The MOST common 'Boilerkey call/issue' of late are due to the user getting a new device.

Boilerkey credentials through the Duo Mobile are tied to the particular device that they were created on. They can not be copied onto a new device either by the user... or malicious actors, this is an intentional security feature.

NOTE: A 'broken' key on the Duo Mobile app is handled the exact same way. This can be the result of a factory reset, and in some cases an update to the phone's operating system. Duo Mobile 'thinks' it's a different phone than before...

Usually calls/tickets will begin along the line of:

"I got a new phone, and my Boilerkey stopped working."
"I factory reset my device, and now Boilerkey isn't working."
"Duo Mobile says Purdue University : Reconnect."
"The 'Issues with your Boilerkey?' link told me to contact ITaP."
"I need a activation/bar/QR code for DuoMobile/Boilerkey."

A this point we have 2 courses of action to resolve the issue.

A.) Instruct the user how to use their Boilerkey Self-Recovery Tool to set up their new device (assuming they enabled it)
C.) Issue a bypass code, enable SRT (Self-Recovery Tool), set up their new device.

In an ideal world, everyone would have their SRT set up and know how to use it, and we would never need to help anyone when they get a new device. However, SRT isn't a required part of the Boilerkey setup process, so usually they don't have it setup. Or if they do... they don't know how to use it.

NOTE: By this point, they've already contacted us about their new device issue, can't change that. My goal though, is to do my best to make sure that next time... they don't need to call. For that reason, when 'Option A' doesn't work, I prefer 'Option C.'

New Device Activation : Option A - Using the Boilerkey Self-Recovery Tool

Once someone has identified themselves as having a new device, and Boilerkey is no longer working... ask them if they have already enabled their "Boilerkey Self-Recovery Tool"
1. "No" - Skip to option C
2. "I don't know" - Usually means they haven't... follow along to find out, or assume they don't have it enabled (usually the latter) and skip to option C now
3. "Yes" - Continue to follow along below
Direct them to purdue.edu/boilerkey
Click on the link BELOW the manage button that says "Self-Recovery"
Have them fill out all three fields and click "Continue"
One of two things will happen:
1. They'll get a text message on their phone and be prompted to input the code into the next web page in the browser
2. They'll be prompted to contact ITaP - Their self-recovery tool isn't enabled, skip to option C
Enter the code received into the next page
Once logged in, click on the option at the top to "Replace a Duo Mobile Boilerkey"
1. Step 0: On screen, they'll see their previous device listed with an option to replace. Assuming they're not still using it, click on the device and select replace.
2. Step 1: Make sure that they have the app installed on the new phone
  1. Remove any existing "Purdue University" keys on the device, they key will say 'Reconnect' next to it
    1. iPhones : Tap 'Edit' in top left corner, or the 3 dots in the upper right of the key, and then delete option to remove the key/account from this device
    2. Andriod : Press & Hold on "Purdue University" to remove the key/account
    3. Others : Try both of the above methods?
  2. Notifications SHOULD be enabled
3. Step 2: Confirm their PIN
4. Step 3: Device Management
  1. Have them enter in a new Device Name, it SHOULD be the model of the phone, iPhone8, GalaxyS7, etc (no spaces, no special characters)
5. Step 4: Register the new device
  1. Option 1 : Registering a new device using a computer and your device camera
    1. Tap the "Get started" or "Add account" option on the Duo Mobile App
    2. The app needs to access their camera so that it can scan the code, so allow it if prompted
    3. Point the camera at the QR code on screen in order to scan it
    4. "Purdue University" with a dropdown arrow and a 6 digit code should appear
  2. Option 2 : Registering a device, from it's own web browser
    1. If the user is completing the registration process on the device itself,
    2. On Step 4, click the "Option 2" link below the QR code, and follow the on screen directions
6. Step 5: Testing your device activation
  1. The username will just be their regular Career Account Username
  2. The "Boilerkey Passphrase" will be either:
    1. PIN#, comma, 'push' (####,push)
      1. In this case they'll need to tap the "Approve" option on the notification that their phone receives WITHIN 15 seconds of clicking the "Test Boilerkey Authentication" button.
    2. PIN#, comma, 6-DIGIT-CODE (####,######)
      1. The code will come from the DuoMobile app (tap the dropdown arrow next to Purdue University)
      2. You MUST tap the refresh icon EVERY time BEFORE putting the code into the login prompt
      3. There are no spaces in the Passphrase or Code
      4. Some phones show the Refresh icon as a key and needs to be 'toggled' for a new code
  3. This Login page works like any other CAS login or test page, and can be troubleshooted in the same way
    NOTE: If they got the phone notification, but the we page said "Sorry, this is not the correct Boilerkey passphrase" It's lying... they just took too long to approve, try again.
7. Step 6: The setup process is complete, their new device is setup for Boilerkey Authentication

New Device Activation : Option B - 'Device Purge method using the White Auth Failed Page'

NOTE: The process formerly known as "Option B" has been removed as it has proven to be unstable and buggy, causing issues on both the user side and the admin side. It relied on a function of Boilerkey that was only implemented as a temporary fix during the initial Boilerkey rollout, and was not intended for continued use, hence... unstable and buggy... Please use Option C below.

