Multi-Factor Authentication FAQ

Overview

Multifactor authentication (often called two-factor authentication) provides a second layer of security to any type of login. It requires the user to provide extra information or have a physical device to log in—beyond the first initial password. MFA will be used for all UI accounts and most systems.

By requiring two different channels of authentication, UI accounts can be better protected from remote attacks that may exploit stolen usernames and passwords. 

Request MFA assistance

1. Multifactor Authentication FAQ
   1. Why do we need MFA?
   2. What is Duo?
   3. How do I set up Duo?
   4. What is Secure MFA?
   5. What devices may I use?
   6. Who do I contact for help?
   7. What do I do if I think someone's accessed my account?
   8. What happens if I don't have Office 2016?
   9. I have more than one account, may I use one device?
   10. What mail clients are supported by Duo MFA?
2. Duo Guides
   1. How do I enroll in Duo with the mobile app?
   2. How do I enroll a landline or desk phone with Duo?
   3. How do I enroll a mobile phone number with Duo?
   4. How do I use SMS or text passcodes with Duo?
   5. How do I use a Duo hardware token?
   6. How do I use a U2F token with Duo?
   7. How do I add or remove Duo devices?
   8. How do I use the VPN with Duo? 
   9. How may I use a Linux mail client with Duo?
3. Duo Mobile/Duo Push
   1. What is Duo Mobile and Push?
   2. Why is it the recommended method?
   3. How much data does a push use?
   4. What does the app mean for my phone?
   5. Why does it need my camera?
   6. What if I don't have connection?
   7. What if I'm not receiving pushes?
4. VPN
   1. Is the VPN Duo protected?
   2. Can I use a passcode to access the VPN?
5. Common Problems and Solutions
   1. Reactivating Duo Mobile
   2. No push notifications
   3. Lost Phone
   4. Hardware token stopped working
   5. Microsoft Internet Explorer not displaying properly

Multifactor Authentication FAQ

Why do we need multifactor authentication?

Multifactor authentication increases security protection provided to the university community, including your personal information (W-2, Direct Deposit), university intellectual property and other sensitive data. Login credentials are valuable and increasingly easy to compromise.

From 60 percent to over 80 percent ^[1,2] of security breaches today involve compromised usernames and passwords. One factor authentication (a simple password) is not adequate to protect university data and personal information. MFA enhances the security of your UI account by using a secondary device or application to verify your identity. This will help prevent anyone but you from accessing your account, even if they know your password.

Because MFA is so critical, MFA is mandatory for all UI faculty, staff and students to gain access to their accounts and most UI systems.

What is Duo Security?

Duo Security is the company UI selected to provide a cloud-based software service that utilizes multifactor-authentication to secure access to UI services and data. 

Duo has been the chosen security partner and vendor by many organizations across the country, including over 150 higher education institutions as well as government agencies- including the State of Idaho.

How may I set up Duo and how long will it take to enroll?

The enrollment process itself takes about two minutes to complete. To set up Duo and your two-factor authentication, you may:

1. Go to https://help.uidaho.edu/duo to complete the enrollment process, or
2. When you log in to any UI web-based application such as MyUI,  you will be prompted to enroll in Duo and then you can complete the necessary enrollment steps, or
3. Request assistance enrolling in Duo.

What is Secure MFA?

Secure MFA is a safer way to use MFA, by disallowing use of Voice or SMS methods (which are more prone to compromise). Some users may be required to use Secure MFA because of data they access or compliance requirements, and others who opt-in to using Secure MFA may enjoy a password with indefinite expiration. 

Many users are automatically in Secure MFA and provided long or indefinite password expiration if they already use a long password and use only DUO Mobile or a hardware token. Users receive email notice if they are automatically enrolled.

If you would prefer a password that has practically no expiration:

• Download and enroll DUO Mobile for phone or use a hardware token.
• Change password on help.uidaho.edu and select the “Secure MFA” option.

What electronic devices may I use for MFA?

You may use either a business or personal electronic device. UI highly recommends using a mobile device for the MFA process to make it as easy and as quick as possible to gain access to accounts. The Duo software application and MFA system recognizes and supports these electronic devices:

• Smartphone with Duo application for either "push" authentication or soft token when offline
  • Android
  • iPhone
  • iPad
• Windows Phone
• Any SMS-capable phone can receive codes via text message
• Any phone (cell, desk, home) can be used for voice-based authentication
• Duo hardware token
• Other methods, including Universal Second Factor (U2F)

If you are in a compliance area (HIPAA, FISMA, DFARS) you may be restricted to only Mobile app or hardware token authentication. If you do not have a smart phone and require a hardware token for compliance, please contact us to have one provisioned.

