Duo Multi-Factor Security
In an ongoing attempt to protect the Haverford community and their data, IITS is implementing Duo, a multi-factor authentication solution.
Once enrolled in Duo, users logging into resources that authenticate with the red Haverford login screen, such as Workday, Gmail, and Moodle, as well as BiONiC, will be required to provide a second factor of authentication.
This factor can be a notification to an app on a registered cell phone, phone call or text message to a registered cell phone, phone call to a registered landline, or a number created by a hardware code generator (available for departmental purchase).
Duo will protect our users from attacks such as elaborate phishing emails: even if a Haverford password is compromised, Duo will prevent the bad actor from completing the login without a second factor of authentication.
For more information about Duo, see An Introduction to Duo Security
For more information on Duo enrollment, see https://guide.duo.com/enrollment
Duo provides several options for authentication. IITS recommends using the Duo Mobile app on a smartphone.
Adding a Device in Duo
After you have enrolled yourself, you may choose to add more devices for authenticating to Duo. You can do so by logging into a Duo-protected resource to bring up the Duo Prompt again. At the Duo prompt you will:
- Click on Settings at the top of the Duo screen.
- Choose Add a Device
- Authenticate to Duo
- Follow the Duo prompt’s instructions to add a new device
Reconnecting Duo Mobile App
- Log in to a Duo-protected Haverford resource like Gmail or Workday with your Haverford username and password.
- Select ‘Settings’ in the upper right-hand corner BEFORE selecting one of the presented Duo options, then select ‘My Settings & Devices’.
- Choose one of the presented options to satisfy the Duo challenge in order to make a change to your Duo account.
- ‘Call Me’ will prompt Duo to call your registered phone number with an automated message telling you to press any key to login.
- ‘Enter a Passcode’ will present you with an option to ‘Text me new codes’ to a smartphone – which will send you a text message with a six digit number to enter into the provided text box.
- After satisfying the Duo challenge, you’ll be presented with a list of your Duo registered devices. Find your smartphone or tablet and select the ‘down arrow’ on the right-hand side of the window to choose ‘Activate Duo Mobile’.
- Follow the presented prompts to choose what type of device you are registering, indicate you already have the Duo Mobile app installed, and scan the QR code generated with the camera on your smartphone or tablet.
- Once completed you will see a green check.
- Select ‘Continue’ and ‘Back to Login’ to continue your Duo login session.
Remember My Device
IITS has enabled a new feature in Duo called ‘Remember My Device’ for all services behind the red Haverford login screen.
This feature gives you the option to have Duo remember your successful login for a 7 day span, skipping the Duo challenge during those 7 days. The ‘Remember me for 7 days’ checkbox appears at the bottom of the Duo window. Checking this box allows Duo to store a cookie within your browser, satisfying the challenge for future logins for up to 7 days.
While we’ve found the feature to work great overall, there are a few limitations.
Duo only remembers the specific browser on the specific computer you are using for future logins. For this feature to work, users cannot have enhanced browser security enabled that disallows cookies, and cannot have set the browser to clear the cache each time the browser is closed.
If you choose this setting but log in later with a different browser, you will have to set “Remember Me” again for that browser during authentication. If you are certain you chose it to remember you on both the computer and the browser you are using, then it might be a setting on the browser that is not saving your choice.
Also, if users have Duo configured to automatically perform an action, such as ‘Send Me a Push’, the remember feature will be initially hidden and the user will need to cancel the Duo action to select the check box.
Password Policy Change
We are pleased to announce that, in conjunction with the Duo implementation, the College’s password policy will be updated in February 2019 to reflect the most current national and international best practices: we will no longer require community members to reset their passwords every six months. Instead, we will opt for longer passphrases that do not need to be changed on a regular cycle.
Do I need to download the Duo Mobile app on my smartphone?
No. You can still use your mobile phone as a second factor of authentication without downloading the app, although the app is the easiest method.
To do this, choose “Mobile Phone” in the setup, enter your mobile phone number, and select “Other Phone” as the next option. This will still allow you to receive phone calls and text messages without the app.
In order to receive a text message, select the “Enter Bypass Code” option and then select “Text Me New Code.”
What if I do not have a cell phone?
Hardware code generators can be used as a second factor of authentication.
The hardware code generator is a small device that displays a number when a button on the device is pushed; that number satisfies the required two-factor authentication.
This device costs $20 and can be purchased through the IITS ProDesk.
Faculty and Staff: Please seek approval from your departmental budget manager and submit a ticket through the IITS ProDesk to purchase this device.
Students: If you would like to purchase a Duo hardware token, please have payment in the form of cash or check and contact the IITS ProDesk at firstname.lastname@example.org or #610.896.1480 after you’ve completed your self-enrollment.
If you would like to request a Duo hardware token and there is a financial need for support, you can apply to LIFTFAR to cover the cost of a token via the link at the bottom of this webpage: https://www.haverford.edu/
What if I don’t have my cell phone and get locked out of my account because I cannot login with Duo?
The IITS ProDesk can generate a limited-use code for you to use until you can gain access to your Duo registered device.
IITS recommends a minimum of two devices registered in Duo to avoid lockouts.
Can I opt out of Duo?
IITS is committed to protecting both the data of our users and the data of the College. At this time, anyone who accesses Haverford resources is not permitted to opt out of using Duo.
What if I don’t have cell phone service or wireless service? How can I use Duo on my cell phone?
The Duo Mobile app can generate a usable code without any connection to cellular or wireless networks. Simply open the app, generate the code, and enter it in the Duo login screen.
Another option is a hardware code generator, available for purchase through your department. Please seek approval from your departmental budget manager and submit a ticket through the IITS ProDesk to purchase this device.
What Haverford resources will require me to use Duo?
Any service that uses the red login screen will prompt for a second factor of authentication via Duo after a Haverford username and password have been entered. This includes Workday, Gmail, and Moodle, to name a few.
Duo also protects BiONiC.
What if I’m having issues with Duo on my smartphone?
Please contact the IITS ProDesk for assistance or view the links below.
iOS Troubleshooting: https://help.duo.com/s/article/2051
Android Troubleshooting: https://help.duo.com/s/article/2050