Emerson IT Help Desk

Duo, Single Sign-On, & Two Factor Authentication

What is Duo?

Duo is a Single Sign-On (SSO) service that secures most campus resources, including Gmail, Box, and Banner. Because it is our single sign-on service, a user who logs into one Duo application and then opens another tab in the same browser for an application that also uses Duo will not have to enter their username and password again.

[Image: Duo login screen]

What is Two Factor Authentication?

Duo allows us to implement a feature called “Two Factor Authentication” (2FA), a method of confirming a user’s claimed identity by using a combination of two different factors. Enabling 2FA helps ensure that if a malicious actor manages to steal your password, they are still unable to log in without something physical (a phone, for example).

How To Use Two Factor Authentication

A second authentication factor can take many forms: a text message or phone call that provides a code to enter, a push notification sent to your smartphone that needs to be approved, or a physical device that either provides a code that changes every X amount of time or needs to be tapped. Duo allows users to receive a text or phone call with a code, select “Accept” on a push notification from the Duo smartphone app, or use a U2F Hardware Token, available at the Help Desk (Walker, 404).

[Image: Duo push notification]

Frequently Asked Questions:

  • What if I don't have a cell phone or cell phone reception? Or I am on a plane?

We highly recommend that users set up a push notification on their cell phone instead of a text message. Push notifications can be sent via the Internet/Wi-Fi rather than via cell phone networks. If you are in an area that has internet access but no cell signal, and the only second factor you have configured is a text message or phone call, you may be unable to receive a text or phone call to authenticate. However, you can also request a U2F Hardware Token from the Help Desk (Walker, 404).

If you are on an airplane and have paid for Wi-Fi on your computer but not your cell phone, log into all of the websites you'll be visiting in advance of the flight (Emerson Gmail, Banner, etc.) and choose the "Remember me for 30 days" option. This will bypass two factor and allow you to log in when you're on the plane. We also strongly recommend following this practice before major, time-sensitive events, such as Course Registration.

Alternatively, a U2F Hardware Token does not require Wi-Fi and will allow you to log in. We highly recommend you read the U2F Hardware Token guide to learn how valuable and easy to use these devices are.

  • Can I register multiple devices?

Yes! In fact, we recommend that users add multiple devices when they are first setting up two factor authentication. For example, if you set up your cell phone as well as your office phone, if your cell phone gets lost, broken, or runs out of battery, you can still authenticate by using your secondary device. If you have selected "Remember me for 30 days," but want to add another device, simply visit a service like Box or Gmail (gmail.emerson.edu or box.emerson.edu) in a Private or Incognito browser window (in your browser, click File > New Incognito Window or File > Private Browsing Window, then navigate to gmail.emerson.edu or box.emerson.edu and log in). Then, simply click "Add a New Device" on the left, authenticate with your primary device, and follow the prompts to add a secondary device.


  • What if I never receive a Push? Or SMS? Or phone call? Or my U2F token doesn't work?

To protect yourself from any of these scenarios, set up multiple methods of authentication with multiple devices where possible (see the above question about registering multiple devices). If you're still locked out, simply call (617) 824-8080 within business hours. The Help Desk will verify your identity and give you a temporary login code.

  • My department/group has a shared email address or Google Drive in which we share a password. How does this work with two factor?

In most cases, your workflow should not require shared passwords. For instance, if you are collaborating in Google Drive, rather than sharing an account, you should create a shared folder and share it with specific individuals. This way, if someone leaves the college or the project, you only have to unshare the folder with them rather than change the password. With Gmail mailboxes, a single user with the password can set delegates, or IT can set delegates on your department's behalf. Under this model, users log into their own mailboxes (using Duo), and then can open your shared mailbox in a separate tab.

In the rare cases where you have to share a password for a shared resource, you can register more devices through the "Add a New Device" option described in the above question regarding registering multiple devices. We recommend against this practice and believe that you will prefer using shared folders and delegates. We strictly forbid password sharing for your personally assigned Emerson account.

