All about Duo

•  Duo FAQ 
  
  
  What is Duo? 
  
  Duo is a two-factor authentication service that adds a second layer of protection to your online accounts. Verifying your identity using a second factor (like your phone or other mobile device) prevents anyone but you from logging in to your account - even if they know your password.
  
  Why is two-factor authentication needed?
  
  With the number of stolen passwords and hacking attempts on the rise, it is important to ensure the safety and security of Rice data. By using two-factor authentication, we can ensure that critical university systems are only accessed by authorized users.
  
  Which services are protected using two-factor authentication?
  
  Rice University is using this technology to protect your VPN access to Rice systems. Once you are successfully enrolled in Duo, two-factor authentication will also be enabled to protect your NetID access and Esther.
  
  Do I need any special equipment in order to enroll or use two-factor authentication?
  
  Rice University and Duo Security's two-factor system uses something most of us already have - a smartphone. A smartphone is the best choice since it provides the greatest level of security. It allows you to use the Duo Mobile app, letting you receive push notifications for easy, one-tap authentication, or choose to receive a phone call or text.
  
  What is multi-factor Authentication (MFA)?
  
  
  Multi-factor authentication (MFA) strengthens access security by requiring multiple methods (also referred to as factors) to verify your identity. These factors can include something you know - like a username and password, plus something you have - like a smartphone app to approve authentication requests. MFA helps protect against phishing, social engineering and password brute-force attacks and secures your logins from attackers exploiting weak or stolen credentials.
  
  How do I access AnyConnect VPN?
  
  Information regarding downloading AnyConnectVPN can be found here https://kb.rice.edu/page.php?id=82263.
  
  

•  Duo Enrollment 
  
  
  The following are instructions for enrolling your device in Duo so you can use it for two-factor authentication (2FA) with systems that require Duo two-factor authentication. Duo's enrollment process makes it easy to register your phone and install the Duo Mobile application on your smartphone or tablet.
  

  Supported Browsers: Chrome, Firefox, Safari, Internet Explorer 11, Microsoft Edge, and Opera.

  Step 1: Login to the Online Account Management System with your NetID credentials. Click Sign in.

  
  

  Step 2: Select Two-Factor Authentication under Account Maintenance.

  
  

  Step 3: Select Enable Two-Factor Authentication.

  

  Step 4: Click Start setup to begin enrolling your device.

  
  
  Step 5: Select the type of device you'd like to enroll and click Continue. We recommend using a smartphone for the best experience, but you can also enroll a landline telephone, a universal two-factor authentication (U2F) token (currently only works on Chrome) or iOS/Android tablets.

  

  Step 6: Select your country from the drop-down list and type your phone number. Use the number of your smartphone, landline, or cell phone that you'll have with you when you're logging in to a Duo-protected service. You can enter an extension if you chose Landline in the previous step.

  Double-check that you entered it correctly, check the box, and click Continue.

  

  If you're enrolling a tablet you will not be prompted to enter a phone number.

  Step 7: Choose your device's operating system and click Continue.

  If you do not have a compatible smartphone device or decide not to install the Duo Mobile app: choose Other > Continue > Continue to Login > Enter a passcode. Click Text me new code at the bottom of the window. Enter in the passcode you received from Duo via text message and select Log In. Skip to Step 11.

  

  Step 8: Install Duo Mobile:

  Duo Mobile is an app that runs on your smartphone and helps you authenticate quickly and easily. Without it you'll still be able to log in using a phone call or text message, but for the best experience we highly recommend that you use Duo Mobile. Since Duo Mobile works in any country, it doesn't require a cell service and is more reliable than SMS/Voice, making it the best option for authenticating your device. 

  Follow the platform-specific instructions on the screen to install Duo Mobile. After installing Duo Mobile, return to the enrollment window and click I have Duo Mobile installed.

  

  Step 9: Activate Duo Mobile:

  Activating the app links it to your account so you can use it for authentication. This will require access to your camera. The application will request access to the camera, which you can temporarily allow. This can be disabled after enrollment.

  On your smartphone: activate Duo Mobile by scanning the barcode with the app's built-in barcode scanner. Follow the platform specific instructions for your device:

  

  After you scan the barcode successfully, select Continue.

