Duo, Single Sign-On, & Two Factor Authentication

 

What is Duo?

Duo is a Single Sign-On (SSO) service that secures most campus resources, including Gmail, Box, and Banner. This two-factor authentication system protects our students, faculty, and staff from potential phishing or other identity-related attacks.

What is Two Factor Authentication?

Duo allows us to implement a feature called Two Factor Authentication (2FA), a method of confirming a user’s claimed identity by utilizing a combination of two different factors. Enabling 2FA helps ensure that if a malicious actor manages to steal our password, they are still unable to log in without something physical (a phone, for example).

A second authentication factor could be a text message/phone call that provides you a code to enter, a push notification sent your smartphone that needs to be approved, a physical device that provides a code that changes every X amount of time or needs to be tapped, and many other forms. Duo allows users to receive a text or phone call with a code, select Accept on a push notification from the Duo smartphone app, or use a U2F Hardware Token.

 

Setting Up Duo

Using Duo Mobile App

UF2 Hardware Token

Using Duo Internationally

Frequently Asked Questions

Setting Up Duo

If you are a new student, faculty, or staff member of Emerson College the following steps will help you register your device(s) to Duo! 

  1. Log into any Emerson related webpage that uses Duo (i.e. Gmail; eCommon; Box; or Canvas). Your username is firstname_lastname and your password is whatever you initially set during the onboarding process.
  2. You will then be prompted to register a device that will allow you to receive a voice call, text message, or push notification from the Duo Mobile app (which can be downloaded on the App Store or Google Play). 
  3. Once you've entered the device's details, you might be asked to download the Duo application to activate your device.
  4. You will then see a QR code on your screen that you can scan in the app to finish the process of adding your device. 
    • In order to scan the QR code in the mobile app:
      1. Open the mobile application.
      2. Click the '+' in the upper right-hand corner of the screen.
      3. Point the device camera to the QR code.
  5. The webpage will display a message once the process is complete and will be able to use Duo to authenticate your identity. 

Using Duo Mobile App

The Duo mobile application allows you to quickly verify your identity when logging into most online Emerson resources by either approving a push notification or loading a 6-digit code (by pressing the down arrow next to 'Emerson College').

UF2 Hardware Token

U2F security tokens can be set up to bypass the 2-factor authentication process without the use of a cellular device. U2F security tokens are available in USB and USB-C options. These need to be set up while on campus but can be used anywhere with compatible devices.  For more information and setup instructions on U2F tokens please visit Setting Up a UF2 Hardware Token.

Duo for International End Users

There are many international students at Emerson as well as faculty and staff who travel abroad for extended periods of time. Fortunately, there are several ways to authenticate your identity through Duo while living outside of the US.

Note

Due to telephony restrictions in China, Duo is unable to use the phone call method to +86 numbers. Passcode and Duo Push will continue to function with those phones.

Option 1 Option 2 Option 3

Setting up U2F security tokens

U2F security tokens can be set up to bypass 2-factor authentication without the use of a cellular device. U2F security tokens are available in USB and USB-C options. These need to be set up while on campus but can be used anywhere with compatible devices. For more information and setup instructions on U2F tokens please visit Setting Up a UF2 Hardware Token.

Frequently Asked Questions:

What if I don't have cell phone reception? 

You can use WiFi to download the Duo Mobile application (through the App Store or Google Play) on your device(s). After activating your device by either scanning a QR code or calling the IT Help Desk, you can send push notifications via the Internet/Wi-Fi rather than via cell phone networks. You can also use the six-digit codes provided in the app to bypass Duo. (This can be found by clicking the down arrow next to Emerson College.)

If you are on an airplane and have paid for Wi-Fi on your computer but not your cell phone, log into all of the websites you'll be visiting in advance of the flight (Emerson Gmail, Banner, etc.) and choose the Remember me for 30 days option. This will bypass two-factor and allow you to log in when you're on the plane. We also strongly recommend following this practice before major time-sensitive events, such as Course Registration.

Alternatively, a U2F Hardware Token does not require Wi-Fi. We highly recommend you read the U2F Hardware Token guide to learn how valuable and easy to use these devices are.

Can I register multiple devices?

Yes! In fact, we recommend that you add multiple devices when first set up two-factor authentication through Duo. For example, if you set up your cell phone as well as your office phone, and your cell phone gets lost, broken, or runs out of battery, you can still authenticate your identity by using your secondary device.