New Device Activation : Option C - Bypass code and Self-Recovery Tool Setup

NOTE: This is approximately the same steps you would take for a user who has never attempted to set up Boilerkey before, and they're NOT currently required to use Boilerkey for CAS logins. They would just use their career account password to log in initially instead of PIN#,9-DIGIT-BYPASS

NOTE: This is the preferred method for setting up a new device, as it doesn't have a timeout on pages, it enables SRT, and shows them how to set up their new devices in the future.

Using this method, you can take as much time as needed for each step, with some users, this is important.
Using this option, you can get them to enable their Self-Recovery Tool FIRST, then go set up the new device, hopefully reducing future calls.
Using this option, you can teach the user some self reliance by walking them through the process of removing a device and adding a new one rather than doing it for them.
HOWEVER.... this option is slower... but if it reduces future calls... kind of worth it.

The user has identified themselves as recently getting a new device, or an issue with their device, and not able to use their Boilerkey
They either haven't set up their Self-Recovery Tool, or don't know if they have (assume they haven't if they're not sure)
YOU will need to do a Purdue Person Search (PPS) Identity Verification
NOTE: October 2019, only 3 of the 5 data points are required. Bolded ones are preferred.
1. PUID
2. Username/Alias
3. Date of Birth (DOB)
4. Address on Record
5. First & Last Name
Direct them to open purdue.edu/boilerkey in a browser (computer PREFERRED... but not REQUIRED)
YOU will need to access YOUR Boilerkey page
1. Go to purdue.edu/boilerkey
2. Click the "Manage" button in the middle with the gears
3. Click the link near the bottom "Issue Duo Bypass codes to customers"
4. Put in their PUID & username, and check the checkbox
5. You'll receive a 9-DIGIT-BYPASS code (server generated pass codes can be identified by their 9 digit nature)
If they're not already there, direct them to open purdue.edu/boilerkey in a browser (computer PREFERRED... but not REQUIRED)
1. DO NOT have them click on it, but draw their attention to the "Self-Recovery" button below the "Manage" button, we will refer back to it later.
2. Have them click the "Manage" button in the middle with the gears
They will be at a CAS login prompt, have them log in with their username,
1. Their input for password should be of the form PIN#,9-DIGIT-BYPASS (####,#########)
  NOTE: If their PIN has been reset at some point, (can be checked on Catbert), they should instead use the form Career-Account-Password, a comma, 9-DIGIT-BYPASS (PW,#########)
Once logged in, direct them to set up their Self-Recovery Tool setup
1. Next to the ambulance icon, they should click "Enable BoilerKey Self-Recovery via text messaging"
2. Enter their cellphone number and send a verification code via text
3. Enter the code received into the next page
  NOTE: There have been some issues lately where this fails, about 80% of the time it works the second time, if it still doesn't work by the third time skip this step and send the ticket to ITAP_IDENTITIY_MGMT
  Check the 'Potential Problem ?" checkbox and document the reason for escalating.
4. Once the code is accepted, they should get the message "The changes to your cell phone settings have been saved"
In the future, they can use the Self-Recovery Tool to set up a new device
1. The Self-Recovery Tool is allows a user to access a stripped down version of the Boilerkey homepage
2. Explain to them how the tool is accessed by clicking the "Self-Recovery" button back on the Boilerkey landing page
3. Have them go back to the Boilerkey home page by clicking the "Boilerkey Self-Serve" under the black bar at the top of the page.
Setting up the new device
1. Tell them that this is the EXACT process that they will use in the future to set up a new device (once they've authenticated with SRT)
2. Have them click on the option at the top to "Replace a new Duo Mobile Boilerkey" (next to the green square Duo icon)
3. Step 0: On screen, they'll see their previous device listed with an option to replace. Assuming they're not still using it, click on the device and select replace.
  NOTE: If they are NOT replacing a device outright, on the Boilerkey homepage use the "Add or Remove your Duo Mobile BoilerKeys" to just add a new device outright instead.
4. Step 1: Make sure that they have the app installed on the new phone
  1. Remove any existing "Purdue University" keys on the device, they key will say 'Reconnect' next to it
    1. iPhones : Tap 'Edit' in top left corner, or the 3 dots in the upper right of the key, and then delete option to remove the key/account from this device
