What is Duo?
Duo is a Single Sign-On (SSO) service that secures most campus resources, including Gmail, Box, and Banner. This two-factor authentication system protects our students, faculty, and staff from potential phishing or other identity-related attacks.
What is Two Factor Authentication?
Duo allows us to implement a feature called “Two Factor Authentication” (2FA), a method of confirming a user’s claimed identity by utilizing a combination of two different factors. Enabling 2FA helps ensure that if a malicious actor manages to steal your password, they are still unable to log in without something physical (a phone, for example).
A second authentication factor could be a text message or phone call that provides you a code to enter, a push notification sent to your smartphone that needs to be approved, a physical device that provides a code that changes every X amount of time or needs to be tapped, and many other forms. Duo allows users to receive a text or phone call with a code, select “Accept” on a push notification from the Duo smartphone app, or use a U2F Hardware Token.
Setting Up Duo
If you are a new student, faculty, or staff member of Emerson College, the following steps will help you register your device(s) to Duo!
1. Log into any Emerson-related webpage that uses Duo (e.g., Gmail, eCommon, Box, or Canvas). (Your username is firstname_lastname and your password is whatever you initially set during the onboarding process.)
2. You will then be prompted to register a device that will allow you to receive a voice call, text message, or push notification from the Duo Mobile app (which can be downloaded on the App Store or Google Play).
3. Once you've entered the device's details, you might be asked to download the Duo application to activate your device.
4. You will then see a QR code on your screen that you can scan in the app to finish the process of adding your device.
5. In order to scan the QR code in the mobile app:
a. Open the mobile application.
b. Click the '+' in the upper right-hand corner of the screen.
c. Point the device camera to the QR code.
6. Once you see the checkmark, you have completed the process and will be able to use Duo to authenticate your identity.
Using Duo Mobile App
The Duo mobile application allows you to quickly verify your identity when logging into most online Emerson resources by either approving a push notification or loading a 6-digit code (by pressing the down arrow next to 'Emerson College').
U2F Hardware Token
U2F security tokens can be set up to complete the 2-factor authentication process without the use of a cellular device. U2F security tokens are available in USB and USB-C options. These need to be set up while on campus but can be used anywhere with compatible devices. For more information and setup instructions on U2F tokens, please visit Setting Up a U2F Hardware Token.
Duo for International End Users
There are many international students at Emerson as well as faculty and staff who travel abroad for extended periods of time. Fortunately, there are several ways to authenticate your identity through Duo while living outside of the US.
(Please note: As of April 2019, due to telephony restrictions in China, Duo is unable to use the phone call method to +86 numbers. Passcode and Duo Push will continue to function with those phones.)
Option 1: Setting up U2F tokens.
U2F security tokens can be set up to complete 2-factor authentication without the use of a cellular device. U2F security tokens are available in USB and USB-C options. These need to be set up while on campus but can be used anywhere with compatible devices. For more information and setup instructions on U2F tokens, please visit Setting Up a U2F Hardware Token.
Option 2: Set up the Duo app and turn off cellular service.
If you have the Duo app installed and have access to WiFi, you can turn off your cellular service and send push notifications to your device or use the six-digit codes provided in the app, in order to pass the Duo security page.
Option 3: International landline calls.
If you're abroad and don't have a U2F token or a US number, you can call the IT Help Desk and they will help you set up your international landline as a calling option.
Frequently Asked Questions:
- What if I don't have a cellphone?
- What if I don't have cell phone reception?
- Can I register multiple devices?
- What if I never received a Push Notification, SMS message, or a phone call?
- Why doesn't my U2F token work?
- My department/group has a shared email address or Google Drive in which we share a password. How does this work with Duo?
- What happens if I get a new phone?
- I teach a course in which students present projects or documents through the desktop computer. Having them log in and use Duo wastes valuable teaching time and is distracting. What can I do to prevent this?
- I chose "Remember Me" but it never seems to remember me?
- What applications use two-factor authentication?
What if I don't have cell phone reception?
You can use WiFi to download the Duo Mobile application (through the App Store or Google Play) on your device(s). After activating your device by either scanning a QR code or calling the IT Help Desk, you can receive push notifications via the Internet/Wi-Fi rather than via cell phone networks. You can also use the six-digit codes provided in the app to pass the Duo security page. (These can be found by clicking the down arrow next to Emerson College.)
If you are on an airplane and have paid for Wi-Fi on your computer but not your cell phone, log into all of the websites you'll be visiting in advance of the flight (Emerson Gmail, Banner, etc.) and choose the "Remember me for 30 days" option. This will bypass two-factor and allow you to log in when you're on the plane. We also strongly recommend following this practice before major, time-sensitive events, such as Course Registration.
Alternatively, a U2F Hardware Token does not require Wi-Fi. We highly recommend you read the U2F Hardware Token guide to learn how valuable and easy to use these devices are.
Can I register multiple devices?
Yes! In fact, we recommend that you add multiple devices when you first set up two-factor authentication through Duo. For example, if you set up your cell phone as well as your office phone, and your cell phone gets lost, broken, or runs out of battery, you can still authenticate your identity by using your secondary device.
If you have selected "Remember me for 30 days," but want to add another device, simply visit a service like Box or Gmail (gmail.emerson.edu or box.emerson.edu) in a Private or Incognito browser window (in your browser, click File > New Incognito Window or File > Private Browsing Window, then navigate to gmail.emerson.edu or box.emerson.edu and log in). Then, simply click "Add a New Device" on the left, authenticate your identity with your primary device, and follow the prompts to add a secondary device.
What if I never received a Push, SMS message, or a phone call?
Many cases have arisen where users have blocked the phone number from which Duo calls. Please check your blocked callers, or add the number as a contact so you know that it's Duo. Other instances of this usually happen when someone is in a "dead zone" and does not have a cellular connection or is not connected to WiFi.
To protect yourself from any of these scenarios, set up multiple methods of authentication with multiple devices where possible (see the above question about registering multiple devices). If you're still locked out, simply call the IT Help Desk at (617) 824-8080 within business hours. The Help Desk will verify your identity and give you a temporary login code.
Why doesn't my U2F token work?
This commonly happens when the U2F token isn't fully inserted into the computer. Make sure that it is securely inserted and that you are touching the token.
My department/group has a shared email address or Google Drive in which we share a password. How does this work with two-factor authentication?
In most cases, your workflow should not require shared passwords. For instance, if you are collaborating in Google Drive, rather than sharing an account, you should create a shared folder and share it with specific individuals. This way, if someone leaves the college or the project, you only have to unshare the folder with them rather than change the password.
With Gmail mailboxes, a single user with the password can set delegates, or IT can set delegates on your department's behalf. This way, users can log in to their own mailboxes (using Duo), and then can open the shared mailbox in a separate tab.
In the rare cases where you have to share a password for a shared resource, you can register more devices through the "Add a New Device" option described in the above question regarding registering multiple devices. However, we firmly recommend against this practice and strictly forbid password sharing for your personally assigned Emerson account.
What happens if I get a new phone?
If you get a new phone and keep the old phone number, SMS and calls with Duo will continue to work. However, Duo Mobile will not. To restore this functionality, go to gmail.emerson.edu or box.emerson.edu (in an Incognito Window if you've clicked "Remember Me" in the past 30 days), click "My Settings & Devices" on the left side, authenticate with SMS or a phone call, and then click "Device Options" for your cell phone and click "Reactivate Duo Mobile" and follow the prompts.
If you have a new phone AND a new phone number but have a secondary device registered, use that other device (such as a landline) to authenticate, then click "Add a New Device" and follow the prompts.
If you have a new phone, new phone number, AND no secondary devices to authenticate, contact the Help Desk at (617) 824-8080. They will verify your identity, remove the old device, and allow you to set up your new device from scratch.
I teach a course in which students use the lectern computer to present projects or documents. Having them log in and use Duo wastes valuable teaching time and is distracting. What can I do to prevent this?
If the students bring their own laptops to present their work, they can connect their personal laptop to the laptop station (or in select rooms, cast wirelessly) rather than use the lectern (desktop) computer.
Alternatively, some professors share a Google Doc with the class and ask them to post links to their projects in the document ahead of time. Then, during class time, only the professor will have to verify their identity to open the document and present from there.
I chose "Remember Me" but it never seems to...remember me?
The "Remember Me" feature uses a browser cookie to remember that you have authenticated via two-factor in the past 30 days. For that reason, if you clear your browser cache (or your computer's login profile is wiped, which occurs on Emerson lab and classroom computers nightly), you will clear the "Remember Me" function and have to authenticate with two-factor again. Additionally, if you're logging in with a browser that has a fresh cache, or a browser that you've never used before, each site that uses two-factor will require it for the first time, even if you have already chosen "Remember Me" on a different site.
Put simply, when you choose "Remember Me," you're configuring it to remember you for that individual site (such as Gmail or Box) for 30 days, not ALL Emerson sites simultaneously.
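The behaviour described above can be modelled in a few lines. This is an added illustration, not Duo's or Emerson's actual implementation: the signing key, cookie layout, and function names are hypothetical, and only the 30-day window and the per-site scope come from the text.

```python
import hashlib
import hmac
import time

# Hypothetical server-side key and cookie layout (assumptions for this sketch).
SECRET = b"constructed-demo-key"
REMEMBER_SECONDS = 30 * 24 * 60 * 60  # "Remember me for 30 days"


def _sign(user, site, expires):
    msg = f"{user}|{site}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_cookie(user, site, now=None):
    """Value a site would store in the browser after a successful 2FA."""
    now = int(time.time()) if now is None else now
    expires = now + REMEMBER_SECONDS
    return f"{user}|{site}|{expires}|{_sign(user, site, expires)}"


def needs_second_factor(cookie_jar, user, site, now=None):
    """True when the user must complete two-factor again for this site."""
    now = int(time.time()) if now is None else now
    value = cookie_jar.get(site)  # the browser keeps cookies per site
    if value is None:
        return True  # cleared cache, wiped profile, new browser, or other site
    try:
        c_user, c_site, c_exp, c_sig = value.split("|")
        expires = int(c_exp)
    except ValueError:
        return True  # malformed cookie
    expected = _sign(c_user, c_site, expires)
    if not hmac.compare_digest(c_sig.encode(), expected.encode()):
        return True  # edited cookie, e.g. a pushed-out expiry
    if c_user != user or c_site != site:
        return True  # cookie issued for someone else or for another site
    return now >= expires  # remembered only inside the 30-day window
```

An empty `cookie_jar` corresponds to the nightly profile wipe on lab and classroom computers, and a jar holding only the Gmail entry still requires two-factor for Box.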
What applications use two-factor authentication?
Currently, Gmail, Box, Banner SSB, the VPN, and K2 (the Emerson recognition system) are the only services that use two-factor authentication.
Please visit our article on logging into Box with Duo here: Logging Into Box