DUO Security FAQs


 

  1. What is multi-factor authentication (MFA)?
    MFA adds another layer of security to your UCA user account by utilizing a secondary device (your smartphone or hardware token) to prevent anyone but you from logging in to your account, combining something you know (your password) with something you have (your smartphone or token). Our partner for this project is Duo (duo.com), a leader in multi-factor security.

    You may be familiar with MFA from your iCloud, Instagram, Snapchat or online banking accounts, as all of these use MFA as part of their security. An example would be logging into a UCA application that requires you to enter your credentials and then asks for a secondary authentication. This is handled either with a push notification that you accept on your secondary device, or with the token process, which generates a code that you enter.
     
  2. Why do I need MFA?
    Defending against cyber security threats has become a major part of the overall security plans for universities across the country. It is becoming increasingly easy for your password to be compromised, whether through phishing attacks, illegitimate emails, or malicious software on your computer. Rather than just asking for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyberattack.

 

Over the last three years, UCA IT initiated three separate planned phishing attempts and, on average, we saw a 15% click-through rate. In a real-world phishing attack, we would see a significant loss of credentials and potential negative impact to our systems.
 

  1. Can you explain the phishing schemes that had a 15% click-through rate? What does this mean exactly?
    The information security team at UCA completes a yearly third-party security review. As part of that process, we will orchestrate online and in-person phishing attempts. The results from the security review provide real-world scenarios, which can result in new security initiatives.
     
  2. Was there a particular situation that prompted the use of MFA on campus? Is this a precaution or has there been an occurrence of “hacking” on campus?
    According to the 2021 Data Breach Investigations Report, a security industry summary, phishing (password theft via email) was present in 36% of breaches, up from 25% the previous year. Due to this trend, we are working to reduce our risk exposure from credential theft and phishing. The rollout of MFA is not in response to any known attempt at unauthorized access to the university's data.
     
  3. Is Duo MFA required?
    Yes, for specific services. Here is a list of services included in the initial rollout:
  • Banner Admin
  • Banner Self-Service
  • Google services (G Suite)
  • Argos
  • AppWorks
  • Global Protect VPN
  • Maxient

 

  1. Is this something that would apply to students or just faculty and staff?
    For now, our focus is on faculty and staff but we do think that this will eventually be rolled out to the entire campus, which would include students.
     
  2. How does MFA work?
    Here is an overview of the enrollment process: When it is time to enroll, you will receive an enrollment email (example shown below) which includes the steps to add the Duo application and activate your device. After enrollment and activation, when accessing some University-related applications, you will be asked to perform a second authentication step by simply responding to a notification on your device.

 

  1. What is required to use Duo MFA?
    Smartphone with Duo App installed or a hardware token device.
     
  2. What is the phased rollout for Duo MFA?
    The phased rollout is designed to ensure a smooth transition for the faculty and staff of UCA. By rolling this out first to our Division of Information Technology, we can test and validate processes, access, and workflows without impacting faculty and staff.
     

  • Phase 1 (Feb 2022): The IT Department will be the initial rollout phase, which will allow for extensive testing and other activities to ensure that the rollout to the rest of FS goes smoothly.
  • Phase 2 (Mar/Apr 2022): UCA Staff will be enrolled.
  • Phase 3 (Fall 2022): UCA Faculty will be enrolled. There may also be the opportunity to opt in to MFA during Phase 2. (More to come on this as we get closer to Phase 2.)

 

 

  1. How do I get started?
    You will receive an enrollment email (pictured below) that includes a unique link to create your Duo account and instructions to link your Duo and UCA accounts.




    Once you receive the enrollment email, click the unique-to-you link provided in the email to create your Duo account. Duo will walk you step-by-step through account creation, app download, and activation. In addition to the general video provided as an attachment to the email, you can view UCA’s enrollment video to see how quick and easy it is to enroll and get started with Duo MFA. Also, Duo has created an Enrollment Guide that provides detailed information on enrollment and activation.

    Using Duo to approve login requests is simple. Log in as you normally do. When accessing a service that requires MFA, click the button to Send Me a Push, and click Approve on your device. Login will continue automatically. To see this process in action, view the Duo Approve Smartphone Notification video.

    If you do not use a smartphone, you will need to request a hardware token. This process requires the user to complete a Duo Token Request ticket. Once the ticket has been submitted, you will receive an email with instructions for picking up the hardware token from IT.

    Accessing a service that requires MFA when using a hardware token is a similar, but slightly different process. When logging in, you’ll click Enter a Passcode, click the button on your token device to generate a six-digit code, enter the code on the login screen and click Log In. To see this in action, view the Duo Approve Token Device video.
     
  2. What is the best/recommended method of MFA?
    The recommended method of MFA is using a smartphone, downloading the Duo app, and approving logins with a push notification. However, for those individuals that do not use a smartphone, a Duo Token may be requested using the Duo Token Request ticket link.
     
  3. What should I do if I receive a Duo Push when I didn’t log in?
    If you are not in the process of logging into a UCA MFA-enabled service, click Deny to prevent unauthorized use of your account.
     
  4. Why don’t I need to use Duo MFA each time I log in when using Google Workspace apps? Can you explain Google Workspace apps “remembering” me for 14 days?
    Unless you explicitly log out of Google (click your initial in the upper right corner and then "Sign out of all accounts"), closing your browser does not end your Google session. It will be remembered for up to 14 days. It is only when the full Google session has timed out or been ended that you will be prompted for MFA.
     
  5. If I’ve logged in using MFA for email or another MFA service, will I have to use MFA again to log in to additional MFA-enabled services?
    Please note that you will not be prompted for each separate MFA-enabled service during a single browser session. After responding to the first MFA prompt of a session, you will be able to access other services without additional prompting for the duration of the session. Exceptions include starting a new browser, ending your current session, a network connectivity problem, or a session that exceeds the MFA timeout (to be determined).
     
  6. I need to request a token because I don’t have/use a smartphone. What do I need to do?
    You will still receive an enrollment email. However, instead of using the link provided in that email, request a Duo token by completing the Duo Token Request ticket form. In the process of assigning a token to you, the enrollment will be completed and your account activated when you visit the help desk - with your Bear Card/ID - to pick up the token.
     
  7. I recently got a new/replacement smartphone. Do I have to re-enroll and complete account activation again?
    You will need to activate the new device. Follow the steps at https://guide.duo.com/add-device for details on activating new devices. If you do not have access to your original device, you will need to contact the Help Desk for assistance.
     
  8. What are the plans for UCA groups to be required to use MFA as of March 2022?*

 

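| Population | Yes | Scheduled | Future | No |
|---|---|---|---|---|
| Staff | X | | | |
| Faculty | | X | | |
| Administrative Faculty | X | | | |
| Grad Assistants/Student Workers | | | X | |
| Grad/Undergrad Students | | | X | |
| FS New Hires | X | | | |
| Volunteer/Guests | | | | X |
| Retired Staff/Faculty | | | | X |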


*The requirement of MFA for a particular group is reviewed regularly and may change based upon that review.

 

 

  1. I don’t have reliable cell service at home. I use the internet by satellite/cable. Does Duo use an internet connection or cell service to authenticate?
    Duo uses the internet, in whatever way your phone is connected to it.
     
  2. If I’m using a smartphone, can I use a passcode instead of a push notification?
    Yes, you can enter the passcode provided in the Duo app rather than using push notifications. When logging in, click the Enter a Passcode button to display a text box and, in the Duo app, click Show to reveal the passcode. Enter that in the text box to continue the log on process.
     
  3. If I previously had to get the Duo app when I worked remotely, do I need to set it up again?
    In this case, you will just add another account to your Duo app. When you receive the enrollment email, follow the steps to display a QR code. Then, in the Duo app, click the Add button and select Use QR code.
     
  4. My phone died/I left my phone at home/I’m working from home, but my phone is at the office/I don’t know where my phone is! How do I authenticate?
    Call the IT Help Desk and they can provide you with a one-time passcode that will allow you to authenticate.
     
  5. When using email or myUCA on my phone, will I still need to authenticate?
    Yes, when you use your phone to log in to services that require MFA, you will still authenticate with the Duo app.
     
  6. Will employees that are also enrolled as students require multiple Duo codes and/or logins?
    No. Employees enrolled as students still use their @uca.edu account when logging into MFA-required services.
     
  7. What about departmental emails? How would those work?
    Departmental email accounts will not be subject to MFA.
     

Details

Article ID: 136582
Created: Tue 2/8/22 12:21 PM
Modified: Tue 11/28/23 11:09 AM