Multifactor Authentication FAQ
Multifactor authentication (often called two-factor authentication) provides a second layer of security to any type of login. It requires the user to provide extra information or have a physical device to log in—beyond the first initial password. MFA will be used for all UI accounts and most systems.
By requiring two different channels of authentication, UI accounts can be better protected from remote attacks that may exploit stolen usernames and passwords. Learn more by watching this video: https://www.youtube.com/watch?v=0mvCeNsTa1g.
Multifactor authentication will increase the security protection provided to the university community, including your personal information (W-2, Direct Deposit) as well as university intellectual property and other sensitive data. Login credentials are more valuable than ever and are increasingly easy to compromise.
From 60 percent to over 80 percent [1,2] of security breaches today involve compromised usernames and passwords. One factor authentication (a simple password) increasingly is not adequate to protect university data and personal information. MFA enhances the security of your UI account by using a secondary device or application to verify your identity. This will help prevent anyone but you from accessing your account, even if they know your password.
Because of the adoption of MFA is so critical, MFA will be mandatory for all UI faculty, staff and students to gain access to their accounts and most UI systems.
Duo Security is the company UI selected to provide a cloud-based software service that utilizes multifactor authentication-to secure access to UI services and data. It is this company's security software application that UI will be using for its MFA. It is called "Duo Mobile" or just "Duo" for short.
Duo has been the chosen security partner and vendor by many universities and large and small businesses alike across the country, including over 150 higher education institutions as well as government agencies, including the State of Idaho.
When logging in to an application that is protected by Duo, you will still enter your username and password. After inputting your login information, you will be required to complete a method of second-factor authentication. Duo does not replace or require you to change your UI username and password. Think of Duo as an extra layer of security added to your pre-existing login method.
The enrollment process itself takes about two minutes to complete. To set up Duo and your two-factor authentication, you can:
- Go to https://help.uidaho.edu/duo to complete the enrollment process, or
- When you log in to any UI web-based application such as VandalWeb, you will be prompted to enroll in Duo and then you can complete the necessary enrollment steps.
You can use either a business or personal electronic device. UI highly recommends using a mobile device for the MFA process to make it as easy and as quick as possible to gain access to accounts. The Duo software application and MFA system recognizes and supports these electronic devices:
- Smartphone with Duo application for either "push" authentication or soft token when offline
- Windows Phone
- Any SMS-capable phone can receive codes via text message
- Any phone (cell, desk, home) can be used for voice-based authentication
- Duo hardware token
- Other methods, including Universal Second Factor (U2F)
If you are in a compliance area (HIPAA, FISMA, DFARS) you may be restricted to only Mobile app or hardware token authentication. If you do not have a smart phone and require a hardware token for compliance, please contact us to have one provisioned.
UI employees and students who need a hardware token for authentication may request one at no cost. See the question: "How can I request a hardware token?" for more information.
Please don't hesitate to contact Information Technology Services (ITS) if you need assistance. UI students should contact the Student Technology Center (formerly known as Help Desk) in TLC 128 or at 208-885-4357. UI faculty and staff should contact their Technology Solutions Partner (TSP) or System Administrator for help.
UI employees should enroll by Wednesday, January 17, 2018, and UI students by Wednesday, January 31, 2018. Email reminders will be sent to both UI employees and students who have not enrolled up until the deadline date. Any employee or student who has not enrolled by these dates will be required to do so upon their next login. If this is not done, then UI account access will not be available.
UI employees and students who do not enroll during the voluntary “opt-in” process will automatically be prompted to enroll the next time they try to login to a UI system. Users will not be able to access these services until enrollment has been completed.
Just as there is no "unsinkable ship", there is no "unhackable" system. MFA adds a layer of security that makes it much more difficult for an attacker to successfully compromise an account, but it is not impossible for this to happen. If you suspect that someone has compromised your account, you should change your password immediately and contact the ITS Security office to report the possible compromise. ITS Security will investigate to confirm whether or not the account has been compromised.
It is important to note that not all systems are currently protected by Duo, and so an attacker could still log in to those services with a simple username and password combination. This means that it is still very important to protect your password. Even with Duo, you should never share your password with anyone for any reason.
Additionally, Duo makes it easier to detect unauthorized login attempts. If your username and password have been compromised, and an attacker attempts to use them to log in to a Duo protected service, you will receive a push notification asking you to confirm the login. If you receive a notification but did not initiate a login, you should deny the login, change your password and contact the ITS Security office at firstname.lastname@example.org or 208-885-2522.
While Office 2016 is not a requirement, it does enhance the security of office applications as they connect to Office 365 cloud services like email, OneDrive and more. Additionally, the MFA experience is much smoother with Office 2016.
If you don't upgrade to the current version, you may need to enable Legacy authentication which is less secure.
To upgrade, faculty and staff should contact their Technology Solutions Partner (TSP) or System Administrator for help.
Yes, although you will need to enroll each account separately, you can use the same device, such as a smartphone with the Duo Mobile app installed.
Duo Mobile/Duo Push
Duo Mobile is Duo Security's free application that allows you to quickly and easily approve a second-factor authentication request with one tap or “push” of a button on your smartphone to authenticate your identity. To use Duo Push, you will need to have the Duo Mobile app installed and activated . During the enrollment process, you will be guided through the process of installing and activating the Duo Mobile app.
