Differences between revisions 205 and 206
Revision 205 as of 2023-04-07 07:48:17
Size: 15251
Editor: bolton
Comment:
Revision 206 as of 2023-04-07 07:48:48
Size: 15363
Editor: bolton
Comment:
Deletions are marked like this. Additions are marked like this.
Line 19: Line 19:
Before proceeding please review the ''' [[https://docs.google.com/document/d/1H4GkuivyQONU77HNjtizdB5TnkFNbdUvTgJfL6hMpzs/edit#|Quick Start Guide]] (individual users) '''for important information on how to get enrolled and begin using Duo. More information on using Duo with shared accounts is available in the DUO Quick Start Guide - Shared Accounts Before proceeding please review the ''' [[https://docs.google.com/document/d/1H4GkuivyQONU77HNjtizdB5TnkFNbdUvTgJfL6hMpzs/edit#|Quick Start Guide]] (individual users) '''for important information on how to get enrolled and begin using Duo. More information on using Duo with shared accounts is available in the [[https://docs.google.com/document/d/1-m0UZElBnq294lhumzm0QAAzwdZfTOVAjk8QxxSPwN4/edit#heading=h.igr8ogd9abfb|DUO Quick Start Guide - Shared Accounts]]

DUO Two-Factor Authentication

Two-Factor Authentication with DUO

As part of Oakland University's continuing commitment to protecting its community of research, faculty, staff, and students the University is implementing two-factor authentication from DUO Security. Two-factor authentication (2FA) requires individuals to provide a secondary confirmation of their identity after initial NetID login using a physical device in their possession (app, text message or phone call). 2FA protects against phishing, social engineering, password brute-force attacks and secures your login from attackers exploiting weak or stolen credentials.

Systems that Require DUO

  • Banner 9 Administrative Pages
  • Oakland VPN
  • Destiny One - Staff Administrative View
  • Argos
  • All services authenticating via Single Sign On (SSO) including, but not limited to, WebMail and MySail Faculty, Staff, Guest, and Shared Accounts

Getting started

Before proceeding please review the Quick Start Guide (individual users) for important information on how to get enrolled and begin using Duo. More information on using Duo with shared accounts is available in the DUO Quick Start Guide - Shared Accounts

UTS strongly recommends:

  • Registering two devices (smartphone and desk phone)
  • Registered a mobile device as you primary device (device preference can be adjusted using the Manage Device option)
  • Using the Manage Device option to ensure your most used device is listed first
  • Using the convenient Duo Mobile app on a smartphone to generate a passcode or preform one touch authentication. If you are unable to use the Duo Mobile App you may also authenticate by receiving a phone call, passcode sent to you via text message, or by using a hardware token.

Duo on Smartphones & Smart Devices

Alternative Duo Options

Common Duo Tasks

After enrolling in Duo you may wish to add or modify your authentication method. (For example if you purchased a new mobile phone) These changes can typically be made via the self-service options listed below.

Please note if the above instructions do not match what you see when authenticating you may need to select the "Universal Prompt guide" (typically located at the top of the page)

Using Duo Two-Factor Authentication to Log in

In most cases DUO Two-Factor authentication occurs interactively in the browser as shown below. The Faculty and Staff VPN offers additional methods for DUO Authentication which are detailed HERE:

  • After initial NetID and password are entered, you will be prompted with this screen.

This is a picture of a DUO authentication screen.

Note: For some services, such as VPN may display different screen as shown below.

This is a picture of a VPN_DUO authentication screen.

  • Use "Trust this browser" option to bypass the two-factor prompt for the period specified when using the same device and web browser. If you do not select "Trust this browser" you will be prompted to use two-factor authentication for subsequent authentications that day.
  • Push Notification Duo Mobile App
    • Click Send Me a Push
    • Duo immediately sends a notification to your mobile device. Depending on how you have set notifications up on your device, you may need to open the notification. On your device, tap Approve to approve the login.

alt text

This is a picture of a DUO authentication screen.

  • Phone Call - Call me
    • You will receive an automated phone call from 248-370-4748 to the primary phone number enrolled and asked to push 1 to login or push 9 to report fraud.
    • If you receive a Duo authentication phone call that you did not initiate, press 9 to report fraud.
    • Please do not call back on the automated phone call number.
  • Enter A Passcode
    • You can get a passcode to enter in multiple ways:
      • Generate a passcode with the Duo Mobile app
      • Get passcodes via text message
      • Duo hardware token passcode
      • Emergency bypass code

Frequently Asked Questions

  • What is two-factor authentication required?

    • Two-factor authentication enhances the security of your NetID credentials by using a device you own to verify your identity. This protects your account in the event your password is compromised or guessed by a malicious actor


  • Why am I being asked to perform two-factor authentication

    • Two-factor authentication will be required for all faculty and staff when accessing services that use Oakland University's Single Sign On (SSO) for authentication. Student employees may be prompted for Duo authentication based on their jobs duties. For example, student employees with access to the VPN or Banner services will be required to use Duo two-factor authentication.


  • How often will I need to use two-factor authentication?

    • The need for two-factor authentication is based on a combination of the browser being used and the service being accessed. Depending on the combination of services being accessed you may be required to perform two-factor authentication multiple times per day. However, in most cases you will only be prompted to complete two-factor authentication once per day if using the same browser and selecting the "Trust this Browser" or "Remember Me" option.


  • Do I have to use my cell phone?

