Multi-Factor Authentication with Duo Frequently Asked Questions
In a process approved by the President's Cabinet to meet university compliance requirements, Multi-Factor Authentication with Duo has been selected as the university's Multi-Factor Authentication method to secure access to Protected Data. University Information Services has developed this Frequently Asked Questions (FAQ) page to answer questions you may have about using Multi-Factor Authentication.
Table of Contents
- Why are we being required to use Multi-Factor Authentication?
- Who is required to use Multi-Factor Authentication?
- What is the official name of the new system?
- Which services require that we use Multi-Factor Authentication?
- Aren’t you worried people will confuse MFA with Master of Fine Arts?
- What device will employees use for Multi-Factor Authentication with Duo?
- How do I get the Duo Mobile App for my smartphone?
- Can the university require people to use their personal cell phones?
- What if I do not want to use my personal cell phone when setting up this service?
- What if I do not have a smartphone?
- Who pays if I need a hardware security key?
- Where can I get a hardware security key device?
- What if my device does not have a USB-A port for the least expensive Yubikey?
- What happens if I forget my cell phone or security key at home?
- What other options are available besides purchasing a security key?
- Does adding a second authentication device create another layer of problems?
- How often would we have to use Multi-Factor Authentication?
- What if my smartphone does not have data service?
- What happens if I choose not to use Multi-Factor Authentication?
- Will I need to carry around my cell phone everywhere I go?
- Am I limited to using only University owned computers?
- Which Phones will work with Duo Mobile?
- What do I need to do if I get a new cell phone?
- Do I need to authenticate with Duo if I am accessing a site on my mobile phone that has the Duo app installed?
- Where do I go for help if I’m having problems with Multi-Factor Authentication?
Every University employee has access to data that is protected by some form of regulation. Passwords alone are no longer enough to secure protected data and auditors are asking us to do more. Failing to secure protected data can result in large fines and loss of funding for the University. We also are concerned for the privacy of our students, patients, and fellow employees and want to do our best to protect their information.
Currently, only full and part time university employees are required to use Multi-Factor Authentication.
Multi-Factor Authentication with Duo will be the official name used by UIS. Sometimes referred to as MFA, or Two-Factor Authentication (2FA).
Duo is currently configured to protect web logins to Pacific's single sign-on environment. These include myAccount, Moodle, Box, BoxerApps (Google), Boxer Alerts, Compliance Training, Qualtrics, Zoom, and others. We plan to add employee access to Webmail in the near future.
No, because UIS will not refer to it as “MFA” alone.
Since most employees are already using personal cell phones for accessing University email and accessing Boxer Wireless, our hope is that most employees will use their cell phone for push notifications using the Duo Mobile app.
The Duo Mobile App can be downloaded from either the Apple or Google Play app stores.
If you have been provided a university funded cell phone or you receive a cell phone stipend for required university usage of the device, then you would be required to us the university funded device. Cell phone requirements may also be included as part of an employment contract or job requirements for particular positions. Other employees may choose to use their personal cell phone as a convenience, but not a requirement. Since many employees are already using personal devices on the campus wireless network, no additional costs would be incurred by the employee to install and use the free Duo Mobile app.
Any employee who doesn’t want to use a personal phone for this purpose should talk to their supervisor, director or dean about it. The gap between what an employee needs to be able to do their job, what personal resources the employee is willing to use and what resources their department is willing and able to provide is a matter for each employee to work out with their supervisors. UIS’ only role is to provide the required security framework and to assist employees with whatever is their chosen method for authenticating.
Hardware security keys are also available for purchase to use when a smartphone is not available.
University departments may choose to pay for employee hardware tokens like they would for other office supplies. Employees may also bring their own hardware token that can be used for both work and personal online accounts.
UIS recommends Yubikey hardware security keys from yubico.com that cost as low as $20 per device. You may also check with the University Bookstore. We suggest caution when finding less expensive security key devices made outside the United States since these devices are given access to your computer and data by connecting through a USB port or other methods.
Currently, the only computers UIS has issued without USB-A ports are the recent MacBook Pros. With each of these USB-C-only MacBook Pros we ordered USB-A to USB-C adapters and delivered those when we deployed the MacBook Pros. We plan to continue doing this for any computer we deploy that is USB-C only. It is true, however, that having a more expensive USB-C Yubikey would make it more convenient for those users.
If you leave your Multi-Factor Authentication device at home, please contact the Technology Helpdesk and we will assist you with temporary access. You may consider purchasing a hardware security key to keep on a key ring for backup if needed.
Using the Duo app on a smartphone, using the Duo app on a tablet and using a hardware authentication device (a key) are the only ways employees can authenticate to Duo protected systems.
Our experience is that having a second device reduces problems (or at least makes them less urgent), as one can be used as a backup to the other. For instance, if one’s phone is acting weird, one can use a Yubikey instead. If a Yubikey is lost or stolen, employees can (and should) disable that device from being able to be used to authenticate.
For one’s primary web browser, it should generally be once a week, since one can tell Duo to keep one logged in for five days. Using other systems (e.g. a web browser on a classroom PC) that may require authentication more often (as often as a faculty member or staff logs into a protected system).
The Duo Mobile app will allow you to generate a one time code that can be used when your smartphone does not have data service.
If you choose not to use Multi-Factor Authentication you will not be able to use any of the services protected by it an may not be able to complete your job duties.
Employees who may need to login on multiple devices at various locations will need to carry either their cell phone or a hardware token in order to login. For example, a faculty member needing to log into a single sign-on server from a classroom computer will need a device to authenticate.
Multi-Factor Authentication with Duo will work on any computer used to access University resources protected behind Multi-Factor Authentication.
Duo Mobile will work on many of the recent versions of Apple iOS and Android versions as long as the phones have screen locks enabled and have not been "rooted".
Please see this Duo web site for supported Apple iOS versions.
Please see this Duo web site for supported Android OS versions.
If you are a university employee using Multi-Factor Authentication with Duo, and you use your phone as an authentication device, and you get a new phone, you will need to transition over to using the new phone as your authentication device. Please see our Knowledgbase article for Changing Multi-Factor Authentication with Duo to a New Phone.
Do I need to authenticate with Duo if I am accessing a site on my mobile phone that has the Duo app installed?
One can log onto a Duo-protected application using the browser on one’s cellphone, and authenticate using the Duo app on the same device.
Please contact the Pacific Technology Helpdesk at 503-352-1500 or by email at email@example.com of account related issues. Please note that the Technology Helpdesk will refer usage questions to the Box Help site.