Topics Map > •Accounts, Authenication & Passwords > -Accounts
Topics Map > •Accounts, Authenication & Passwords > -Duo
Topics Map > •Accounts, Authenication & Passwords > -NetID
Duo: Complete Guide to Duo
Reactivate Duo on Your Smart Phone
Duo Overview
What is Duo?
Duo is a tool used to improve security by using two-factor authentication (2FA), also called multi-factor authentication (MFA). Individuals are required to verify their identity by sharing something they know (i.e. user ID and password) along with something they have (i.e. smartphone, tablet, landline telephone). This type of authentication protects Rice systems against cyber attacks. Duo helps protect against phishing, social engineering, and password brute-force attacks and secures your logins from attackers exploiting weak or stolen credentials.
Why is Duo needed?
With the number of stolen passwords and hacking attempts on the rise, it is important to ensure the safety and security of Rice data and systems. With this additional security, we can ensure that critical university systems are only accessed by authorized users.
Which Rice systems use Duo?
Duo authentication is required on most Rice's centralized systems including:
- Mynetid - online account management systems. Read more in NetID: Complete Guide to NetID in the section on Duo Authentication.
- VPN - Virtual Private Network. Read more in VPN: Complete Guide to VPN in the section on Duo Authentication.
- Google Workspace for Education - Gmail, Calendar, Drive, etc. Read more in Duo: Logging into Google Workspace for Education
- Microsoft 365 Services - Outlook, Teams, One Drive. Read more in Duo: Logging into Microsoft 365 Services
- iO - employee and financial services system. Learn more about iO Support.
- Word Press - blog site hosting. See also Rice University Blogs.
Enrolling in Duo
Contents
- Duo Universal vs Duo Traditional Prompt
- Duo Universal Prompt
- Duo Traditional Prompt
- Rice supported Duo Authentication Methods
- Duo devices
Duo settings and device management
What is Duo?
Duo is a Two-Factor Authentication (2FA) application. It adds an additional level of security when authenticating to computing resources like web sites and computers. After authenticating with your NetID and password, you will be sent to the Duo application to do an additional check that you are who you say you are. This additional check will contact you through an external mechanism, like your cell phone, and ask you to confirm that you are trying to access the resource. If you ever receive this notification from Duo asking if you are trying to access a resource that you are not currently trying to access, please indicate that the request from Duo is fraudulent and change your NetID password.
Using Duo for Authentication
Duo Universal vs Duo Traditional Prompt
The prompt that the Duo application uses to initiate the 2FA process is changing. The traditional prompt is the one that Rice has used since we first began using Duo years ago. By the end of 2023, all web protected Duo applications will be switching to the Duo Universal Prompt. Since it may take time to have all of Rice's web applications configured to use the new method, here is documentation about both methods
Duo Universal Prompt
Duo Traditional Prompt
Rice supported Duo Authentication Methods
PUSH
The Push method sends a message to the Duo Mobile app running on your smart phone that causes it to produce an immediate popup notification and only requires clicking on an Accept or Decline button. This is by far the easiest method with which to interact with the Duo 2FA process but it requires running the Duo Mobile app on your smart phone and an active cell or wireless connection.
PASSCODE
The Passcode method is a six digit number that can be entered into the Duo Prompt. The Duo Mobile app running on your smart phone can generate this passcode for you. This passcode number can also be generated by a Duo Hardware Token. The passcode method does not require an active cell or wireless connection.
SMS
The SMS method will send a passcode to your cell phone as a SMS message. You can then enter this number into the Duo Prompt. The SMS method can be used on non-smart phones though this is one of the weakest in regards to security. The SMS method requires an active cell connection.
VOICE
The voice method will call your phone and ask you to approve or deny the request by pressing a number on the phone. This option can be used with landlines. Like the SMS method above, this is the weakest in regards to security. The VOICE method requires an active cell connection if used with a mobile phone.
Duo devices
Duo devices allow you to respond to the authentication requests sent by the Duo prompt.
- Duo Mobile - supports PUSH and PASSCODE
- Cell Phone & Landlines - supports SMS (cell phone) and VOICE (both)
- Hardware Tokens - supports PASSCODE
- Touch ID - supports platform PASSKEY
Duo settings and device management
Duo settings and device management can be accessed through the Duo authentication process when logging into MyNetID. When it displays the Duo Universal Prompt, click on the URL link "Other" at the bottom of the prompt.
