Duo Two Factor Authentication

2021-01-06T16:49:02Z

Ssukhram:

�鶹��Ƶ requires DUO Two-Factor Authentication (TFA or 2FA) on your �鶹��Ƶ account. Two-Factor Authenication is also known as Strong Authentication or Multi-Factor Authenticaion (MFA). DUO TFA is required for employees and students. Please note that enrolling in DUO two-factor authentication is permanent and cannot be deactivated.

[[File:duomobileapp.png|right|150px]]

[https://guide.duo.com/ Learn more about Duo Two-Factor Authentication]

{{DuoTwoFactorQuickLinks}}
==Why enroll in two-factor authentication?==

Two-Factor Authentication adds an additional layer of security to your �鶹��Ƶ account. In addition to your password, you will need a mobile device like your phone or a hardware token to verify your identity when logging into your account.

Using just a username and password are no longer considered a secure mechanism for authentication. A password can be stolen or guessed. 2FA protects against password theft or guessing by requiring access to a physical mobile phone or hardware token to successfully login.

A successful information security program is all about adding layers of protection and 2FA is one of those critical layers. Learn more about securing your login by visiting the following page.
[https://www.lockdownyourlogin.com/ #LockDownURlogin]

==How does it work?==

#Access a resource protected by 2FA such as the �鶹��Ƶ website or GusMail.
#Enter your username and password as you normally would.
#Click DUO push to send a verification to your mobile device or it may be automatically pushed to your device. If you do not have a mobile device set up, you can receive a verification notification sent to your office phone, or hardware token (fob) where it will give a code to enter.
#After verifying it from you, by checking location, you accept a prompt from your mobile device to approve the login. If you have a fob, press the button on the fob, and then type the code that appears on your fob into the web page.
#Login is now complete.

==Enrollment==

Two-Factor Authentication is required on your �鶹��Ƶ account. Any user may enable 2FA on their �鶹��Ƶ account by following the instructions below. You will need a mobile device and the password for your phone to install the DUO Mobile App. You will also need your AppleID or Google Play account password to download the App Store or Google Play store. Please note that enrolling in DUO two-factor authentication is permanent and cannot be deactivated.

Follow the steps below to begin the two-factor enrollment, or watch our [https://youtu.be/7S2KyOexQJg Getting Started with Duo Two Factor at �鶹��Ƶ Video].

#Visit the [/account/manageTwoFactor �鶹��Ƶ DUO Management] portal.
#Enter your username and password. [[File:ssologinpage.PNG]]
#Click '''Start Enrollment''' or proceed to the next step if GTS has enabled your account for two-factor.
#Click '''Start Setup'''. [[File:tfasetup1.PNG]]
#Select your device type. We recommend a mobile device such as a phone. If you would like to set up your office phone, choose Landline. [[File:tfasetup2.PNG]]
#Enter your phone number and select the platform of the device. [[File:tfasetup3.PNG]]
#Install the '''Duo Mobile''' App from the App or Play store on your mobile device. [[File:tfasetup4.PNG]]
#Please enable notifications and access to the camera.
#Activate the '''Duo Mobile''' App by opening it and scanning the QR code. [[File:tfasetup5.PNG]]
#We recommend adding a secondary device such as your office phone by selecting '''Add Another Device''' in case your primary device is unavailable.
#Click '''Continue to Login''' to try 2FA for the first time. [[File:tfasetup6.PNG]]
#Select '''Send Me a Push''' if you are using a mobile device. Select Call me if you are using your office phone. Enter code if you are using a hardware token (fob). [[File:duoauthenWCall.PNG]]
#Click '''Accept''' on your mobile device. If you are using your office phone, press any key on your key pad and hang up.
#Your login is complete.

==Additional Information==

*An enrollment email will be sent to you from Duo as well to enable two-factor authentication.
*A mobile device such as a smart phone with the DUO mobile app is recommended for convenience and ease of use.
*If you do not want to use your mobile device, a [[Security Key]] may be purchased. We recommend the Yubikey 5 or [[Security Key]] (NFC) from Yubico. There are several options depending on your devices: [https://www.yubico.com/store#security-key-series https://www.yubico.com/store#security-key-series]
*GTS recommends installing the Duo Mobile app made by Duo Security on your supported device and enabling '''Automatically send me a: Duo Push.'''

To learn more, please visit:
*https://guide.duo.com/enrollment or watch our [https://youtu.be/7S2KyOexQJg Getting Started with Duo Two Factor at �鶹��Ƶ Video].

[[File:duomobileapp.png|right|100px]]

==Everyday Use of Duo==
===Modifying Settings and Devices===
There are two options for modifying your settings or to add an additional device:
*Visit the [/account/manageTwoFactor �鶹��Ƶ DUO Management] portal.
*Logout and back into the �鶹��Ƶ website. Then click '''My settings & Devices'''

===Automatic Settings===
Duo can be configured to '''automatically''' send a Push or make a phone call to your default device.
*Access your Duo settings (see above)
*Under the list of current devices, you will see an option to select a '''Default Device:'''. If you have more than one device configured, select your default device.
*From the '''When I log in:''' pop-down select either '''Automatically send this device a Duo Push''' or '''Automatically call this device'''.

