In an ongoing attempt to protect the Haverford community and their data IITS is implementing Duo, a multi-factor authentication solution.
Once enrolled in Duo, users logging into resources that authenticate with the red Haverford login screen, such as Workday, Gmail, and Moodle, as well as BiONiC will be required to provide a second factor of authentication.
This factor can be a notification to an app on a registered cell phone, phone call or text message to a registered cell phone, phone call to a registered landline, or a number created by a hardware code generator (available for departmental purchase).
Duo will protect our users from attacks such as elaborate phishing emails as even if a Haverford password is compromised, Duo will prevent the bad actor from completing the login without a second factor of authentication.
For more information about Duo, see An Introduction to Duo Security
For more information on Duo enrollment, see https://guide.duo.com/enrollment
Duo provides several options for authentication. IITS recommends using the Duo Mobile app on a smartphone.
How does Duo handle phone numbers?
Once a phone number has been added to Duo Mobile, it does NOT need to be added again when it is migrated to a new device.
If you are activating a phone with a number that you have not previously used for Haverford Duo, see the section Activating a new phone number for Duo.
If your phone number has already been activated for Duo Mobile and it was migrated to a new device please see the section Activating Duo on a new phone at an existing number.
Activating a new phone number for Duo
Note: For best results, please use a computer and NOT a phone when proceeding through the steps below.
After you have enrolled yourself, you may choose to add more devices for authenticating to Duo. You can do so by logging into a Duo protected resource (i.e. Haverford Mail or Workday) to bring up the Duo Prompt again.
At the Duo prompt you will:
- Click on Add a New Device on the Duo screen as seen below.
- Authenticate to Duo.
- Follow the Duo prompt's instructions to add a new device
See https://guide.duo.com/add-device
Activating Duo on a new phone at an existing number
Note: For best results, please use a computer and not a phone to do the following instructions.
- Login to a Duo protected Haverford resource like Gmail or Workday with your Haverford username and password.
- Select My Settings & Devices at left BEFORE selecting one of the presented Duo options.
- Choose one of the two below options to satisfy the Duo challenge in order to make a change to your Duo account. Do not choose the "Send Me a Push" option as the account needs to be connected to the app in order to use that option, and it will not work if you are trying to reconnect the account to the app.
- ‘Call Me’ will prompt Duo to call your registered phone number with an automated message telling you to press any key to login.
- ‘Enter a Passcode’ will present you with an option to ‘Text me new codes’ to a smartphone – which will send you a text message with a six digit number to enter into the provided text box.
- After satisfying the Duo challenge you’ll be presented with a list of your Duo registered devices. Find your smartphone or tablet and select Device Options on the right hand side of the window to choose reactivate Duo Mobile.
- Follow the presented prompts to choose what type of device you are registering, indicate you already have the Duo Mobile app installed, and scan the QR code with the camera on your smartphone or tablet, from within the Duo mobile app. In other words, there should be an option to scan a QR code within the Duo app itself.
- Once completed you will see a green check.
- Select Continue and Back to Login to continue your Duo login session.
Remember My Device
IITS has enabled a new feature in Duo called ‘Remember My Device’ for all services behind the red Haverford login screen.
This feature will give you the option to have Duo remember your successful login for a 7 day span – skipping the Duo challenge during those 7 days.The ‘Remember me for 7 days’ checkbox appears at the bottom of the Duo window. Checking this box allows Duo to store a cookie within your browser, satisfying the challenge for future logins for up to 7 days.
While we’ve found the feature to work great overall there are a few limitations:
- Duo only remembers the specific browser on the specific computer you are using for future logins. In order for this feature to work users cannot have enhanced browser security enabled that disallows cookies or have set the browser to clear the cache each time the browser is closed.
- If you choose this setting, but log in later with a different browser you will have to set “Remember Me” again for that browser during authentication. If you are certain you chose it to remember you on both the computer and the browser you are using, then it might be a setting on the browser that is not saving your choice.
- Also, if users have Duo configured to automatically perform an action, such as ‘Send Me a Push’ the remember feature will be initially hidden and the user will need to cancel the Duo action to select the check box.
Password Policy Change
We are pleased to announce that in conjunction with the Duo implementation, as of February 2019 the College’s password policy will be updated to reflect the most current national and international best practices: we will no longer require community members to reset their passwords every six months. Instead, we will opt for longer passphrases that do not need to be changed on a regular cycle.
FAQ
Do I need to download the Duo Mobile app on my smartphone?
No. You can still use your mobile phone as a second factor of authentication without downloading the app, although it is the easiest method.
In order to accomplish this, choose “Mobile Phone” in the setup, enter your mobile phone number, and select “Other Phone” as the next option. This will still allow you to receive phone calls and text messages without the app.
In order to receive a text message, select the “Enter Bypass Code” option and then select “Text Me New Code.
What if I do not have a cell phone?
Hardware code generators can be used as a second factor of authentication.
The hardware code generator is a small device that provides a number when a button on the device is pushed that will satisfy the required two factor authentication.
These can be requested from the IT Service Desk. They should only be used if you do not have a cell phone capable of using the Duo App.
What if I don’t have my cell phone and get locked out of my account because I cannot login with Duo?
The IITS Service Desk can generate a limited use code for you to use until you can gain access to your Duo registered device.
IITS recommends a minimum of two devices registered in Duo to avoid lockouts.
Can I opt out of Duo?
IITS is committed to protecting both the data of our users and the data of the College. At this time, anyone who accesses Haverford resources is not permitted to opt-out of using Duo.
What if I don’t have cell phone service or wireless service, how can I use Duo on my cell phone?
The Duo Mobile app can generate a usable code without any connection to cellular or wireless networks. Simply open the app, generate the code, and enter it in the Duo login screen.
Another option would be for a hardware code generator, available for purchase through your department. Please seek approval from your departmental budget manager and submit a ticket through the IITS Service Desk to purchase this device.
What Haverford resources will require me to use Duo?
Any service that uses the red login screen will prompt for a second-factor of authentication via Duo after a Haverford username and password has been entered. This includes Workday, Gmail, and Moodle to name a few.
Duo also protects BiONiC.
What if I’m having issues with Duo on my smartphone?
Please contact the IITS Service Desk for assistance or view the links below.
iOS Troubleshooting: https://help.duo.com/s/article/2051
Android Troubleshooting: https://help.duo.com/s/article/2050