Topics Map > •Accounts, Authenication & Passwords > -Accounts
Topics Map > •Accounts, Authenication & Passwords > -Duo
Topics Map > •Accounts, Authenication & Passwords > -NetID

Duo: Complete Guide to Duo

Duo is a security authentication tool that adds an additional layer of protection to online accounts. Using this document, you can enroll and manage a device in Duo, learn how to go through an authentication prompt, and learn how to use Duo while traveling.

 

This guide will provide links directly into Duo's own support documentation to help you find the information that you are interested in. 

Overview

What is Duo?

Duo is a tool used to improve security by using two-factor authentication (2FA), also called multi-factor authentication (MFA). Individuals are required to verify their identity by sharing something they know (i.e. user ID and password) along with something they have (i.e. smartphone, tablet). This type of authentication protects Rice systems against cyber attacks. Duo helps protect against phishing, social engineering, and password brute-force attacks and secures your logins from attackers exploiting weak or stolen credentials.

Here is a brief description of the process:

If you ever receive this notification from Duo asking if you are trying to access a resource that you are not currently trying to access, please indicate that the request from Duo is fraudulent and change your NetID password. 

Why is Duo needed?

With the number of stolen passwords and hacking attempts on the rise, it is important to ensure the safety and security of Rice data and systems. With this additional security, we can ensure that critical university systems are only accessed by authorized users.

Which Rice systems use Duo?

Duo authentication is required on most of Rice's centralized systems, including:

What are the Duo Authentication Methods?

This is the list of all current Duo authentication methods in order of most secure to least secure.  Rice does not support every authentication method.

Table of Authentication Methods
Authentication Method Category Security Description Usable at Rice
Platform authenticators PASSKEY VERY STRONG (5) Apple Touch ID / Face ID and Windows Hello Yes
Roaming authenticators PASSKEY VERY STRONG (5) WebAuthN tokens (Yubikey / 1Password / Apple Keychain / Google Chrome Password Manager) Yes
Verified Duo Push * PUSH VERY STRONG (4) Duo Mobile App Push w/PIN requirement No
Duo Mobile push approval PUSH STRONG (3) Duo Mobile App Push Yes
Duo Desktop authentication * PASSKEY STRONG (3) Desktop App  No
Duo Mobile generated passcodes PASSCODE STRONG (3) Duo Mobile App Passcode Yes
YubiKey passcodes * PASSCODE STRONG (2) Hardware token No
Hardware token passcodes PASSCODE STRONG (2) Hardware token (OTP) Limited
SMS passcodes SMS WEAK (1) SMS delivered passcode Yes
Phone call approval VOICE WEAK (0) Telephone call with voice prompts Yes

* Not available at Rice

Security

0 = Weak - 5 = Strong /  2 or higher is acceptable for normal use, 3 and higher is preferred

Categories

PASSKEY

The PassKey methods are phishing-resistant and cryptographically strong.  The credential can only be shared with the website that it was configured with. 

PUSH

The Push method sends a message to the Duo Mobile app running on your smartphone, which causes it to produce an immediate popup notification and only requires clicking an Accept or Decline button.  This is by far the easiest method with which to interact with the Duo 2FA process, but it requires running the Duo Mobile app on your smartphone and an active cell or wireless connection.

PASSCODE

The Passcode method is a six digit number that can be entered into the Duo Prompt. The Duo Mobile app running on your smart phone can generate this passcode for you.  This passcode number can also be generated by a Duo Hardware Token.  The passcode method does not require an active cell or wireless connection.

SMS

The SMS method will send a passcode to your cell phone as a SMS message.  You can then enter this number into the Duo Prompt.  The SMS method can be used on non-smart phones though this is one of the weakest in regards to security.  The SMS method requires an active cell connection.

VOICE

The voice method will call your phone and ask you to approve or deny the request by pressing a number on the phone. This option can be used with landlines.  Like the SMS method above, this is the weakest in regards to security.  The VOICE method requires an active cell connection if used with a mobile phone.

What is a Duo device?

Duo devices allow you to respond to the authentication requests sent by the Duo prompt. 

Supported Web Browsers

Duo is constantly upgrading its service and security.  Due to this, it is important to remain current with your web browser platform when using the service.  Duo list of supported web browsers.

Travel and Duo

Duo offers multiple options to meet your needs when traveling. You should enroll in any device you plan on using before your trip.

  • Even without cellular service or a WiFi connection, you may use the Duo Mobile app to generate a passcode that you can use for authentication. Simply choose the  Other -> Passcode option when you get the Duo authentication prompt. To generate the passcode, open the Duo Mobile app on your phone and tap the button with the Key symbol.
  • If you are unable to have a smartphone during your travel, it is possible to get 10 one-time-use bypass codes that you can use for Duo Security authentication for the duration of your trip. You can generate these by going to your Online Account Management System, selecting Two-Factor Authentication on the left menu, and select Generate Bypass Codes at the bottom of the page. Each time you click this button, new codes will be generated and previous codes are invalidated.
  • If you have cellular service or a WiFi connection, then you can simply use whatever authentication technique you normally use. The push, passcode, and phone options all work out of the country. You can even add an international phone number as one of your authentication options.

Travel Restrictions

The Duo app and hardware tokens are subject to export control regulations. According to federal export control regulations, the Duo app and hardware tokens may not be transported or sent to embargoed nations identified by the U.S. State Department.

Sanctions Programs and Country Information

  • Cuba
  • Iran
  • North Korea
  • Sudan
  • Syria
  • Crimea region
  • Donetsk region
  • Luhansk region
  • Sevastopol region 

If you are traveling to any of those countries, delete or uninstall the Duo app from any devices you will take with you, and do not take Duo hardware tokens with you.

See also: Duo - Access Denied. Duo Security does not provide services in your current location

 

Usage

Authentication

NOTE: Duo automatically defaults to using the most secure authentication method you defined on first use.  Afterward, it will default to the last one that you used.

Duo authentication process

Device Management

Duo adding or managing devices after enrollment

Backup and Recovery

Duo Restore - iOS

Duo Restore - Android

 

Enrollment

You will be automatically taken through the Duo enrollment process when you first activate your NetID.  You are only allowed to go through the NetID activation process once.  

If you've been at Rice a long time and never set up Duo, logging back into https://MyNetID.rice.edu with your NetID and password should be enough to start enrollment.  

Duo enrollment process

WARNING

The enrollment process will only require you to define ONE Duo device.  Some individuals find that if they only set up a platform authenticator tied specifically to one device, they cannot get into sites requiring Duo if they change their device.  It is always best to set up multiple (2 or more) devices capable of responding to Duo, like using a roaming authenticator or the Duo Mobile app on your smartphone. 

 

More Information

 

Need Help?

Contact the OIT Help Desk.

 



KeywordsDuo two factor authentication second layer online accounts security logging passwords critical duo login enrollment manage device 2FA MFA multi factor twofactor multifactor https kbriceedu duoguide pagephpid78235utm campaignoit20announcementsutm sourcehs emailutm mediumemail hsencp2anqtz bymdu5 mbyyk dlhcuhoz2kdte1raixbyz0xrodjgkrgxw5hcchiojhc4u2dwtexkqldp   Doc ID78235
OwnerNeedsOwner U.GroupRice U
Created2017-11-14 11:25:28Updated2024-11-11 15:34:52
SitesRice University
Feedback  5   19