    2. Andriod : Press & Hold on "Purdue University" to remove the key/account
    3. Others : Try both of the above methods?
  2. Notifications SHOULD be enabled
5. Step 2: Confirm their PIN
6. Step 3: Device Management
  1. Have them enter in a new Device Name, it SHOULD be the model of the phone, iPhone8, GalaxyS7, etc (no spaces, no special characters)
7. Step 4: Register the new device
  1. Option 1 : Registering a new device using a computer and your device camera
    1. Tap the "Get started" or "Add account" option on the Duo Mobile App
    2. The app needs to access their camera so that it can scan the code, so allow it if prompted
    3. Point the camera at the QR code on screen in order to scan it
    4. "Purdue University" with a dropdown arrow and a 6 digit code should appear
  2. Option 2 : Registering a device, from it's own web browser
    1. If the user is completing the registration process on the device itself,
    2. On Step 4, click the "Option 2" link below the QR code, and follow the on screen directions
8. Step 5: Testing your device activation
  1. The username will just be their regular Career Account Username
  2. The "Boilerkey Passphrase" will be either:
    1. PIN#, comma, 'push' (####,push)
      1. In this case they'll need to tap the "Approve" option on the notification that their phone receives WITHIN 15 seconds of clicking the "Test Boilerkey Authentication" button.
    2. PIN#, comma, 6-DIGIT-CODE (####,######)
      1. The code will come from the DuoMobile app (tap the dropdown arrow next to Purdue University)
      2. You MUST tap the refresh icon EVERY time BEFORE putting the code into the login prompt
      3. There are no spaces in the Passphrase or Code
      4. Some phones show the Refresh icon as a key and needs to be 'toggled' for a new code
  3. This Login page works like any other CAS login or test page, and can be troubleshooted in the same way
    NOTE: If they got the phone notification, but the we page said "Sorry, this is not the correct Boilerkey passphrase" It's lying... they just took too long to approve, try again.
9. Step 6: The setup process is complete, their new device is setup for Boilerkey Authentication
Send them on their way, and finalize your ticket for the call.
NOTE: Ideally when you get off the phone with the user, your ticket should be ready to save. Try to work on it any time you're waiting on the user.
NOTE: If the user mentioned at all that they already had an open ticket, locate it. If it is still open, update it and resolve it, otherwise, make a new ticket.
1. Ticket header
  1. Title : "Boilerkey - New Device"
  2. Ticket Type : "Service Request"
  3. Submission Method : "Phone" or "Walk-in"
    NOTE: If this was an existing ticket, leave this as it was.
  4. Status : "Resolved" (assuming you resolved it)
  5. Resolution Code : "Completed Successfully" (assuming you did)
  6. Schedule Date : Set for 1 week, 7 days, from now
    NOTE: Do not EVER use the "Current date and time" checkbox, EVER!
2. Contact Information Tab
  1. User ID: Fill in their username
  2. Press 'Enter' key to auto-fill the rest of the fields on this tab
3. Issue Information Tab
  1. Category : "Security"
  2. Service : "Identity & Access Management"
  3. Service Offering : "Boilerkey"
  4. Another dropdown should appear when you select "Boilerkey",
    1. Assuming you followed the above process, you should Ctrl+Click to select AT LEAST:
      1. "Boilerkey-Bypass Code"
      2. "Boilerkey-New Device"
    2. If any other issues came up, you'll want to also select them, and elaborate in your tech notes
  5. Urgency : "Scheduled" (should auto-fill)
  6. Impact : "Minimal" (should ALWAYS be selected, Moderate is 40+ people)
  7. Tech Notes : Anything irregular about the call, anything of note. These are a pretty 'standard' call by this point, so usually left blank.
4. Customer Note
  1. These are a pretty standard and frequent call by this point, you should probably have a Customer Note made up for just this type of call.
  2. Consult with your Supervisor if you don't know how to make a note, or aren't sure what to include in it.
5. Assignees and Notifications
  1. Assign the ticket,
    1. Using the dropdowns,
    2. Find your team,
    3. Find yourself within that team,
    4. Double-click to assign
  2. Check the "Contact" checkbox on the right so that the user receives your Customer Note
  3. If you feel like the call went well, or above average, check the "Send Survey to Customer" box also
Save the ticket, prepare for your next customer

Quick Note Contents

Click here for a customer note to use on these types of tickets

Browser not supported