  

  Can't scan the barcode? Click or have an activation link emailed to you instead and follow the instructions.

  Step 10: Configure Device Options (optional):

  You can use Device Options to give your phone a more descriptive name or select Add another device to start the enrollment process again and add a second phone or another authenticator.

  If this is the device you'll use most often with Duo then you may want to enable automatic push requests by going to the When I log in: option and changing the setting from Ask me to choose an authentication method to Automatically send this device a Duo Push or Automatically call this device and click Save. With one of the automatic options enabled, Duo automatically sends an authentication request via push notification to the Duo Mobile app on your smartphone or a phone call to your device (depending on your selection).

  

  Click Continue to login to proceed to the authentication prompt.

  

  Your device is now ready to approve Duo authentication requests. Click Send me a Push to give it a try. All you need to do is tap Approve on the Duo login request received at your phone.

  

  Step 11:  Congratulations, you can now use Duo Two-Factor Authentication!

  If you see a screen that is similar to below, you have completed the Duo 2FA Enrollment! If not, contact the OIT Helpdesk at helpdesk@rice.edu or 713-348-HELP (4357).

  
  

  

•  Duo Prompt  
  
  
  The following is a step-by-step instruction on how to login to services that require you to go through the Duo authentication prompt. The authentication prompt lets you choose how to verify your identity each time you log in to Duo protected applications like NetID.
  
  
  Supported Browsers: Chrome, Firefox, Safari, Internet Explorer 11, Microsoft Edge, and Opera. Once you login to the service that uses Duo prompts, you will be met with the following screen. 
  
  
  
  If you have more than one device enrolled you'll see a device selector. 
  
  
  
  Select the device you want to use and then choose your authentication method.
   

  Method	Description
  Call Me	Authenticate via phone callback.
  Duo Push	Pushes a login request to your phone or tablet (if you have Duo Mobile installed and activated on your iPhone or Android device). Just review the request and tap Approve to log in.
  Enter a Passcode	Log in using a passcode, either generated with Duo Mobile, sent via SMS, generated by your hardware token, or provided by an administrator. Click Send codes to get a new batch of passcodes texted to your phone.

  
  You can also use U2F Tokens for authentication. 
  
  If you can't authenticate or aren't sure what to do, click Need help? on the left side of the Duo prompt. Your administrator may have customized the help text with additional instructions or contact information. 
  
   
  
  Trusted Devices:
  
  You'll also see a Remember me for... option if your administrator enabled Duo's trusted devices feature. If you check this box when authenticating you won't need to perform Duo second-factor authentication again for the duration specified on the prompt.
  
  
  
  Authenticating from Smaller Screens: 
  
  If you're logging in with Duo from a device with a smaller screen (like a tablet) or small browser window then your authentication prompt may look slightly different. Don't worry! All the devices and options shown in the full-size prompt are available for use, and you can enroll and manage devices by following the same steps. 
  
  
  
  Access Add a New Device or My Settings & Devices by clicking the Settings button at the top. Click the X next to the Settings option to return to the authentication prompt. 
  
  

•  Manage Devices 
  
  
  The following instructions outline how to edit the devices you have enrolled on Duo. Select Device Options next to any of your enrolled devices to view the actions available for that type of device. You can Reactivate Duo Mobile for an enrolled smartphone, Change Device Name for any type of phone, or delete any authentication device.
  
  
  
  Reactivate Duo Mobile:
  
  You can use this option if you need to get Duo Push working on your phone (e.g. if you replaced your phone with a new model but kept the same phone number). After answering some questions about your device, you'll receive a new QR code to scan with your phone, which will complete the Duo Mobile activation process.
  
  
  
  Change Device Name:
  
  This will open up an interface to change the display name of your phone (hardware tokens can't be renamed). Type in the new name and click Save.
  
  
  
  After successfully modifying your phone's name, not only will you see this from now on when managing devices, but it will also be how your phone is identified in the authentication dropdown.
  
  
  
  Remove Device: 
  
  Select the red Trash Can icon to delete a phone or token device.
  
  Note: You may not remove your last device. If you wish to remove it, first add another, then delete the original. If you are unable to delete a device, contact your administrator to have it removed.
  
  
  
  You are given the chance to confirm or cancel deleting the authentication device. The device is deleted. It can no longer be used to approve Duo authentication requests.
  