    • A smartphone is the recommended option as it is typically with you and can take advantage of the Duo Push option for the easiest two-factor authentication. Please note that a best practice for your cell phone is to have port protections enabled with your carrier, so that your phone number cannot be moved to a different carrier or SIM card without your permission. Please verify the security practice with your carrier. If you do not have a smartphone you may also authenticate by receiving a phone call, passcode sent to you via text message, or by using a hardware token.


  • Can I use my office phone?

    • Yes, your office phone can be used with Duo. However, we reccomend setting a portable device (such as smartphone or hardware token) as your primary device. This is particulary useful if your position requires to you to authenticate in multiple locations. such as faculty teaching in multiple classrooms. By default the first device enrolled in Duo becomes the primary authentication method but this can be adjusted this using the Manage Device options per the instructions located above.


* What should I do if I am staff member that is also a student?

  • Currently traditional OU students will not be required to use Duo two-factor authentication. However, staff or faculty that are taking courses will be required to use two-factor authentication when accessing services during classes. In most cases we do not believe this will cause an issue but we are aware some courses have a no cell phone policy. In these cases please work directly with your instructor to make arrangements on how to use Duo in class


  • What OSs are supported by DUO on my iPhone or Android device?


  • Can I setup Duo on more than one device?

    • You are encouraged to register more than one device (mobile phone, office phone, tablet) for two-factor authentication. If you forget your phone or something happens to your phone, you will need another way to authenticate.


  • A cell phone is not required for my position and I do not have access to a landline at my workstation?


  • I previously enrolled with DUO, why is DUO prompting me to enroll again as a new user?

    • After 180 days of inactivity user accounts are removed from DUO. Please enroll again as a new user.
    • If it has not been 180 days since logging in with DUO, please contact the General OU Helpdesk


  • What should I do if my enrolled device is lost or stolen?

    • Please contact UTS [email protected] immediately if your enrolled device is lost or stolen. UTS will assist with the deactivation of your lost/stolen device and enroll your new device.


  • Will I be able to authenticate with Duo if I don't have a cell signal or WiFi connection?

    • You can generate a passcode in the Duo Mobile app on your mobile phone by tapping the key icon next to "Oakland University", then log in to the system using the passcode.


  • If I choose SMS message or phone call option, will I be charged by my phone carrier?

    • If you do not have an unlimited cell phone plan, you may be charged by your carrier for SMS messages or phone calls.


  • What if I am signing into Banner I get the message from DUO: "Invalid username/password: Logon Denied"?

    • If you get this message, you will need to report this error using a Banner ticket. This isn't a DUO, it is Banner which is affecting your login.


  • What if I get a Duo Notification that I did not request?

    • If you receive a Duo notification that you did not initiate via a login process, your NetID credentials may have been compromised. You need to immediately:
      • Press 9 to report fraud if you receive a Duo authentication phone call that you did not initiate
      • Deny the Duo Request
      • Contact UTS at [email protected]


  • What if on the Duo Notification I push the wrong button and report my legitimate access as fraud?

    • Any time you report an access as fraud we will attempt to contact you by email to verify the report.
      • Please respond to the email and let us know if it was an accident.
    • Instead of waiting for our verification email you may open a UTS ticket to let us know you accidentally reported an access as fraud.


  • Why do I automatically get denied access? I was never given an option to Approve login or to enter a passcode.

    • If you are getting denied access by Duo after successfully authenticating your NetID account, you are likely locked out of Duo. This usually occurs when 10 attempts to authenticate with Duo either have timed out or failed. After 10 minutes your account will automatically be unlocked or contact the General OU Helpdesk to unlock your Duo account.


  • What if I forgot my device and need access?

    • If you do not have your enrolled device with you and need access, you may contact UTS and we will enroll your desk phone.
    • If you do not have a desk phone with a personal extension, UTS may provide you with a temporary DUO passcode. The passcode will expire after 12 hours and can only be used once. The temporary DUO passcode must be picked up at the UTS service window in Dodge Hall room 220. Please bring your university or government issued picture ID to verify your identity.


  • I am using my cell phone as my primary device but I do not have a landline to use as a backup device. What other options do I have for a backup device?

    • Please fill out the DUO Security Token Request form at forms.oakland.edu. The lead time for token request is typically 3-4 business days.


  • What to do if you need to reactivate Duo on a device, you have lost your phone, your hardware token has stopped working, you are using an older operating system on your device, and more.


  • What to do if faculty facing any issue in the classroom?

    • Please contact Classroom Support (CSITS) for assistance.


  • What do I need to know if I am traveling?

    • In most cases Duo should work seamlessly when traveling, even if you do not have cellular service as mobile devices with the Duo App installed can authenticate with your mobile device using passcode option documented above. If you are unable to take your mobile device when traveling you can also request a dedicated Duo Hardware Token as documented above. Please be aware that in order to to comply with U.S. regulations, Duo blocks authentications from users whose IP address originates in a country or region subject to economic and trade sanctions enforced by the U.S. Office of Foreign Assets Control. Users attempting to authenticate to a Duo-protected application from an access device with an IP address originating in an OFAC-regulated country or region will be blocked from completing their login and receive an error message.

    • OFAC restrictions relevant to Duo currently apply to the following countries or regions:
      • Cuba
      • North Korea
      • Iran
      • Sudan
      • Syria
      • Crimea region
      • Sevastopol region
      • Donetsk region
      • Luhansk region

Troubleshooting Help From Duo