How do I use Duo Two-Factor Security?

Update January 8, 2024: As of today, most of our Duo-secured resources have been updated to use the Duo Universal Prompt, as detailed below. However, the BiONiC system will continue to use the legacy prompt for the time being.

For details on use of the older version of the Duo prompt, please see our legacy documentation at: (legacy) How do I use Duo Two-Factor Security?

In an ongoing attempt to protect the Haverford community and their data, IITS is implementing Duo, a multi-factor authentication solution.

Once enrolled in Duo, users logging into resources that authenticate with the red Haverford login screen, such as Workday, Gmail, and Moodle, as well as BiONiC, will be required to provide a second factor of authentication.

This factor can be a notification to an app on a registered cell phone, phone call or text message to a registered cell phone, phone call to a registered landline, or a number created by a hardware code generator (available for departmental purchase).

Duo will protect our users from attacks such as elaborate phishing emails: even if a Haverford password is compromised, Duo will prevent the bad actor from completing the login without a second factor of authentication.

For more information about Duo, see An Introduction to Duo Security

For more information on Duo enrollment, see https://guide.duo.com/enrollment

Duo provides several options for authentication. IITS recommends using the Duo Mobile app on a smartphone.

How does Duo handle phone numbers?

Once a phone number has been added to Duo Mobile, it does NOT need to be added again when it is migrated to a new device.

If you are activating a phone with a number that you have not previously used for Haverford Duo, see the section Activating a new phone number for Duo.

If your phone number has already been activated for Duo Mobile and it was migrated to a new device, please see the section Activating Duo on a new phone at an existing number.

Activating a new phone number for Duo

Note: For best results, please use a computer and NOT a phone when proceeding through the steps below.

After you have enrolled yourself, you may choose to add more devices for authenticating to Duo. You can do so by logging into a Duo-protected resource (e.g. Haverford Mail or Workday) to bring up the Duo Prompt again.

At the Duo prompt you will:

  1. Click on Other options on the Duo screen as seen below.
  2. Click Manage devices on the Duo screen as seen below.
  3. Authenticate to Duo via the method of your choosing.
  4. On the Devices page, select Add a device, then follow the steps onscreen to add a new device of your choosing, entering its phone number when prompted.


See https://guide.duo.com/add-device

Activating Duo on a new phone at an existing number

Note: For best results, please use a computer and not a phone when following the instructions below.

  1. Log in to a Duo-protected Haverford resource like Gmail or Workday with your Haverford username and password.
  2. Before authenticating to Duo, select Other options on the Duo screen as seen below, then click Manage devices.
  3. Choose one of the two options below to satisfy the Duo challenge so that you can make a change to your Duo account. Do not choose the "Duo Push" option, as the account needs to be connected to the app in order to use that option. It will not work if you are trying to reconnect the account to the app.
    • ‘Text message passcode’ will send you a text message with a 7-digit passcode to enter into the provided text box.
    • ‘Phone call’ will prompt Duo to call your registered phone number with an automated message telling you to press any key to log in.
  4. After satisfying the Duo challenge, you’ll be presented with a list of your Duo registered devices. Find your smartphone or tablet and select I have a new phone, as seen below.
  5. Follow the presented prompts and scan the QR code with the camera on your smartphone or tablet from within the Duo Mobile app. In other words, there should be an option to scan a QR code within the Duo app itself.
  6. Once completed you will see a green check.
  7. Select Continue and Back to login to continue your Duo login session.

Types of Duo challenges

Beginning January 8, 2024, users with a smart device (smartphone or tablet) will receive a Duo Push challenge automatically by default when logging into Duo-secured resources. The challenge sends a notification to the user's smart device with the options to Allow or Deny login.

If you ever receive a push prompt when you are not actively attempting to log into Duo-enabled resources, select 'Deny', as it could be a sign that your login credentials have been compromised and the attacker is attempting to log into your account.

If you prefer to use another method of Duo authentication challenge, you can still do so by clicking Other options on the automatic prompt, as seen below.

This brings up the Other options to log in menu. It provides the following options, which can be useful if you prefer not to use the push notification Duo challenge, and it also provides access to management of your Duo-enabled devices.

Password Policy Change

We are pleased to announce that in conjunction with the Duo implementation, as of February 2019 the College’s password policy will be updated to reflect the most current national and international best practices: we will no longer require community members to reset their passwords every six months. Instead, we will opt for longer passphrases that do not need to be changed on a regular cycle.

FAQ

Do I need to download the Duo Mobile app on my smartphone?

No. You can still use your mobile phone as a second factor of authentication without downloading the app, although the app is the easiest method.

In order to accomplish this, choose “Mobile Phone” in the setup, enter your mobile phone number, and select “Other Phone” as the next option. This will still allow you to receive phone calls and text messages without the app.

In order to receive a text message, select the “Enter Bypass Code” option and then select “Text Me New Code.”

What if I do not have a cell phone?

Hardware code generators can be used as a second factor of authentication.

The hardware code generator is a small device that, when its button is pushed, provides a number that will satisfy the required two-factor authentication.

These can be requested from the IT Service Desk. They should only be used if you do not have a cell phone capable of using the Duo App.

What if I don’t have my cell phone and get locked out of my account because I cannot log in with Duo?

The IITS Service Desk can generate a limited-use code for you to use until you can gain access to your Duo registered device.

IITS recommends a minimum of two devices registered in Duo to avoid lockouts.

Can I opt out of Duo?

IITS is committed to protecting both the data of our users and the data of the College. At this time, anyone who accesses Haverford resources is not permitted to opt out of using Duo.

What if I don’t have cell phone service or wireless service? How can I use Duo on my cell phone?

The Duo Mobile app can generate a usable code without any connection to cellular or wireless networks. Simply open the app, generate the code, and enter it in the Duo login screen.

Another option is a hardware code generator, available for purchase through your department. Please seek approval from your departmental budget manager and submit a ticket through the IITS Service Desk to purchase this device.

What Haverford resources will require me to use Duo?

Any service that uses the red login screen will prompt for a second factor of authentication via Duo after a Haverford username and password have been entered. This includes Workday, Gmail, and Moodle, to name a few.

Duo also protects BiONiC.

What if I’m having issues with Duo on my smartphone?

Please contact the IITS Service Desk for assistance or view the links below.

iOS Troubleshooting: https://help.duo.com/s/article/2051

Android Troubleshooting: https://help.duo.com/s/article/2050