  

•  Enroll New Device 
  
  
  You can easily add new devices right from the Duo authentication prompt.
  
  Step 1: To start enrolling a new device, click Add a new device. If you don't see this link then make sure you are logging into your Online Account Management System.
  
  
  
  Step 2: Choose an authentication method and complete two-factor authentication to begin adding your new device.
  
  If you're adding a new device to replace one that you previously activated for Duo Push, don't select the Duo Push authentication method on this page unless you still have the original device. If you don't have the original device but you have a new device with the same phone number, then you can authenticate with a phone call or SMS passcode.
  
  You can't add a new device from this page if you do not have access to any of your previously enrolled authentication devices; you'll need to contact your Duo administrator for help.
  
  
  
  Step 3: Proceed with the device enrollment process. As an example, let's add another phone.
  
  
  
  
  
  Step 4: Select the new phone's operating system.
  
  
  
  Step 5: Install Duo Mobile on the new phone and scan the barcode to activate.
  
  
  
  The new phone is added and listed with your other enrolled devices. You can select Add another device to start the enrollment process again and add another authenticator.
  
  
  

  To further manage the device added or any of the other enrolled devices, go to the Manage Devices option on this article.

•  Reactivate Duo on Smart Phone 
  
  This is required only when you have switch smart phones, uninstall the Duo Mobile application on your phone, or perform a factory reset. Otherwise you will not receive Duo push notifications nor will you be able to generate one-time use passcodes. 
  
  In order to proceed, your smart phone will need to be able to receive calls or texts. If this is the only device you've enrolled in Duo, it has to have the same number when it was first enrolled to receive a phone call or ("Enter a Passcode" ) SMS text message. 
  
  Step 1:  Login to your Online Account Management System with your NetID and password. Click Sign In and authenticate with Duo by selecting Call Me.
  
  
  Step 2:  On the Account Management page, select Two-Factor Authentication.
  
  
  
  
  Step 3:  Within Two-Factor Authentication Settings, click Device Management Portal. 
  
  
  
  Step 4: Select Device Options next to your registered device.
  
  
  
  
  Step 5:  Click on the Reactivate Duo Mobile.
  
  
  
  Step 6: Select your type of smart phone and click Continue. 
  
  
  
  
  Step 7:  Follow the on-screen instructions using your smart phone to scan the QR code shown on this page. If you cannot scan the code, click the hyperlink next to it to have it sent to your email instead. Follow the instructions within that email to continue.  Note: do not scan this QR code. 
  
  
  
  
  
  
  Step 8: Once you see the check mark appear, you have completed the reactivation of your device and will now be able to receive push notifications.
  
  

•  Duo while traveling 
  
  Duo 2FA offers multiple options to meet your needs when traveling. It is suggested that you enroll any device you plan on using ahead of time.

  Options:

  Even without cellular service or WiFi connection, you may use the Duo Mobile app to generate a passcode that you can use to authentication. Simply choose the Enter a Passcode option when you get the Duo authentication prompt. To generate the passcode, open the Duo Mobile app on your phone and tap the button with the Key symbol.

  If you are unable to have a smartphone during your travel, it is possible to get 10 one-time use bypass codes that you can use for Duo 2FA authentication for the duration of your trip. You can generate these by going to your Online Account Management System, selecting Two-Factor Authentication on left menu and select Generate Bypass Codes at the bottom of the page. Each time you click this button, new codes will be generated invalidating the previous codes.

  If you have cellular service or a WiFi connection, then you can simply use whatever authentication technique you normally use. The push, passcode, and phone options all work overseas. You can even add an international phone number as one of your authentication options.

  Restrictions:

  The Duo app and hardware tokens are subject to export control regulations. According to federal export control regulations, the Duo app and hardware tokens may not be transported or sent to embargoed nations identified by the U.S. State Department: Sanctions Programs and Country Information. Here is a dated list from August 2019:
  • Cuba
  • Iran
  • North Korea
  • Sudan
  • Syria
  • Venezuela
  If you are traveling to any of those countries, delete or uninstall the Duo app from any devices you will take with you and do not take Duo hardware tokens with you.

See Also:

• Two-factor Authentication (Duo) and VPN
• Tips for Traveling with Tech