This article explains how Duo works with Departmental accounts and describes the processes that apply specifically to them.
In this article:
- Onboarding Duo for Newly Created Departmental Accounts
- Authenticating with Duo as a User of a Departmental Account
- Understanding the Responsibilities of Specific Departmental Account Roles with Duo
- Additional Resources
Onboarding Duo for Newly Created Departmental Accounts
- Log in to Departmental Account via my-account.umn.edu
- Select ENROLL IN DUO NOW.
- Enroll Duo device at "Welcome to Duo".
- For more help, follow the guidance starting from step 6 in the Getting Started with Duo Security section of the knowledge article Duo: Initiate Duo Security.
- Log out of the Departmental account.
- Log in to Departmental Account via my-account.umn.edu
- In Duo Security, select Generate Duo Bypass Codes.
- Select Submit.
- Copy and securely store all ten generated Duo bypass codes to be used by others to add their device.
- NOTE: For every device that will need to be added to the Departmental Account, provide one of the generated Duo bypass codes.
- Only provide one bypass code per user.
- Bypass codes can only be used once.
Authenticating with Duo as a User of a Departmental Account
Because departmental accounts are typically shared accounts and have multiple users who authenticate through Duo, it is essential that users adhere to these guidelines for security purposes and fully understand the user experience for shared accounts.
Last Used Authentication and Departmental Accounts
When a user signs into a departmental account enrolled in Duo, Duo will default to the most recent authentication method used. This default method, or "last used preference," is stored as a browser cookie. Clearing the browser's cookies or cache removes it, and at the next authentication Duo will automatically select the most secure available method.
Refer to Duo's support article Last Used Authentication Method for more information.
Authentication Security from Shared Devices
The following scenario illustrates an authentication issue with Duo that applies specifically to Departmental accounts:
- User A signs into a departmental account enrolled in Duo on a shared laptop that user B has also just used and signed into using the same departmental account.
- Duo will automatically offer user A the same authentication method that user B used.
- For security purposes, user A should decline this authentication option (the one used by user B).
- To securely sign into the shared laptop using the departmental account, user A should follow these steps:
- Cancel any authentication request that they did not initiate.
- Authenticate using their own device by selecting Other Options.
- Select their enrolled Duo device during the authentication process.
Users should never select Confirm this is your device when using a public or shared computer. Doing so leaves your Duo session available to other users, causing a security risk for your data and the data of the University community. Users should select Yes, this is my device only when accessing applications from their devices.
Understanding the Responsibilities of Specific Departmental Account Roles with Duo
If the departmental account has more than one user, certain roles – users and requestors – have specific responsibilities to ensure secure and continued access. For more about who falls under these roles, visit the departmental account section in the Types of University Accounts page.
User Responsibilities
- It is important that each user select their own enrolled Duo device when authenticating to the departmental account(s).
- Do not reply to an authentication request that you did not initiate.
Requestor Responsibilities
Departmental accounts that have enabled Duo Security will remain active for all users, allowing continued access for all Duo devices associated with the departmental account. To ensure the security and integrity of access, the requestor is responsible for upholding these security measures:
- Review the Duo devices associated with the departmental account(s) on a quarterly basis.
- Go to Duo: Add or Remove Devices for step-by-step instructions for managing Duo devices.
- Only the device information is displayed under manage devices.
- You will need to know who owns each device, so it is recommended that the account owner track that internally. Duo does not contain this information.
- Remove Duo devices when staff leave, no longer require access, etc.
- Reset the departmental account password when staff leave, when staff no longer require access, or if you think the password has been compromised.
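One way a requestor could carry out the quarterly review described above, shown as an added example that is not part of the original article or of Duo's tooling. It assumes the requestor keeps an internal device-to-owner register (since Duo does not hold owner information) and copies the device list from the manage devices page by hand; all function names, fields and sample data are constructed.

```python
"""Quarterly Duo device review for a departmental account (illustrative)."""

def review_devices(duo_devices, register, active_staff):
    """Reconcile the devices shown in Duo against internal ownership records.

    duo_devices  -- device labels currently enrolled on the account
    register     -- dict: device label -> owner (tracked internally, assumed)
    active_staff -- set of people who still require access
    """
    findings = {"unknown_owner": [], "owner_departed": [], "stale_register": []}
    for device in sorted(duo_devices):
        owner = register.get(device)
        if owner is None:
            # Duo displays only device information, so an untracked
            # device has no accountable owner and needs follow-up.
            findings["unknown_owner"].append(device)
        elif owner not in active_staff:
            # Staff left or no longer require access: remove the device.
            findings["owner_departed"].append((device, owner))
    # Register rows whose device is no longer enrolled in Duo.
    findings["stale_register"] = sorted(set(register) - set(duo_devices))
    return findings

def password_reset_needed(findings):
    """A reset is called for when staff leave or no longer require access."""
    return bool(findings["owner_departed"])

# Constructed sample data (not real devices or people).
DUO_DEVICES = ["iOS 555-0101", "Android 555-0102",
               "Hardware token 001", "Android 555-0199"]
REGISTER = {"iOS 555-0101": "alex", "Android 555-0102": "blake",
            "Hardware token 001": "casey", "Landline 555-0150": "drew"}
ACTIVE_STAFF = {"alex", "casey", "drew"}

if __name__ == "__main__":
    result = review_devices(DUO_DEVICES, REGISTER, ACTIVE_STAFF)
    for device in result["unknown_owner"]:
        print(f"INVESTIGATE  {device}: no owner on record")
    for device, owner in result["owner_departed"]:
        print(f"REMOVE       {device}: owner {owner} no longer needs access")
    for device in result["stale_register"]:
        print(f"CLEAN UP     {device}: in register but not enrolled in Duo")
    if password_reset_needed(result):
        print("RESET the departmental account password")
```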
Additional Resources
- There are a number of different types of accounts used at the U. To find out more about them, visit the Types of University Accounts page.
- For information specific to Departmental Accounts, go to Accounts: Update Access to and Manage a Departmental Account.
- Refer to the Self-Help Guide for Duo Set up and Using Duo Security for instructions on enrolling and setting up Duo on any University account.