that is no longer paired to this device. Replacing a smartphone, having a smartphone restored to factory settings during repair, or any other major change to the phone may cause your Duo Mobile BoilerKey to disconnect.

To fix this, remove any Duo Mobile BoilerKeys from your smartphone and from the BoilerKey website, and then set up a new Duo Mobile BoilerKey on the BoilerKey website.

To remove a Duo Mobile BoilerKey from your smartphone, press and hold where it says "Purdue University," and a menu should pop up with a remove option. To remove a Duo Mobile BoilerKey from the BoilerKey website, visit purdue.edu/securepurdue/identity-access/boilerkey/index.php and log in using a backup code. Once logged in, click “Manage my Duo Mobile BoilerKeys” and remove the device.

Make sure that your network connection is working, either Wi-Fi or cellular data. The push message requires a network connection. If you’re in an area with poor network reception, click the “Purdue University” entry in the Duo mobile app to get a 6-digit token code instead. Enter that along with your PIN number in this format: 4-digit PIN, 6-digit code. For example: 1234,56789

If problems persist, the best way to get the push functionality working again is to request a new Duo Mobile BoilerKey, set that up, and then remove the old Duo Mobile BoilerKey from the Duo Mobile app by pressing and holding where it says "Purdue University.” A menu should pop up with a remove option.

To remove a Duo Mobile BoilerKey from your smartphone, press and hold where it says "Purdue University," and a menu should pop up with a remove option. To remove a Duo Mobile BoilerKey from the BoilerKey website, visit purdue.edu/securepurdue/identity-access/boilerkey/index.php and log in using a backup code. Once logged in, click “Manage my Duo Mobile BoilerKeys” and remove the device.

Check the “Notifications” settings for the Duo mobile application in the iPhone’s Settings app and make sure notifications are turned on. If turned off, you won’t be able to receive the push notifications. Go to Settings->Duo Mobile->Notifications to check the notification settings.
No. Duo Mobile is only available on smartphones and tablets.
A BoilerKey that is not functioning properly can be replaced. Contact your campus unit’s IT support group or the ITaP Customer Service Center.

Yes, users can have more than one BoilerKey. They are managed via the BoilerKey and BoilerKey Self Recovery web pages.

If you have multiple Duo Mobile tokens, PIN,push will only notify the first device registered on your BoilerKey page. The second DUO Mobile token will be notified if you use PIN,push2, the third to PIN,push3 and so on.

You are still required to change your password once a year.