Duo Multi-Factor Security
In an ongoing attempt to protect the Haverford community and their data IITS is implementing Duo, a multi-factor authentication solution.
Once enrolled in Duo, users logging into resources that authenticate with the red Haverford login screen, such as Workday, Gmail, and Moodle, as well as BiONiC will be required to provide a second factor of authentication.
This factor can be a notification to an app on a registered cell phone, phone call or text message to a registered cell phone, phone call to a registered landline, or a number created by a hardware code generator (available for departmental purchase).
Duo will protect our users from attacks such as elaborate phishing emails as even if a Haverford password is compromised, Duo will prevent the bad actor from completing the login without a second factor of authentication.
For more information about Duo, see An Introduction to Duo Security
For more information on Duo enrollment, see https://guide.duo.com/enrollment
Duo provides several options for authentication. IITS recommends using the Duo Mobile app on a smartphone.
Adding a Device in Duo
After you have enrolled yourself, you may choose to add more devices for authenticating to Duo. You can do so by logging into a Duo protected resource to bring up the Duo Prompt again. At the Duo prompt you will:
- Click on Settings at the top of the Duo screen as seen below.
- Choose Add a Device
- Authenticate to Duo
- Follow the Duo prompt’s instructions to add a new device
Reconnecting Duo Mobile App
- Login to a Duo protected Haverford resource like Gmail or Workday with your Haverford username and password.
- Select “Settings” in the upper right hand corner BEFORE selecting one of the presented Duo options and select ‘My Settings & Devices’.
- Choose one of the presented options to satisfy the Duo challenge in order to make a change to your Duo account.
- ‘Call Me’ will prompt Duo to call your registered phone number with an automated message telling you to press any key to login.
- ‘Enter a Passcode’ will present you with an option to ‘Text me new codes’ to a smartphone – which will send you a text message with a six digit number to enter into the provided text box.
- After satisfying the Duo challenge you’ll be presented with a list of your Duo registered devices, find your smartphone or tablet and select the ‘down arrow’ on the right hand side of the window to choose ‘Activate Duo Mobile’.
- Follow the presented prompts to choose what type of device you are registering, indicate you already have the Duo Mobile app installed, and scan the QR code generated with the camera on your smartphone or tablet.
- Once completed you will see a green check.
- Select ‘Continue’ and ‘Back to Login’ to continue your Duo login session.
Password Policy Change
We are pleased to announce that in conjunction with the Duo implementation, this February 2019 the College’s password policy will be updated to reflect the most current national and international best practices: we will no longer require community members to reset their passwords every six months. Instead, we will opt for longer passphrases that do not need to be changed on a regular cycle.
Do I need to download the Duo Mobile app on my smartphone?
No. You can still use your mobile phone as a second factor of authentication without downloading the app, although it is the easiest method.
In order to accomplish this, choose “Mobile Phone” in the setup, enter your mobile phone number, and select “Other Phone” as the next option. This will still allow you to receive phone calls and text messages without the app.
In order to receive a text message, select the “Enter Bypass Code” option and then select “Text Me New Code.
What if I do not have a cell phone?
Hardware code generators can be used as a second factor of authentication. This device can be purchased through IITS as a departmental charge of $20.
The hardware code generator is a small device that provides a number when a button on the device is pushed that will satisfy the required two factor authentication.
Please seek approval from your departmental budget manager and submit a ticket through the IITS ProDesk to purchase this device.
What if I don’t have my cell phone and get locked out of my account because I cannot login with Duo?
The IITS ProDesk can generate a limited use code for you to use until you can gain access to your Duo registered device.
IITS recommends a minimum of two devices registered in Duo to avoid lockouts.
Can I opt out of Duo?
IITS is committed to protecting both the data of our users and the data of the College. At this time, anyone who accesses Haverford resources is not permitted to opt-out of using Duo.
What if I don’t have cell phone service or wireless service, how can I use Duo on my cell phone?
The Duo Mobile app can generate a usable code without any connection to cellular or wireless networks. Simply open the app, generate the code, and enter it in the Duo login screen.
Another option would be for a hardware code generator, available for purchase through your department. Please seek approval from your departmental budget manager and submit a ticket through the IITS ProDesk to purchase this device.
What Haverford resources will require me to use Duo?
Any service that uses the red login screen will prompt for a second factor of authentication via Duo after a Haverford username and password has been entered. This includes Workday, Gmail, and Moodle to name a few.
Duo also protects BiONiC.
What if I’m having issues with Duo on my smartphone?
Please contact the IITS ProDesk for assistance or view the links below.
iOS Troubleshooting: https://help.duo.com/s/article/2051
Android Troubleshooting: https://help.duo.com/s/article/2050