Multi-Factor Authentication with Duo Frequently Asked Questions

Body

In a process approved by the President's Cabinet to meet university compliance requirements, Multi-Factor Authentication with Duo has been selected as the university's Multi-Factor Authentication method to secure access to Protected Data. 

Table of Contents

Why are we being required to use Multi-Factor Authentication?

Every University employee has access to data that is protected by some form of regulation. Passwords alone are no longer enough to secure protected data and auditors are asking us to do more. Failing to secure protected data can result in large fines and loss of funding for the University. We also are concerned for the privacy of our students, patients, and fellow employees and want to do our best to protect their information.

Who is required to use Multi-Factor Authentication?

Currently, only full and part time university employees, and sponsored employees, are required to use Multi-Factor Authentication.

What is the official name of the new system?

Multi-Factor Authentication with Duo will be the official name used by UIS. Sometimes referred to as MFA, or Two-Factor Authentication (2FA).

Which services require that we use Multi-Factor Authentication?

Duo is currently configured to protect web logins to Pacific's single sign-on environment. These include myAccount, Moodle, Box, BoxerApps (Google), Boxer Alerts, Compliance Training, Qualtrics, Zoom, and others. We plan to add employee access to Webmail in the near future.

Aren’t you worried people will confuse MFA with Master of Fine Arts?

No, because UIS will not refer to it as “MFA” alone.

What device will employees use for Multi-Factor Authentication with Duo?

Since most employees are already using personal cell phones for accessing University email and accessing Boxer Wireless, our hope is that most employees will use their cell phone for push notifications using the Duo Mobile app.

How do I get the Duo Mobile App for my smartphone?

The Duo Mobile App can be downloaded from either the Apple or Google Play app stores.

Can the university require people to use their personal cell phones?

If you have been provided a university funded cell phone or you receive a cell phone stipend for required university usage of the device, then you would be required to us the university funded device. Cell phone requirements may also be included as part of an employment contract or job requirements for particular positions. Other employees may choose to use their personal cell phone as a convenience, but not a requirement. Since many employees are already using personal devices on the campus wireless network, no additional costs would be incurred by the employee to install and use the free Duo Mobile app.

What if I do not want to use my personal cell phone when setting up this service?

Any employee who doesn’t want to use a personal phone for this purpose should talk to their supervisor, director or dean about it. The gap between what an employee needs to be able to do their job, what personal resources the employee is willing to use and what resources their department is willing and able to provide is a matter for each employee to work out with their supervisors. UIS’ only role is to provide the required security framework and to assist employees with whatever is their chosen method for authenticating.

What if I do not have a smartphone?

Hardware security keys are also available for purchase to use when a smartphone is not available.

Who pays if I need a hardware security key?

University departments may choose to pay for employee hardware keys like they would for other office supplies. Employees may also bring their own hardware key that can be used for both work and personal online accounts.

Where can I get a hardware security key device?

UIS recommends Yubikey hardware security keys from yubico.com that cost as low as $20 per device. You may also check with the University Bookstore. We suggest caution when finding less expensive security key devices made outside the United States since these devices are given access to your computer and data by connecting through a USB port or other methods.

What if my device does not have a USB-A port for the least expensive Yubikey?

Currently, the only computers UIS has issued without USB-A ports are the recent MacBook Pros. With each of these USB-C-only MacBook Pros we ordered USB-A to USB-C adapters and delivered those when we deployed the MacBook Pros. We plan to continue doing this for any computer we deploy that is USB-C only. It is true, however, that having a more expensive USB-C Yubikey would make it more convenient for those users.

What happens if I forget my cell phone or security key at home?

If you leave your Multi-Factor Authentication device at home, please contact the Technology Helpdesk and we will assist you with temporary access. You may consider purchasing a hardware security key to keep on a key ring for backup if needed.

What other options are available besides purchasing a security key?

Using the Duo app on a smartphone, using the Duo app on a tablet and using a hardware authentication device (a key) are the only ways employees can authenticate to Duo protected systems.

Does adding a second authentication device create another layer of problems?

Our experience is that having a second device reduces problems (or at least makes them less urgent), as one can be used as a backup to the other. For instance, if one’s phone is acting weird, one can use a Yubikey instead. If a Yubikey is lost or stolen, employees can (and should) disable that device from being able to be used to authenticate.

How often would we have to use Multi-Factor Authentication?

For one’s primary web browser, it should generally be once a week, since one can tell Duo to keep one logged in for five days. Using other systems (e.g. a web browser on a classroom PC) that may require authentication more often (as often as a faculty member or staff logs into a protected system).

What if my smartphone does not have data service?

The Duo Mobile app will allow you to generate a one time code that can be used when your smartphone does not have data service.

What happens if I choose not to use Multi-Factor Authentication?

If you choose not to use Multi-Factor Authentication you will not be able to use any of the services protected by it an may not be able to complete your job duties.

Will I need to carry around my cell phone everywhere I go?

Employees who may need to login on multiple devices at various locations will need to carry either their cell phone or a hardware key in order to login. For example, a faculty member needing to log into a single sign-on server from a classroom computer will need a device to authenticate.

Am I limited to using only University owned computers?

Multi-Factor Authentication with Duo will work on any computer used to access University resources protected behind Multi-Factor Authentication.

Which Phones will work with Duo Mobile?

Duo Mobile will work on many of the recent versions of Apple iOS and Android versions as long as the phones have screen locks enabled and have not been "rooted".
Please see this Duo web site for supported Apple iOS versions.
Please see this Duo web site for supported Android OS versions.

What do I need to do if I get a new cell phone?

If you are a university employee using Multi-Factor Authentication with Duo, and you use your phone as an authentication device, and you get a new phone, you will need to transition over to using the new phone as your authentication device. Please see our Knowledgbase article for Changing Multi-Factor Authentication with Duo to a New Phone.

Do I need to authenticate with Duo if I am accessing a site on my mobile phone that has the Duo app installed?

One can log onto a Duo-protected application using the browser on one’s cellphone, and authenticate using the Duo app on the same device.

I set my browser to reject all cookies except from sites I've specifically allowed. What sites should I allowlist?

  • duo.com
  • duosecurity.com

Why won't my Mac remember me for 7 days?

On Safari on macOS Catalina 10.15 and macOS Big Sur 11.0, to take advantage of this feature, you must go to Preferences -> Privacy and uncheck the checkbox for "prevent cross-site tracking."

Where do I go for help if I’m having problems with Multi-Factor Authentication?

Please contact the Pacific Technology Helpdesk at 503-352-1500 or by Zoom.

See Also

For more information, please see the Duo service catalog entry.

Questions?

Contact Support

Details

Details

Article ID: 134328
Created
Sun 7/11/21 7:24 PM
Modified
Mon 11/29/21 10:34 AM