- Initially setting up your information in Duo the first time
- Managing your 2FA devices and Settings
- Adding a new 2FA device - Universal Prompt
- Adding a new 2FA device - Traditional Prompt
Duo enrollment process
Your initial Duo setup is done as part of the workflow that you follow when activating your NetID using https://MyNetID.rice.edu. When going through the initial Duo enrollment, please be sure to add an authentication device that supports PUSH (recommended), SMS, or Voice in addition to any others you wish to use. Using these authentication types will serve as good backups should you ever need them.
Below you will find links that will describe this process.
Using Duo when traveling
Duo offers multiple options to meet your needs when traveling. It is suggested that you enroll in any device you plan on using before your trip.
Options
- Even without cellular service or a WiFi connection, you may use the Duo Mobile app to generate a passcode that you can use for authentication. Simply choose the Other -> Passcode option when you get the Duo authentication prompt. To generate the passcode, open the Duo Mobile app on your phone and tap the button with the Key symbol.
If you are unable to have a smartphone during your travel, it is possible to get 10 one-time-use bypass codes that you can use for Duo Security authentication for the duration of your trip. You can generate these by going to your Online Account Management System, selecting Two-Factor Authentication on the left menu, and select Generate Bypass Codes at the bottom of the page. Each time you click this button, new codes will be generated and previous codes are invalidated.
If you have cellular service or a WiFi connection, then you can simply use whatever authentication technique you normally use. The push, passcode, and phone options all work out of the country. You can even add an international phone number as one of your authentication options.
Restrictions
The Duo app and hardware tokens are subject to export control regulations. According to federal export control regulations, the Duo app and hardware tokens may not be transported or sent to embargoed nations identified by the U.S. State Department.
Sanctions Programs and Country Information
Here is a dated list from August 2019:
- Cuba
- Iran
- North Korea
- Sudan
- Syria
- Venezuela
If you are traveling to any of those countries, delete or uninstall the Duo app from any devices you will take with you, and do not take Duo hardware tokens with you.
How to Authenticate with Duo
Supported Browsers
- Chrome, Firefox, Safari, Internet Explorer 11, Microsoft Edge, and Opera. Once you login to the service that uses Duo prompts, you will be met with the following screen.
- Duo Push pushes a login request to your phone or tablet (if you have Duo Mobile installed and activated on your iPhone or Android device). Just review the request and tap Approve. to log in.
- Call Me will authenticate via phone callback.
- Enter a Passcode will allow you to log in using a passcode, either generated with Duo Mobile, sent via SMS, generated by your hardware token, or provided by an administrator.
- Click Send Codes to get a new batch of passcodes texted to your phone.
- You can also use U2F Tokens for authentication.
If you can't authenticate or aren't sure what to do, click Need help? on the left side of the Duo prompt. Your administrator may have customized the help text with additional instructions or contact information.
Trusted Devices
You'll also see a Remember me for... option if your administrator enabled Duo's trusted devices feature. If you check this box when authenticating you won't need to perform Duo second-factor authentication again for the duration specified on the prompt.
Authenticating from Smaller Screens
If you're logging in with Duo from a device with a smaller screen (like a tablet) or small browser window then your authentication prompt may look slightly different. Don't worry! All the devices and options shown in the full-size prompt are available for use, and you can enroll and manage devices by following the same steps.
Access
Click the Settings button at the top for the commands Add a New Device or My Settings & Devices.
Click the X next in the Settings button to return to the authentication prompt.Manage Devices
The following instructions outline how to edit the devices you have enrolled on Duo. Select Device Options next to any of your enrolled devices to view the actions available for that type of device. You can Reactivate Duo Mobile for an enrolled smartphone, Change the Device Name for any type of phone, or delete any authentication device.
Reactivate Duo Mobile
You can use this option if you need to get Duo Push working on your phone (e.g. if you replaced your phone with a new model but kept the same phone number). After answering some questions about your device, you'll receive a new QR code to scan with your phone, which will complete the Duo Mobile activation process. Note: If you have switched smartphones, uninstalled the Duo Mobile application on your phone, or performed a factory reset, see the section, Reactivate Duo on Your Smart Phone.
Change Device Name
This will open up an interface to change the display name of your phone (hardware tokens can't be renamed). Type in the new name and click Save.