  • What happens if I get a new phone?

If you get a new phone and keep the old phone number, SMS and calls with Duo will continue to work. Duo Mobile, however, will not. To restore this functionality, go to gmail.emerson.edu or box.emerson.edu (in an Incognito Window if you've clicked "Remember Me" in the past 30 days), click "My Settings & Devices" on the left side, and authenticate with SMS or a phone call. Then click "Device Options" for your cell phone, click "Reactivate Duo Mobile," and follow the prompts.

If you have a new phone AND a new phone number, use a secondary device like a landline to authenticate, then click "Add a New Device" and follow the prompts.

If you have a new phone, new phone number, AND no secondary devices to authenticate, contact the Help Desk at 617-824-8080. They will verify your identity, remove the old device, and allow you to set up your new device from scratch.

  • I teach a course in which students use the lectern computer to present projects or documents. When each of them takes a turn logging in, it wastes valuable teaching time and is distracting. What can I do to prevent this?

If the students bring their own laptops to present their work, they can stage their project on their personal laptop and simply connect to the laptop station (or in select rooms, cast wirelessly) rather than use the lectern computer.

Alternatively, some professors share a Google Doc with the class and ask them to post links to their projects in the document ahead of time. Then, during class time, only the professor will have to authenticate to open the doc and present from there.

  • I chose "Remember Me" but it never seems to...remember me?

The "Remember Me" feature uses a browser cookie to remember that you have authenticated via two factor in the past 30 days. For that reason, if you clear your browser cache (or your computer's login profile is wiped, which occurs on Emerson lab and classroom computers nightly), you will clear the "Remember Me" function and have to authenticate with two factor again. Additionally, if you're logging in with a browser that has a fresh cache, or a browser that you've never used before, each site that uses two factor will require it for the first time, even if you have already chosen "Remember Me" on a different site.

Put simply, when you choose "Remember Me," you're configuring it to remember you for that individual site (such as Gmail or Box) for 30 days, but not ALL Emerson sites simultaneously.

  • What applications use two factor authentication?

Currently, Gmail, Box, Banner SSB, the VPN, and K2 (the Emerson recognition system) are the only services that use two factor authentication.

Please visit our article on logging into Box with Duo here: Logging Into Box

 

Duo for International End Users

We have many international students at Emerson as well as many faculty and staff that travel abroad for extensive periods of time.  Duo has, at times, been a concern for them as they worry about charges for international calls.  There are several ways to authenticate via Duo for those traveling abroad or living abroad.  Creating a bypass code should be the final and extreme-case option.

Option 1: U2F Tokens

U2F security tokens can be set up to complete two factor authentication without the use of a cellular device. U2F security tokens are available in USB and USB-C options. These would need to be set up while on campus, but can be used anywhere with compatible devices. For more information and setup instructions on U2F tokens, please visit https://support.emerson.edu/hc/en-us/articles/360004105752-Using-a-U2F-Hardware-Token-With-Duo-For-2FA

Option 2: Setting up Duo app and turning off cellular service

The Duo app can be used for cellular calls and text messages, but what happens when cell service is unavailable? If the user has the Duo app installed and is in an area with WiFi, they can send push notifications to themselves on the device or use the device’s internal codes to pass the Duo security page. If a user downloads the Duo app and turns off their cellular service, they can still receive Duo Push notifications and authentication codes.

Option 3: International landline calls

If someone cannot get to a cell phone and did not have the time to stop by the Help Desk for a U2F token, we can set up their international landline as a calling option. This way they can use a local phone for verification.

Extreme Cases: 

In an extreme case where none of these options are available, we can set up a bypass code for a user. An example of an extreme case is someone who has no mobile device, no landline, no WiFi, and no way to do a 2-factor authentication. Before issuing a bypass code, staff members will request verification of a person's identity using the security questions set up during account creation.