If you have selected Remember me for 30 days, but want to add another device, simply visit a service like Box or Gmail (gmail.emerson.edu or box.emerson.edu) in a Private or Incognito browser window (in your browser, click File > New Incognito Window or File > Private Browsing Window, then navigate to gmail.emerson.edu or box.emerson.edu and log in). Then, click Add a New Device, authenticate your identity with your primary device, and follow the prompts to add a secondary device.

What if I never received a Push, SMS message, or a phone call? 

Many cases have arisen where users have blocked the phone number from which Duo calls. Please check your blocked callers, or add it as a contact so you know that it's Duo. Other instances of this happening are usually when someone is in a "dead zone" and are do not have a cellular connection or are not connected to the WiFi.

To protect yourself from any of these scenarios, set up multiple methods of authentication with multiple devices where possible (see the above question about registering multiple devices).

If you're still locked out, simply call the IT Help Desk at (617) 824-8080 within business hours. The Help Desk will verify your identity and give you a temporary login code.

Why doesn't my U2F token work?

This commonly happens when the U2F token isn't fully inserted into the computer. Make sure that it is securely inserted and that you are touching the token. 

My department/group has a shared email address or Google Drive in which we share a password. How does this work with two-factor authentication?

In most cases, your workflow should not require shared passwords. For instance, if you are collaborating in Google Drive, rather than sharing an account, you should create a shared folder and share it with specific individuals. This way, if someone leaves the college or the project, you only have to unshare the folder with them rather than change the password.

With Gmail mailboxes, a single user with the password can set delegates, or IT can set delegates on your department's behalf. This way, users can log in to their own mailboxes (using Duo), and then can open the shared mailbox in a separate tab.

In the rare cases where you have to share a password for a shared resource, you can register more devices through the Add a New Device option described in the above question regarding registering multiple devices. However, we firmly recommend against this practice and strictly forbid password sharing for your personally assigned Emerson account.

What happens if I get a new phone?

If you get a new phone and keep the old phone number, SMS and calls with Duo will continue to work. However, Duo Mobile will not. To restore this functionality, open Google Chrome, click the three dots in the top right, click New Incognito Window, go to gmail.emerson.edu, log in with your email and password, cancel or don't respond to the multi-factor request, click Other options, click Manage devices at the bottom, choose the preferred multi-factor method you're currently using (such as call or text), and click Add a Device on the right. Then choose Duo Mobile and follow the prompts.

If you have a new phone AND a new phone number but have a secondary device registered, use that other device (such as a landline) to authenticate, then click Add a New Device and follow the prompts.

If you have a new phone, new phone number, AND no secondary devices to authenticate, contact the Help Desk at (617)-824-8080. They will verify your identity, remove the old device, and allow you to set up your new device from scratch.

I teach a course in which students use the lectern computer to present projects or documents. Having them log in and use Duo wastes valuable teaching time and is distracting. What can I do to prevent this?

If the students bring their own laptops to present their work, they can connect their personal laptop to the laptop station (or in select rooms, cast wirelessly) rather than use the lectern (desktop) computer.

Alternatively, some professors share a Google Doc with the class and ask them to post links to their projects in the document ahead of time. Then, during class time, only the professor will have to verify their identity to open the document and present from there.

How does "Trust this browser" work?

The Trust this browser feature uses a browser cookie to remember that you have authenticated through Duo. For that reason, if you clear your browser cache (or your computer's login profile is wiped, which occurs on Emerson lab and classroom computers nightly), you will clear the cookie and have to authenticate again. Additionally, if you're logging in with a browser that has a fresh cache, or a browser that you've never used before, you will have to re-authenticate.

Additionally, if you log out of Duo, such as clicking "Sign out of all accounts" in Gmail, you will have to re-authenticate.

I'm getting a "System Error," saying to contact the Help Desk. What do I do?

Some users, especially those connected to the Internet outside of the US, may encounter the following error on their computer, while it works successfully on their phone.

systemerror.png

This occurs when your computer's IP address changes between the time you go to the site and when you submit the password, which makes Duo think someone is hijacking your session. This could be due to a VPN you're running or the way your ISP is handling your Internet connection.

If you're using a VPN, turn that off and try again. If the VPN is necessary to connect to Google or another service while outside of the US, use Emerson's VPN instead. That would tunnel all traffic back to Boston and you wouldn't get this error.

Alternatively, if your phone works and supports tethering, connect your computer's wifi to your phone's data plan temporarily to connect.

 

 Have any questions?

Contact the Help Desk at (617)-824-8080 or submit a ticket.

Was this article helpful?
5 out of 8 found this helpful
Have more questions? Submit a ticket