UI employees and students who need a hardware token for authentication may request one at no cost. See the question: "How can I request a hardware token?" for more information.

If I have a problem enrolling in Duo, who should I contact for help?

Please don't hesitate to contact Information Technology Services (ITS) if you need assistance. UI students should contact the Student Technology Center (formerly known as Help Desk) in TLC 128 or at 208-885-4357. UI faculty and staff should contact their Technology Solutions Partner (TSP) or System Administrator for help.

What do I do if I suspect my UI account has been breached (compromised)?

Just as there is no "unsinkable ship", there is no "unhackable" system. MFA adds a layer of security that makes it much more difficult for an attacker to successfully compromise an account, but it is not impossible for this to happen. If you suspect that someone has compromised your account, you should change your password immediately and contact the OIT Security office to report the possible compromise. OIT Security will investigate to confirm whether or not the account has been compromised.

It is important to note that not all systems are currently protected by Duo, and so an attacker could still log in to those services with a simple username and password combination. This means that it is still very important to protect your password. Even with Duo, you should never share your password with anyone for any reason.

Additionally, Duo makes it easier to detect unauthorized login attempts. If your username and password have been compromised, and an attacker attempts to use them to log in to a Duo protected service, you will receive a push notification asking you to confirm the login. If you receive a notification but did not initiate a login, you should deny the login, change your password and contact the OIT Security office at security@uidaho.edu or 208-885-2522.

I haven't upgraded to Office 2016 yet, what do I need to do?

While Office 2016 is not a requirement, it does enhance the security of office applications as they connect to Office 365 cloud services like email, OneDrive and more. Additionally, the MFA experience is much smoother with Office 2016.

It is possible to use Office 2013 with Duo. We suggest working with your Local Support team to make the necessary configurations.

To upgrade, faculty and staff should contact their Local Support team for help.

I have more than one account. May I use the same device for each account?

Yes, although you will need to enroll each account separately, you may use the same device, such as a smartphone with the Duo Mobile app installed.

Duo Mobile/Duo Push

What is Duo Mobile and Duo Push?

Duo Mobile is Duo Security's free application that allows you to quickly and easily approve a second-factor authentication request with one tap or “push” of a button on your smartphone to authenticate your identity. To use Duo Push, you will need to have the Duo Mobile app installed and activated . During the enrollment process, you will be guided through the process of installing and activating the Duo Mobile app.

Duo Mobile (for smartphones) uses Duo Push as a process to verify a person’s identity. To use Duo Push, you will need to have the Duo Mobile app installed and activated.

Why is Duo Push the recommended MFA authentication method?

Duo Push is an authentication request you’ll receive as a notification on your smartphone. Overall, it’s quicker, easier, more secure and could be cheaper than receiving text messages or phone calls.

It's quicker than a text or a phone call

• Authenticating with a text message requires waiting to receive the text, reading a passcode, and then typing it in.
• Phone calls require actually answering the phone, listening to the recording, and using the dial pad to approve the login.
• Duo Push is as simple as approving a notification on your smartphone.

It's more secure

• Duo Push uses cutting-edge end-to-end encryption that SMS and phone calls can’t.
• The Duo Push screen displays detailed information about the application and source device that initiated the authentication request.

How much data does a Duo Push use?

Almost none. 500 pushes to your device will use 1 MB of data in total. This is roughly equivalent to loading one webpage on your smartphone.

Does installing the Duo Mobile app give up control of my phone?

No. Duo Mobile has no more access or visibility into your phone than any other app. Duo Mobile cannot ​read your emails or track your location, it cannot​ see your browser history, and it requires your permission​ to send you notifications. Lastly, Duo Mobile cannot​ remotely wipe your phone.

Why does the Duo Mobile app need access to my camera?

Duo Mobile only​ accesses your camera when scanning a QR code during activation.

What if I'm traveling or otherwise don't have wifi or cellular reception?

No problem. Tap the key icon in the Duo Mobile app to generate an authentication passcode. You do not need an internet connection or a cellular signal to generate these passcodes.

What if my push alerts aren't coming through?

Try these easy troubleshooting steps for iOS, Android, Windows Phone, or BlackBerry.

Still not working? Reactivate Duo Mobile or contact your TSP or the Student Technology Center.

Why does the Duo Mobile app need access to my camera?

