Departmental Accounts in the HCC Required to Enroll in Duo Security

Help Improve Information Security
New security requirement for Departmental Accounts in the HCC

Recent updates to University of Minnesota information security policy require Departmental Accounts in the Health Care Component (HCC) to enable multi-factor authentication (Duo Security) by April 2025. All individuals who own Departmental Accounts in the Health Care Component will be notified approximately two weeks before they are required to enroll in Duo Security.

Pilot Group - March 2025

A pilot group of 100 people was randomly selected from all Departmental Account holders in the HCC. The pilot group will be required to enroll their Departmental Accounts in Duo Security by March 25, 2025. All other Departmental Accounts in the HCC will be required to enroll in Duo in April. Communications to non-pilot HCC Departmental Account requesters, managers, or owners will be sent at least two weeks before they are required to enroll in Duo Security.

Pilot Group Timeline

  • March 12 - Pilot participants (selected requesters, owners, or managers) will receive an email notifying them of the new requirement and can self-enroll in Duo Security until March 25.
  • March 13 - Pilot Departmental Account email addresses will receive a notification about the requirement.
  • March 18 - When pilot participants sign into their HCC Departmental Accounts, they will see prompts to enroll in Duo. These prompts can be dismissed for up to 7 days.
    • If any person signs into the account and enrolls the account in Duo, all subsequent people who sign into the account using the Internet ID and password will need to enroll a device in Duo for the Departmental Account. See Guidance for Shared Access to Departmental Accounts below.
  • March 25 - Enrollment in Duo is required to access the Pilot Participants' Departmental Accounts. If the account has not been enrolled before March 25, people who need to access the account will be required to enroll the account and devices for each person who signs in using the Internet ID and password.

Guidance for Shared Access to Departmental Accounts

Limit access to HCC Departmental Accounts by providing credentials only to individuals who need them to perform their assigned tasks. HIPAA requires that only the minimum necessary number of people have access to the account.

Access Methods

There are two ways to access Departmental Account inboxes:

  • Sign into the Departmental Account using the account's Internet ID and password
  • Use Delegate Access to the Departmental Account. With delegate access, after signing into their primary account, a person can view and reply to both their own emails and the Departmental Account's emails.

Internet ID and Password

For information security, it is recommended to limit sign-in with the Internet ID and password to the people who manage the Departmental Account (up to three people). Account management duties include:

  • renewing the account when prompted annually
  • resetting the account's password when people off-board, or as needed
  • adding or removing devices from Duo Security when people on-board or off-board

Delegate Access

For people who do not have account management duties, but are responsible for viewing or responding to email, use Google's delegate access. People with delegate access do not have to enroll a device in Duo for the delegate account. This is because they will have already authenticated their identity with Duo when they signed into their primary account.

Securely Enrolling More than One Device in Duo for Departmental Accounts

If more than one person needs to sign in to the HCC Departmental Account using the Internet ID and password, coordination is required to enroll devices in Duo Security. This is because adding a device to Duo requires authentication, and Duo automatically sends a verification prompt to the last device used.

For example, if Kelly enrolls a device, and then Pat attempts to enroll Pat's device, the automatic prompt will be sent to Kelly's device (because that was the last device to authenticate). Since no one should ever approve a Duo prompt that they did not initiate, the following process is recommended.

Securely Distribute Codes

The first person to enable Duo and enroll their device should immediately generate Duo bypass codes for all others who need to sign in directly to the HCC Departmental Account. For security reasons, Duo bypass codes should not be shared via email or chat. Codes should be distributed using one of the following options:

  • in an in-person or virtual meeting,
  • via a file in a shared folder on an HST file server,
  • via a file shared with the team in Box, or
  • via Google Chat (note: HCC Google Chat messages auto-delete after 24 hours).

After people have been given their bypass codes to enroll their devices, they should go to the "Duo: Add or Remove Devices" knowledge base article and follow steps 1 to 8 in the "Adding New Devices to Duo" section.

HCC Departmental Accounts Used for Testing or Other Non-Person Tasks

Functional Accounts are non-person accounts that are needed to accomplish various tasks (e.g., automated testing, integrations, nightly batch jobs, email collectors).

If the HCC Departmental Account is being used as a functional account, the HCC Departmental Account requester, owner, or manager must submit a request to have the account converted to an actual Functional Account type. Duo is optional for Functional Accounts.

Departmental Accounts used for Creating, Storing and Collaborating in Google My Drive

If you are using your HCC Departmental Account to create, store, and collaborate on documents in the account's Google My Drive, it is recommended that you migrate those files and folders to a Shared Drive. Shared Drives have a significant benefit: when people leave the University, the files stored within are not deleted.

See: Compare Google Shared Drive to My Drive