What is Duo?
Duo is a Single Sign-On (SSO) service that secures most campus resources, including Gmail, Box, Canvas, and Panopto. It also prevents users from having to log in to multiple applications. If a user logs into one Duo application and opens another tab in the same browser for an application that also uses Duo, they will not have to enter their credentials again.
Duo Login Screen:
What is Two Factor Authentication?
Duo allows us to implement a feature called “Two Factor Authentication” (2FA), a method of confirming a user’s claimed identity by utilizing a combination of two different factors. Enabling 2FA helps ensure that if a malicious actor manages to steal our password, they are still unable to log in without something physical (a phone, for example).
How To Use Two Factor Authentication
A second authentication factor could be a text message/phone call that provides you a code to enter, a push notification sent your smartphone that needs to be approved, a physical device that provides a code that changes every X amount of time or needs to be tapped, and many other forms. Duo allows users to receive a text or phone call with a code, select “Accept” on a push notification from the Duo smartphone app, or use a U2F Hardware Token, available at the Help Desk (Walker, 404).
Duo push notification:
Frequently Asked Questions:
- What if I don't have a cell phone or cell phone reception?
We highly recommend users setup using a push notification on their cell phone instead of a text message. Push notifications can be sent via the Internet rather than via cell phone networks. If you are in an area that has internet access but not cell signal, and the only second factor you have configured is a text message or phone call, you may be unable to receive a text or phone call to authenticate. However, you can also request a U2F Hardware Token from the Help Desk (Walker, 404).
- Can I register multiple devices?
Yes! In fact, we recommend that users add multiple devices when they are first setting up two factor authentication. For example, if you setup your cellphone as well as your office phone, if your cellphone gets lost, broken, or runs out of battery, you can still authenticate by using your secondary device. If you have selected "Remember me for 30 days", but want to add another device, simply try logging into a service like Box or Gmail in an inPrivate or incognito browser window.
- What applications use two factor authentication?
Currently, Gmail, Box, Banner SSB, the VPN, and K2 (the Emerson recognition system) are the only services that use two factor authentication.
Please visit our article on logging into Box with Duo here: Logging Into Box
Duo for International End Users
We have many international students at Emerson as well as many faculty and staff that travel abroad for extensive periods of time. Duo has, at times, been a concern for them as they worry about charges for international calls. There are several ways to authenticate via Duo for those traveling abroad or living abroad. Creating a bypass code should be the final and extreme-case option.
Option 1: U2F Tokens
U2F security tokens can be set up to bypass 2 factor authentication without the use of a cellular device. U2F security tokens are available in USB and USB-C options. These would need to be set up while on campus, but can be used anywhere with compatible devices. For more information and setup instructions on U2F tokens please visit https://support.emerson.edu/hc/en-us/articles/360004105752-Using-a-U2F-Hardware-Token-With-Duo-For-2FA
Option 2: Setting up Duo app and turning off cellular service
The Duo app can be used for cellular calls and text messages, but what happens when cell service is unavailable? If the user has the Duo app installed and is in an area with WiFi they can send push notifications to themselves on the device or use the device’s internal codes to pass the Duo security page. If a user downloads the Duo app and turns off their cellular service they can still receive Duo Push notifications and authentication codes.
Option 3: International landline calls
If someone cannot get to a cell phone and did not have the time to stop by the Help Desk for a U2f token we can set up their international landline as a calling option. This way they can utilize a local phone for verification.
In an extreme case where none of these options are available we can set up a bypass code for a user. An example of an extreme case is someone who has no mobile device, no landline, no WiFi and no way to do a 2-factor authentication. Please be positive of the person’s identity by checking Tools4Ever before giving them a bypass code.