Topics Map > •Accounts, Authenication & Passwords > -Accounts
Topics Map > •Accounts, Authenication & Passwords > -Duo
Topics Map > •Accounts, Authenication & Passwords > -NetID
Duo: Complete Guide to Duo
This guide will provide links directly into Duo's own support documentation to help you find the information that you are interested in.
Overview
What is Duo?
Duo is a tool used to improve security by using two-factor authentication (2FA), also called multi-factor authentication (MFA). Individuals are required to verify their identity by sharing something they know (i.e. user ID and password) along with something they have (i.e. smartphone, tablet). This type of authentication protects Rice systems against cyber attacks. Duo helps protect against phishing, social engineering, and password brute-force attacks and secures your logins from attackers exploiting weak or stolen credentials.
Here is a brief description of the process:
If you ever receive this notification from Duo asking if you are trying to access a resource that you are not currently trying to access, please indicate that the request from Duo is fraudulent and change your NetID password.
Why is Duo needed?
With the number of stolen passwords and hacking attempts on the rise, it is important to ensure the safety and security of Rice data and systems. With this additional security, we can ensure that critical university systems are only accessed by authorized users.
Which Rice systems use Duo?
Duo authentication is required on most of Rice's centralized systems, including:
- MyNetid - online account management systems. Read more in NetID: Complete Guide to NetID in the section on Duo Authentication.
- VPN - Virtual Private Network. Read more in VPN: Complete Guide to VPN in the section on Duo Authentication.
- Google Workspace for Education - Gmail, Calendar, Drive, etc. Read more in Duo: Logging into Google Workspace for Education
- Microsoft 365 Services - Outlook, Teams, One Drive. Read more in Duo: Logging into Microsoft 365 Services
- iO - employee and financial services system. Learn more about iO Support.
- Word Press - blog site hosting. See also Rice University Blogs.
What are the Duo Authentication Methods?
This is the list of all current Duo authentication methods in order of most secure to least secure. Rice does not support every authentication method.
| Authentication Method | Category | Security | Description | Usable at Rice |
|---|---|---|---|---|
| Platform authenticators | PASSKEY | VERY STRONG (5) | Apple Touch ID / Face ID and Windows Hello | Yes |
| Roaming authenticators | PASSKEY | VERY STRONG (5) | WebAuthN tokens (Yubikey / 1Password / Apple Keychain / Google Chrome Password Manager) | Yes |
| Verified Duo Push * | PUSH | VERY STRONG (4) | Duo Mobile App Push w/PIN requirement | No |
| Duo Mobile push approval | PUSH | STRONG (3) | Duo Mobile App Push | Yes |
| Duo Desktop authentication * | PASSKEY | STRONG (3) | Desktop App | No |
| Duo Mobile generated passcodes | PASSCODE | STRONG (3) | Duo Mobile App Passcode | Yes |
| YubiKey passcodes * | PASSCODE | STRONG (2) | Hardware token | No |
| Hardware token passcodes | PASSCODE | STRONG (2) | Hardware token (OTP) | Limited |
| SMS passcodes | SMS | WEAK (1) | SMS delivered passcode | Yes |
| Phone call approval | VOICE | WEAK (0) | Telephone call with voice prompts | Yes |
* Not available at Rice
Security
0 = Weak - 5 = Strong / 2 or higher is acceptable for normal use, 3 and higher is preferred
Categories
PASSKEY
The PassKey methods are phishing-resistant and cryptographically strong. The credential can only be shared with the website that it was configured with.
PUSH
The Push method sends a message to the Duo Mobile app running on your smartphone, which causes it to produce an immediate popup notification and only requires clicking an Accept or Decline button. This is by far the easiest method with which to interact with the Duo 2FA process, but it requires running the Duo Mobile app on your smartphone and an active cell or wireless connection.
PASSCODE
The Passcode method is a six digit number that can be entered into the Duo Prompt. The Duo Mobile app running on your smart phone can generate this passcode for you. This passcode number can also be generated by a Duo Hardware Token. The passcode method does not require an active cell or wireless connection.
SMS
The SMS method will send a passcode to your cell phone as a SMS message. You can then enter this number into the Duo Prompt. The SMS method can be used on non-smart phones though this is one of the weakest in regards to security. The SMS method requires an active cell connection.
VOICE
The voice method will call your phone and ask you to approve or deny the request by pressing a number on the phone. This option can be used with landlines. Like the SMS method above, this is the weakest in regards to security. The VOICE method requires an active cell connection if used with a mobile phone.
What is a Duo device?
Duo devices allow you to respond to the authentication requests sent by the Duo prompt.
- Duo Mobile - supports PUSH and PASSCODE
- Cell Phone & Landlines - supports SMS (cell phone) and VOICE (both)
- Hardware Tokens - supports PASSCODE
- Touch ID - supports platform PASSKEY
Supported Web Browsers
Duo is constantly upgrading its service and security. Due to this, it is important to remain current with your web browser platform when using the service. Duo list of supported web browsers.
Travel and Duo
Duo offers multiple options to meet your needs when traveling. You should enroll in any device you plan on using before your trip.
- Even without cellular service or a WiFi connection, you may use the Duo Mobile app to generate a passcode that you can use for authentication. Simply choose the Other -> Passcode option when you get the Duo authentication prompt. To generate the passcode, open the Duo Mobile app on your phone and tap the button with the Key symbol.
- If you are unable to have a smartphone during your travel, it is possible to get 10 one-time-use bypass codes that you can use for Duo Security authentication for the duration of your trip. You can generate these by going to your Online Account Management System, selecting Two-Factor Authentication on the left menu, and select Generate Bypass Codes at the bottom of the page. Each time you click this button, new codes will be generated and previous codes are invalidated.
- If you have cellular service or a WiFi connection, then you can simply use whatever authentication technique you normally use. The push, passcode, and phone options all work out of the country. You can even add an international phone number as one of your authentication options.
Travel Restrictions
The Duo app and hardware tokens are subject to export control regulations. According to federal export control regulations, the Duo app and hardware tokens may not be transported or sent to embargoed nations identified by the U.S. State Department.
Sanctions Programs and Country Information
- Cuba
- Iran
- North Korea
- Sudan
- Syria
- Crimea region
- Donetsk region
- Luhansk region
- Sevastopol region
If you are traveling to any of those countries, delete or uninstall the Duo app from any devices you will take with you, and do not take Duo hardware tokens with you.
See also: Duo - Access Denied. Duo Security does not provide services in your current location
Usage
Authentication
NOTE: Duo automatically defaults to using the most secure authentication method you defined on first use. Afterward, it will default to the last one that you used.
Device Management
Duo adding or managing devices after enrollment
Backup and Recovery
Enrollment
You will be automatically taken through the Duo enrollment process when you first activate your NetID. You are only allowed to go through the NetID activation process once.
If you've been at Rice a long time and never set up Duo, logging back into https://MyNetID.rice.edu with your NetID and password should be enough to start enrollment.
WARNING
The enrollment process will only require you to define ONE Duo device. Some individuals find that if they only set up a platform authenticator tied specifically to one device, they cannot get into sites requiring Duo if they change their device. It is always best to set up multiple (2 or more) devices capable of responding to Duo, like using a roaming authenticator or the Duo Mobile app on your smartphone.
More Information
-
For more information, see the Duo Security online Guide to Two-Factor Authentication.
Need Help?
Contact the OIT Help Desk.