Duo Mobile only​ accesses your camera when scanning a QR code during activation.

How do I enroll in Duo with the mobile app?

A guide to using Duo Mobile.

 

VPN

Are VPN connections be protected by Duo?

Yes, VPN connections require that you approve a login attempt. The process for connecting to the VPN will not change, however, once you enter your username and password, a Duo Push notification will automatically be sent to your primary device which has the Duo Mobile app installed. Once you approve the Duo Push, your connection will complete.

May I use a passcode or hardware token to connect to the VPN?

Yes, passcodes and hardware tokens are supported for VPN connections by using something called "Append Mode". To use Append Mode, enter your username into the VPN connection prompt as you would normally do, then enter your password followed by a comma (",") and then the passcode. If your password was G0Vandals and the passcode you wanted to use was 123456, this would become G0Vandals,123456. When you click "Connect", the VPN will complete the connection process without sending a Duo Push. Passcodes can be obtained from the Duo Mobile app, from SMS backup codes, from a hardware token or a bypass code provided by your TSP, System Administrator or the Student Technology Center.

How do I use the VPN with Duo?

A guide to using the VPN with Duo.

MFA Common Issues and Solutions

On occasion, the UI community may encounter issues when using MFA. If you need technical assistance, students should contact the Student Technology Center (formerly known as Help Desk). UI faculty and staff should contact their contact their Technology Solutions Partner (TSP) or System Administrator for help.

I need to reactivate Duo Mobile.

If you get a new phone, you'll need to re-activate Duo Mobile for the two-factor authentication process. You may enroll your new device yourself using Duo's device management after authenticating via an alternate method (like SMS). Otherwise, contact your TSP or System Administrator (for UI employees) or the Student Technology Center (for UI students) for assistance.

I have stopped receiving push notifications on Duo Mobile.

You may have trouble receiving push requests if there are network issues between your phone and our service. Many phones have trouble determining whether to use the WiFi or cellular data channel when checking for push requests.

• Simply turning the phone to airplane mode and back to normal operating mode again often resolves these sort of issues, if there is a reliable internet connection available.
• Similarly, the issue may be resolved by turning off the WiFi connection on your device and using the cellular data connection.
• Check the time and date on your phone and make sure they are correct. If the date and time on your phone are manually set, try changing your device's configuration to sync date and time automatically with the network.

If you can't get Duo Push working on your own, you can log in with a passcode generated by the Duo Mobile app and send a new activation link to your phone by following the instructions in the Managing Your Devices help article.

If you've tried the above suggestions here but Duo Push is still not working, please contact your TSP (Technology Solutions Partner) or System Administrator (for UI employees) or Student Technology Center (for UI students) for help with next steps.

I lost my phone.

While it's important that you contact OIT if you’ve lost your phone, remember your UI password will still protect your account.

• If you previously enrolled a second authentication device, at login you can use My Settings & Devices to delete your lost or stolen phone.
• If you are not able to log in to Duo at all, then your TSP or System Administrator (for UI employees) or the Student Technology Center (for UI students) can help. They can disable the missing phone for authentication and help you log in using another method. If more guidance is needed, they will be happy to help you!

My hardware token stopped working.

Contact your TSP or System Administrator (for UI employees) or the Student Technology Center (for UI students) if your token stops working or if you can't log in with the passcodes it generates.

Your token can get "out of sync" if the button is pressed too many times in a row and the generated passcodes aren't used for login. In some cases, this can happen by accident if the token is stored next to other objects in a pocket, backpack, etc. Your TSP or System Administrator (for UI employees) or Student Technology Center (for UI students) will ask you to generate three passcodes in a row and can attempt to resynchronize the token.

I am using Microsoft Internet Explorer and the Duo prompt does not display properly.

For the best results we do not recommend using Internet Explorer's Compatibility View with Duo authentication. You may be able to turn off Compatibility View yourself.

From the Address bar

If the Compatibility View button Compatibility View button displays in the Address bar to the right of the page address, you can click the button to exit Compatibility mode.

From the Internet Explorer Tools Menu

In the Internet Explorer browser window press the Alt key to display the menu bar. Navigate to Tools → Compatibility View settings and make one or more of the following changes:

• Remove the website where you use Duo authentication from the "Websites you've added to Compatibility View"
• Uncheck the "Display all websites in Compatibility View" option if present and enabled.
• Uncheck the "Display intranet sites in Compatibility View" option.
• Click the Close button to save your change.
• Contact your OIT staff support if the Duo Prompt continues to display incorrectly.