===Unprompted Notifications===
If you receive Push notifications that you did not initiate, '''DO NOT''' approve them. If your account has been compromised, and someone has your password, they could initiate the Push, if you accept, you have granted them access to your account. If you feel as if the Push Notification is fraudulent, please change your �鶹��Ƶ password and contact Technology Services.

===Remember Me===
[[File:Duo_Remember_Me.jpg|right|thumb]]You can set Duo to '''Remember me for 15 days'''. If you check the box (on the ''Choose an authentication method'' window), the authentication is remembered for 15 days on that browser from that machine only.

==Supported Devices==

*iPhone and iPad
*Android device
*Blackberry
*Windows Phone
*Hardware Token
*Security Key

==Video Tutorial==
Watch our [https://youtu.be/7S2KyOexQJg Getting Started with Duo Two Factor at �鶹��Ƶ Video].

==FAQ==
===Am I required to enroll in DUO?===
Yes, �鶹��Ƶ employees are required to enroll in DUO TFA. This includes student employees.

===Do I need a smartphone to use Duo?===
No, you can have Duo call your office phone, send texts to your cellphone, or you can use a hardware token (fob) that you can add your key ring which provides codes you can enter into the verification menu to access your account.

===How can I use my FOB all the time?===
The Default Device pop-down does not allow users to choose a FOB as their default device. However, at the Duo '''Choose an authentication method''' window, you can select '''Enter a Passcode'''. You can then enter a passcode from your FOB, the Duo app on your phone or pre-generated passcodes.

===Does the system allow for multiple hardware tokens and phones to be added to an account?===

Yes and we strongly recommend adding multiple options in case one is unavailable. However, GTS only provides one hardware token per user. If an additional one is required, there are several options available for purchase online.

===How does it work?===
Once you are enrolled, every time you access a web page that uses the �鶹��Ƶ Single Sign On page, use remote desktop or access the Remote server, you will be prompted with a Duo-Two Factor Authentication option, after you supply your credentials.

[[File:Duo_Two_Factor_Image.jpg|400 px]]

If you choose '''Enter a Passcode''', the code can be from the Duo application on your phone, a FOB or generated passcodes.

===Do I need to use Duo Two Factor every time I log into my computer?===
No, Duo Two Factor is only needed when you are logging into a resource below.

===Which resources will use Duo Two Factor?===
*�鶹��Ƶ Google Suite - Drive, Calendar, GusMail
*Moodle
*Remote Desktop
*�鶹��Ƶ User Settings
*�鶹��Ƶ Web Resources
*Office 365
*etc

===Can I set Duo up to automatically send a Push to my phone?===
Yes, you can. Those settings are in the Duo Two Factor settings. There are two options for modifying your settings:

*Visit the [/account/manageTwoFactor �鶹��Ƶ DUO Management] portal.
*Logout and back into the �鶹��Ƶ website.

Then click '''My settings & Devices'''.

You can then choose a Default Device (a hardware token or fob cannot be selected as the default device) and what method to use. Select either
*Ask me to choose an authentication method
*Automatically send this device a Duo Push
*Automatically call this device

===I am traveling abroad and do not have access to texts/internet, how can I use Duo?===
When you are traveling abroad and do not have access to text messages or phone calls:
#Open the Duo Mobile app on your phone
#Press the down arrow to the right of the �鶹��Ƶ heading. This will show you a passcode to enter at the two factor authentication screen.
#Instead of choosing push notification, press enter passcode and enter the number it generates in the app.
#If you set it to automatically send you a push notification, press cancel and choose enter passcode.

===I lost my device or I got a new device===
If you lost your phone and don't have a secondary device added to your account, please contact the Technology Helpline at (507-933-6111 or [mailto:helpline@gustavus.edu helpline@gustavus.edu]) to get a new device added. You will need to speak with a full time staff member. If you have purchased a new phone, please see our web page [[Duo_TF_-_Device_Replacement_for_End_Users]].

===I forgot my device at home?===
If you have your cell phone configured as your device, and it isn't available (left at home or dead batteries) you can contact the Technology Helpline (507-933-6111) to get your landline added, or get printed bypass codes. You will need to speak with a full time staff member.
===Can I get '''one''' time use bypass codes?===
Yes, it is possible to get one time use bypass codes. These are numeric codes you would print or write down and use one time for authentication. You can get a list of bypass codes by contacting the Technology Helpline (507-933-6111 or [mailto:helpline@gustavus.edu helpline@gustavus.edu],
you will need to speak with a full time staff member). To use your codes, from the '''Choose an authentication method''' window, select '''Enter a Passcode''', and input one of your codes.

==Troubleshooting==
===When I log into my account on my iPhone, I do not see the Duo screen. I see a blank white/grey screen.===
This symptom usually indicates a web content restriction. Please see [https://help.duo.com/s/article/3710?language=en_US Duo Mobile's help page] for information on how to resolve this issue.
===Duo doesn't remember me for 15 days like it says it will on my Internet browsers.===
Update your browsers to the newest versions, and then try clearing the website data/cache for duosecurity.com. Also allow cookies for websites you visit.

===On my Mac, when I try to update my Internet Accounts for GusMail with my new password, the accounts page freezes and doesn't allow me to update the password.===
Open Keychain Access on your Mac, and search for Google saved passwords and remove them. Restart your computer and try again.
[[Category:Duo Two Factor Authentication]]
[[Category:Security]]

Technology Services Wiki - User contributions [en]

Duo Two Factor Authentication