- Duo Security is a solution that uses two-step or two-factor authentication to protect Fredonia electronic services (e.g. GSuite, SUNY.edu, etc.). This process asks individuals logging into Fredonia protected services to confirm their identity using their password AND another factor such as a smartphone, landline phone, tablet, or a hardware token.
What is Two-Factor Authentication?
- Two-factor authentication adds a second layer of security to your online accounts. Verifying your identity using a second factor (such as your smartphone, landline, hardware token or other mobile device) along with your password prevents anyone but you from logging in, even if they know your password. Please check out the Guide to Two-Factor Authentication for more information.
- Enter username and password as usual
- Use your phone to verify your identity
- Securely logged in
Once you've enrolled in Duo you're ready to go: You'll log in as usual with your username and password, and then use your device to verify that it's you.
Why is Fredonia implementing Duo Security?
- Due to Federal regulatory compliance requirements and the increasing number of phishing scams that target the campus community every day, we are implementing Duo Security for Fredonia eServices and other critical electronic resources.
What should I expect during the Duo Security enrollment process?
The Duo enrollment process takes approximately 5 to 10 minutes to complete. Please visit the Duo Security Enrollment Guide to learn more and be sure to watch the brief tutorial.
Am I required to use Duo Security?
- All Fredonia employees will eventually be required to use Duo Security to access Fredonia protected services (e.g. email). All Fredonia staff members and all Virtual Private Network (VPN) users are scheduled to be enrolled in the Duo Security service by the end of the spring 2018 semester. Faculty members will be scheduled to enroll in the Duo Security service at a later date that is yet to be determined. Students are not required to enroll in the Duo Security service unless they are a student employee with access to Fredonia protected services. Students will be issued a separate eServices account for this purpose.
Whom should I contact if I have questions or concerns about the requirement to use Duo?
We encourage you to contact us with feedback, or with questions or concerns about the project in general. Please contact the Information Security Office at 673-4725 or email@example.com.
How will Duo change how I log into Fredonia electronic services?
First, Duo will require a second method of confirmation for a person logging in to view or edit Fredonia data. Individuals will be asked to confirm their identity using a smartphone app, via automated calls to a mobile or landline phone, or using a hardware token.
What Fredonia electronic services are currently protected with Duo Security?
- Currently Duo Security is protecting the following Fredonia electronic services:
- Drupal Web Publishing
- FredApps (GSuite)
- SUNY Employee Portal
- 1Password Teams
- Remote access to University owned computers
- Local and remote access to University servers
- NOTE: We will be adding other Fredonia electronic services as funding and resources permit.
Do I need a smartphone to use Duo?
No. Duo provides a great deal of flexibility and you do not need a smartphone to use it.
The recommended smartphone option makes two-factor authentication extremely easy, but a lot of other easy options exist as well. Duo can place a voice call to your office landline phone or cell phone. If you have a University-provided smartphone then you are required to use it with Duo Security. You are not required to use your personal cell phone.
What if I do not wish to use my personal smartphone and I teach in classrooms or labs that do not have a landline available?
The University will issue you an OTP hardware token at no cost to you or your department. You will be required to sign for this token and return it to the Information Security Office upon separation from University employment. Please see the bottom of this KB article for further information regarding hardware tokens.
If I choose to use my personal smartphone using the Duo Mobile app, what kind of information does Duo have access to?
- Duo does not collect personal information from your smartphone. By using your personal smartphone to access Duo protected services, you are consenting for Duo to store your personal cell phone number and if you select the "call me" option, charges may apply.
Do I have to use Duo every time I log in to FredApps?
Duo allows you to remember a device for 12 hours. You can approve any computer that you commonly use and will not be required to provide two-factor authentication confirmation during the 12-hour period as long as you use the same computer (or other device) and browser. For example, if you have a desktop and a laptop, you can approve both computers as trusted devices and not have to confirm your identity with a phone until after the 12 hours have expired.
Can I set up Duo on more than one phone?
You are required to set up Duo on more than one device, which can be another phone, in case you forget a phone at home or are not at your office phone. During your initial setup, you may add a landline and/or mobile phone. After that, when you log in, you can choose which line Duo will send the authentication request to (via the Duo Mobile app or a phone call, depending on what you chose).
What is Duo Push?
Duo Push is a feature within the Duo Mobile app that delivers two-factor push notifications to your phone for fast and secure access. Duo Push is resilient against man-in-the-middle attacks that allow attackers to steal your password and your second factor. After logging in with your username and password, choose Duo Push on the authentication prompt. Then, tap ‘Approve’ on the push notification sent to your phone seconds later to securely access your application.
I have a new phone and the Duo app stopped working. What should I do?
If you get a new phone, make sure you install and re-activate the Duo app. To re-activate the Duo Mobile app on your new phone, go to the Settings menu in the Duo login screen (you have to log on to any service protected by Duo to get the login screen), select the My Settings and Devices option, and go through the Duo authentication by placing a call to the phone. Click on the phone number to go to the settings of your phone and select Reactivate Duo Mobile. Follow the instructions to install and add your account to Duo Mobile.
NOTE: When adding a new device, it is easier to use an Incognito / Private Browser window to get to the Settings menu on a Duo login panel than it is to completely log out of a browser.
If you have difficulties with this process, you can submit a ticket to the Information Security Office by emailing firstname.lastname@example.org.
Can I use Duo Security internationally?