Duo Mobile (for smartphones) uses Duo Push as a process to verify a person’s identity. To use Duo Push, you will need to have the Duo Mobile app installed and activated.
Duo Push is an authentication request you’ll receive as a notification on your smartphone. Overall, it’s quicker, easier, more secure and could be cheaper than receiving text messages or phone calls.
It's quicker than a text or a phone call
- Authenticating with a text message requires waiting to receive the text, reading a passcode, and then typing it in.
- Phone calls require actually answering the phone, listening to the recording, and using the dial pad to approve the login.
- Duo Push is as simple as approving a notification on your smartphone.
It's more secure
- Duo Push uses cutting-edge end-to-end encryption that SMS and phone calls can’t.
- The Duo Push screen displays detailed information about the application and source device that initiated the authentication request.
Almost none. 500 pushes to your device will use 1 MB of data in total. This is roughly equivalent to loading one webpage on your smartphone.
No. Duo Mobile has no more access or visibility into your phone than any other app. Duo Mobile cannot read your emails or track your location, it cannot see your browser history, and it requires your permission to send you notifications. Lastly, Duo Mobile cannot remotely wipe your phone.
Duo Mobile only accesses your camera when scanning a QR code during activation.
No problem. Tap the key icon in the Duo Mobile app to generate an authentication passcode. You do not need an internet connection or a cellular signal to generate these passcodes.
Yes, VPN connections will require that you approve a login attempt. The process for connecting to the VPN will not change, however, once you enter your username and password, a Duo Push notification will automatically be sent to your primary device which has the Duo Mobile app installed. Once you approve the Duo Push, your connection will complete.
Yes, passcodes and hardware tokens are supported for VPN connections by using something called "Append Mode". To use Append Mode, enter your username into the VPN connection prompt as you would normally do, then enter your password followed by a comma (",") and then the passcode. If your password was G0Vandals and the passcode you wanted to use was 123456, this would become G0Vandals,123456. When you click "Connect", the VPN will complete the connection process without sending a Duo Push. Passcodes can be obtained from the Duo Mobile app, from SMS backup codes, from a hardware token or a bypass code provided by your TSP, System Administrator or the Student Technology Center.
MFA Common Issues and Solutions
On occasion, the UI community may encounter issues when using MFA. On occasion, the UI community may encounter issues when using MFA. If you need technical assistance, students should contact the Student Technology Center (formerly known as Help Desk). UI faculty and staff should contact their contact their Technology Solutions Partner (TSP) or System Administrator for help.
If you get a new phone, you'll need to re-activate Duo Mobile for the two-factor authentication process. You may enroll your new device yourself using Duo's device management after authenticating via an alternate method (like SMS). Otherwise, contact your TSP or System Administrator (for UI employees) or the Student Technology Center (for UI students) for assistance.
You may have trouble receiving push requests if there are network issues between your phone and our service. Many phones have trouble determining whether to use the WiFi or cellular data channel when checking for push requests.
- Simply turning the phone to airplane mode and back to normal operating mode again often resolves these sort of issues, if there is a reliable internet connection available.
- Similarly, the issue may be resolved by turning off the WiFi connection on your device and using the cellular data connection.
- Check the time and date on your phone and make sure they are correct. If the date and time on your phone are manually set, try changing your device's configuration to sync date and time automatically with the network.
If you can't get Duo Push working on your own, you can log in with a passcode generated by the Duo Mobile app and send a new activation link to your phone by following the instructions in the Managing Your Devices help article.
If you've tried the above suggestions here but Duo Push is still not working, please contact your TSP (Technology Solutions Partner) or System Administrator (for UI employees) or Student Technology Center (for UI students) for help with next steps.
- While it's important that you contact ITS if you’ve lost your phone, remember your UI password will still protect your account.
- If you previously enrolled a second authentication device, at login you can use My Settings & Devices to delete your lost or stolen phone.
- If you are not able to log in to Duo at all, then your TSP or System Administrator (for UI employees) or the Student Technology Center (for UI students) can help. They can disable the missing phone for authentication and help you log in using another method. If more guidance is needed, they will be happy to help you!
Contact your TSP or System Administrator (for UI employees) or the Student Technology Center (for UI students) if your token stops working or if you can't log in with the passcodes it generates.
Your token can get "out of sync" if the button is pressed too many times in a row and the generated passcodes aren't used for login. In some cases, this can happen by accident if the token is stored next to other objects in a pocket, backpack, etc. Your TSP or System Administrator (for UI employees) or Student Technology Center (for UI students) will ask you to generate three passcodes in a row and can attempt to resynchronize the token.
For the best results we do not recommend using Internet Explorer's Compatibility View with Duo authentication. You may be able to turn off Compatibility View yourself.
From the Address bar
If the Compatibility View button Compatibility View button displays in the Address bar to the right of the page address, you can click the button to exit Compatibility mode.
From the Internet Explorer Tools Menu
In the Internet Explorer browser window press the Alt key to display the menu bar. Navigate to Tools → Compatibility View settings and make one or more of the following changes:
Remove the website where you use Duo authentication from the "Websites you've added to Compatibility View"
Uncheck the "Display all websites in Compatibility View" option if present and enabled.
Uncheck the "Display intranet sites in Compatibility View" option.
Click the Close button to save your change.
Contact your ITS staff support if the Duo Prompt continues to display incorrectly.