Duo Security Two-Factor Authentication
The University uses a two-factor authentication system for users who need access to its enterprise-level applications (e.g., CS PeopleSoft, EFS PeopleSoft, EDMS, and the Data Warehouse) and for the underlying servers and databases. A form of authentication stronger than just a password, two-factor authentication requires two factors to authenticate: something you have, and something you know.
What is Duo?
Duo Security’s two-factor authentication enhances the security of your online accounts by using your phone to verify your identity. This helps prevent anyone but you from accessing your accounts, even if they know your password. Duo Security uses your Internet password for the “something you know” and leverages a phone for the “something you have." It works with all phone types, including smartphones, other cell phones and landlines. Duo Security also works internationally.
Traditional two-factor authentication solutions use hardware tokens (or “fobs”) that users need to carry. But your phone is a device you already have, know how to use, and notice when it’s missing,and by enabling the use of an existing device like your phone, the University is poised to save a substantial amount of money in hardware, software, deployment and training costs, and to deliver an improved end-user experience. Duo replaces M Key as the University's method of two-factor authentication.
There are a number of different methods for logging in. Use whichever method is most convenient for you. You can even enroll in the system with multiple phones and use multiple methods as a backup in case the device you normally use to log in is ever lost, damaged, or simply unavailable.
How It Works
Smartphones can use “push” authentication. When you attempt to access a secured system, your phone will present a notification that asks you to verify that you are trying to log in. When you select Accept, the system will let you in. If you are in a location where your phone does not have Internet access, the Duo app can generate one-time access codes, just like the M Key.
Other mobile phones and landlines can use “call me” authentication. When you attempt to access a secured system, the Duo system will call you and ask to press any number to proceed.
You can also have a list of ten one-time-use codes sent to your phone as a text message (SMS). Generated codes are vaild for and expire after one hour.
You can use your smartphone, cell phone, a tablet or your University desk phone. For users who do not have a phone they can use, a hardware token similar to the M Key will be available. The token will generate one-time-use codes that you type after your Internet password in order to log in.
Answers to Common Questions
Q. Do I need to have a smartphone to use Duo?
A. No. You can use a smartphone, cell phone, landline (such as your office or home phone), tablet, or hardware token. A complete and up-to-date list of authentication methods is available on the Duo Security website. We recommend that users who have a smartphone choose to use them, since they are the easiest to use with Duo, and the most cost effective for the University to support.
Q. What happens with my M Key? When will it stop working?
A. Once an application has been converted to accept Duo logins, it also will continue to support M Key logins until the M Key service is discontinued in June 2014. Once you no longer need your M Key, you can return it to:
2218 University Ave SE
2171A (Campus Delivery Code)
Q. I have an application that could/should leverage Duo. How can I start using/requiring it?
A. Please contact the Identity Management Service team to discuss your needs. Supported interfaces include Shibboleth, LDAP, RADIUS, or direct integration with Duo via their auth API or prebuilt integrations.
Q. How are accessibility issues handled?
A. Due to the variety of authentication options available, it is expected that Duo Security will accommodate every user.
Q. Does Duo see my password?
A. No. The University system verifies your Internet password with its internal systems, and never sends it to Duo. Duo provides only the second factor—the “something you have.” In fact, Duo stores very little information—just enough so it can do its job.
Q. If I log in to a site with my Internet password, then go to another site that requires two-factor, do I have to type my Internet password again?
A. No; the system will recognize that you have already provided your Internet password, and will only require the Duo push, callback, or code to continue.
Q. Can I use Duo to login to apps that do not require it.
A. Yes, this capability will continue with Duo. If an app currently allows this (e.g. any app using Shibboleth for web authentication), it should continue to allow it with Duo.
Q. What if I forget my smartphone at home?
A. We encourage users to set up multiple authentication methods with Duo, so that when one method is unavailable, you have others from which to choose. For example, you could set up your smartphone for “push” and also your office phone and home phone to do callback.
Q. How do I use my tablet?
A. Download the Duo Mobile App to generate one-time-use passcodes for use on your mobile device. Passcodes can be used even when you don't have an Internet connection.
Q. Does it cost me money to authenticate with my phone? Will the U reimburse me for it?
A. ”Push” authentication uses a very small amount of Internet data traffic to function (a few kilobytes per login). Text messages and voice calls are sent only when you request them, and would be billed by your carrier like any other text message or inbound voice call. The U will not reimburse users for any expenses incurred. If you would incur significant expense using Duo on a device, you should enroll something else, such as a landline.
Q. If a user wants a hardware token, who can have one, and will you charge for it?
A. The Identity Management service will pay for and manage the distribution of hardware tokens, so there will be no charge to users or departments. If you have determined that a hardware token is the most appropriate authentication method for you or your staff, please refer to the instructions to request a hardware token. Current M Key users should contact Technology Help to request tokens, and those who do not have M Keys will need to complete the appropriate Access Request Form(s).
Q. When can I start using Duo?
A. Each application will enable Duo on its own timeline in a phased implementation process, and the Identity Management Services team is working with the application owners to identify the implementation schedule for each. M Key authentication is scheduled to be decommissioned by June 1.
Q. How will managers submit requests to have new employees set up for Duo?
A. This will be part of the existing Access Request process handled by OIT Data Security. If access to a system that requires two-factor authentication is requested for a user, and the user is not set up for Duo, OIT Data Security will enable them to use it as part of the provisioning process. The plan is to send an email to the user at that point, informing them how to enroll their devices in Duo.
Q. Who is eligible to use Duo?
A. The University’s implementation of Duo is licensed to include all faculty, staff, and student employees, with the capacity for discretionary additions. It is anticipated that more applications will be able to leverage two-factor authentication over time.
Q. How do I authenticate when using Oracle database tools such as Toad, SQL Developer, and SQL*Plus?
A. Please consult the Oracle Database Authentication Instructions document.
Questions should be directed to Technology Help.