- The Duo smartphone app is designed to work internationally. However, you are required to notify the Information Security Office (email@example.com) prior to using it internationally if you are traveling to areas that are part of the European Union, due to privacy law restrictions. The ISO will temporarily disable your Duo Security account protection while you are in the European Union. Your access to email and other protected services will not be disabled during this time; only Duo will be.
How do I select the "Remember me for 12 hours..." checkbox if the Duo Authentication Prompt is automatically sending a push?
- The Duo Authentication Prompt will gray out the rest of the prompt during an automatic push. Follow these steps to select the "Remember me for..." checkbox:
Click Cancel on the automatic push message at the bottom of the prompt.
Select the Remember me for 12 hours... checkbox.
Initiate another push and authenticate. You will now be remembered on that browser on that computer for 12 hours.
What happens if I set up my browser to clear cache/cookies after exiting?
The “Remember your device for 12 hours” option uses a persistent cookie. If you clear cookies after you log off of the browser, the device will not be remembered and you will have to confirm your identity again when logging in.
If your browser is not remembering that you checked the “Remember Me” box, then check the cookie settings of your browser.
Chrome's “incognito” setting, Firefox's “private window,” and Internet Explorer's/Edge's “InPrivate” settings will affect this behavior and the “Remember Me” feature will not work.
Can Duo's Remembered Devices feature work if third-party cookies are blocked?
- The Remembered Device feature will work if an exception is made in the browser's security settings for third-party cookies coming from Duo Security.
Duo's cookies are only used to remember a Remembered Device. The cookies and associated data are never used for advertising or marketing purposes.
To add an exception for Duo-served cookies, use the following format, depending on which browser you're using:
Internet Explorer: *.duosecurity.com
Chrome and Opera: [*.]duosecurity.com
Note that Safari does not allow setting exceptions for third-party cookies.
What if I forget my phone at home?
You will need to use your backup second factor to authenticate (e.g. hardware token, landline, etc.).
What if I lose my phone?
Contact the ISO at firstname.lastname@example.org immediately and we will lock your Duo account to prevent malicious activity.
After confirming a legitimate login attempt, I'm stuck on a strange two-step screen. Why?
What if I don't have a cellphone?
If you don’t have a cell phone, Duo allows you to use your landline phone. You would receive an automated phone call that requires you to hit any button to confirm your identity.
What if I don't have a data plan on my phone? What if I don't have a connection?
The Duo smartphone app provides options that work without a data plan, a texting plan or even a connection, if necessary. The app can generate the required code without need of either a telephone signal or data plan, and it can do so anywhere in the world. If you have a signal and data plan, the app makes two-factor authentication as easy as pushing a single button, but if you don’t, you can use the app to generate a six-digit code and enter that instead.
What data is being collected by Duo?
- First Name
- Last Name
- Fredonia Email Address
- University Phone Number (only if the employee enrolls their University owned cell phone or landline)
- Personal Phone Number (only if the employee enrolls their personal cell phone or landline)
- IP Address of the device used to access a University protected service
- Date and time that you access Fredonia electronic services
What if I want to use a Hardware Token with Duo?
A security token (also referred to as a hardware token) is a small hardware device carried by a user to authorize access to a protected service. Duo supports standalone (USB) and one-time passcode (OTP) hardware tokens for two-factor authentication.
Fredonia currently offers the following options for hardware tokens for two-factor authentication.
Option 1 - If you do not have a University-issued cell phone and you do not have a dedicated landline assigned to your office, then the University will provide you an OTP hardware token. You will be required to sign for the token when it is issued to you and return it to the Information Security Office when you are no longer employed with Fredonia. If you lose the token you will be required to replace it at the cost of $20.00 each. These tokens use a non-replaceable battery, typically last two years and have a six-month warranty. NOTE: Please be aware that these tokens may get out of sync and not work properly if you repeatedly press the button without entering the code to authenticate (e.g. storing on your keychain).
Option 2 - If you prefer, you can get a USB device that can automatically generate and submit a one-time password into a text field validated by Duo. There are two models supported and both require a USB port. Departments are responsible for purchasing these hardware tokens and then providing them to the Information Security Office for initial (one-time) programming before they can be used with Duo. Please contact the Information Security Office at (716) 673-4725 or email@example.com for more information.
(Please request a quote for Yubikeys from Byron Hemingway at Byron@yubico.com or 650-862-9136.)
How do I use a Hardware Token with Duo?
Please visit the following URLs for short instructional videos:
OTP Hardware Token
What if I have student employees that access University Duo protected services?
Student employees that access protected Fredonia electronic services (e.g. department email account, SUNY Employee Portal, etc.) are required to use Duo Security. The Information Security Office will issue the student employee's supervising department head a new generic eServices account solely to be used for the student employee's work responsibilities. Supervising department heads are responsible for the appropriate use of the issued eServices account in accordance with all Fredonia policies and applicable laws. They are responsible for providing the eServices account credential to their student employee, resetting the password each time they reissue it to a new student employee, and collecting the hardware token from the student employee when their employment ends. The eServices account will use a University-provided OTP hardware token (Option 1 above) as the primary second factor and the departmental office landline as the backup second factor device. Departments need to contact the Information Security Office (firstname.lastname@example.org) to request a new student employee eServices account and Duo Security hardware token.
Short URL to this page: https://answers.fredonia.edu/x/ZoM4