After successfully modifying your phone's name, not only will you see this from now on when managing devices, but it will also be how your phone is identified in the authentication dropdown.
Remove Device
Select the red Trash Can icon to delete a phone or token device.
Note: You may not remove your only remaining device. If you wish to remove it, first add another, then delete the original. If you are unable to delete a device, contact your administrator to have it removed.
You are given the chance to confirm or cancel deleting the authentication device. Once the device is deleted, it can no longer be used to approve Duo authentication requests.
Enroll New Device
You can easily add new devices right from the Duo authentication prompt.
Step 1: To start enrolling a new device, click Add a new device. If you don't see this link then make sure you are logging into the Online Account Management System.
Step 2: Choose an authentication method and complete two-factor authentication to begin adding your new device. If you're adding a new device to replace one that you previously activated for Duo Push, don't select the Duo Push authentication method on this page unless you still have the original device. If you don't have the original device but you have a new device with the same phone number, then you can authenticate with a phone call or SMS passcode.
You can't add a new device from this page if you do not have access to any of your previously enrolled authentication devices; you'll need to contact your Duo administrator for help.
Step 3: Proceed with the device enrollment process. As an example, let's add another phone.
Step 4: Select the new phone's operating system.
Step 5: Install Duo Mobile on the new phone and scan the barcode to activate.
The new phone is added and listed with your other enrolled devices. You can select Add another device to start the enrollment process again and add another authenticator.
To further manage the device added or any of the other enrolled devices, go to the Manage Devices option on this article.
Reactivate Duo on Your Smart Phone
To proceed, your smartphone will need to be able to receive calls or texts if it is the only device you've enrolled in Duo but it has to have the same number when it was first enrolled to receive a phone call or SMS text message.
1. MyNetID Login
Login to mynetid.rice.edu with your NetID and password. Click Sign In.
2. Authenticate with Duo
Authenticate with Duo by using the Call Me option.
3. MyNetID Welcome Screen
On the Account Management page, click the Two-Factor Authentication link/button.
4. Two-Factor Authentication Settings
Click the Device Management Portal button.
5. Duo My Settings & Devices
Select the Device Options button next to your registered device.
6. Duo My Settings & Devices, Device Options
Click on the Reactivate Duo Mobile button.
7. Phone Type
Select your type of smartphone and click Continue.
8. Activate Duo Mobile
***Note: Do not scan the QR code on this page.***
Click the hyperlink next to it to have it sent to your email instead. Follow the instructions within that email to continue.
9. Re-activation Complete
Once you see the green check mark appear, you have completed the reactivation of your device and will now be able to receive push notifications.
Need help?
If you need assistance, contact the OIT Help Desk.
Using Duo while Traveling
Duo offers multiple options to meet your needs when traveling. It is suggested that you enroll in any device you plan on using before your trip.
Options
- Even without cellular service or a WiFi connection, you may use the Duo Mobile app to generate a passcode that you can use for authentication. Simply choose the Enter a Passcode option when you get the Duo authentication prompt. To generate the passcode, open the Duo Mobile app on your phone and tap the button with the Key symbol.
If you are unable to have a smartphone during your travel, it is possible to get 10 one-time-use bypass codes that you can use for Duo Security authentication for the duration of your trip. You can generate these by going to your Online Account Management System, selecting Two-Factor Authentication on the left menu, and select Generate Bypass Codes at the bottom of the page. Each time you click this button, new codes will be generated and previous codes are invalidated.
If you have cellular service or a WiFi connection, then you can simply use whatever authentication technique you normally use. The push, passcode, and phone options all work out of the country. You can even add an international phone number as one of your authentication options.
Restrictions
The Duo app and hardware tokens are subject to export control regulations. According to federal export control regulations, the Duo app and hardware tokens may not be transported or sent to embargoed nations identified by the U.S. State Department.
Sanctions Programs and Country Information
Here is a dated list from August 2019:
- Cuba
- Iran
- North Korea
- Sudan
- Syria
- Venezuela
If you are traveling to any of those countries, delete or uninstall the Duo app from any devices you will take with you, and do not take Duo hardware tokens with you.
More Information from Duo.com
-
For more information, see the Duo Security online Guide to Two-Factor Authentication.
Need help?
Contact the OIT Help Desk.