FAQs regarding URI’s 2-factor authentication solution DUO.
-What is two-factor authentication?
Two-factor, two-step, or multi-factor authentication (MFA) is a security process that requires you to use two different authentication factors (methods) to verify your login. Think of your first factor as the lock on the front door of your house and the second factor as the door’s deadbolt. The first factor is your URI SSO credentials, and the second factor is a push notification, a code or call sent to your mobile device or landline. Two-factor authentication is the most effective way of protecting both your credentials and the resources you access with those credentials. With two-factor authentication, you can ensure that all your data remains safe, even if your password is compromised.
-Who is required to use two-factor authentication?
Two-factor authentication is required for all active student, staff, faculty, and sponsored affiliate accounts.
-When will I be prompted to authenticate with 2FA?
You will be prompted with 2FA whenever you log in to URI SSO or Microsoft 365, starting on May 20th, 2022.
-I have enrolled a 2FA device, why am I not seeing a DUO prompt when I log into my SSO account?
The 2FA device enrollment period begins two weeks before the 2FA enforcement date; however, DUO 2FA prompts will not be enforced until May 20th, 2022.
-What if I already have Microsoft Authenticator set up on my SSO account?
Leading up to the DUO deployment, ITS Security will be replacing Microsoft Authenticator with DUO. After the go-live date, DUO will be the only prompt you will see when logging into your SSO account.
-What versions of Android and iOS does DUO support?
DUO Mobile supports iOS 13 or later and Android 8 or later.
-What if I don’t have a smartphone?
If you do not use a smartphone, you can utilize the DUO Mobile app on a tablet, or set up your mobile phone, office or home landline phone for authentication via SMS or voice call.
-Can I use a YubiKey with DUO?
Yes, DUO supports the use of security keys, like Yubico’s YubiKeys.
To use a security key with DUO, make sure you have the following:
- A supported browser (Chrome 70, Firefox 60, Safari 13 or later), or Microsoft Edge 79 or later.
- An available USB port.
- A supported USB security key. WebAuthn/FIDO2 security keys from Yubico or Feitian are good options. We do not recommend U2F-only security keys (like the YubiKey NEO-n).
Note: At this time, security key authentication will only work with SSO/Office 365 logins.
VPN authentication will not work with security keys.
-Can I use Hardware Tokens to use with DUO?
Yes, DUO supports the use of HOTP (event-based) hardware tokens. These tokens generate a one-time passcode which lasts for 30 seconds.
Hardware tokens need to be enrolled into DUO and assigned to your user account by a DUO admin.
If you have personally purchased a HOTP hardware token, please contact the service desk to have your token enrolled in DUO. You will need to provide the Token SEED file for enrollment.
Hardware tokens can be used to authenticate to both SSO/Office 365 and VPN.
-Will URI provide Hardware Tokens to use with DUO?
URI has a limited number of tokens which can be provided to URI community members that cannot authenticate through the following methods:
- Duo Mobile App (Mobile Device/Tablet)
- Landline (Phone Authentication via Office phone/home phone)
- Non-Smart Mobile Device (Phone/SMS Text authentication)
Anyone requesting a hardware token provided by ITS needs to have their manager’s approval prior to the distribution of the token.
All Service Requests for hardware tokens need to be submitted with the manager/approver copied on the ticket.
URI-provided hardware tokens must be listed on any URI Remote Work agreements under University Owned equipment (serial number must be included on the form).
The requesting department will be charged for any lost/replacement tokens. The replacement cost of the token will be $20 billable to the department through Pinnacle.
-What if I do not have internet or cellular service?
The DUO Mobile app can utilize one-time passcodes (OTP) through the “Enter a Passcode” authentication option on the DUO login screen. This method will work without an active data or cellular connection.
Step 1. Log into your account and use your SSO user name and password to get to the DUO authentication screen.
Step 2. Select “Enter a Passcode”.
Step 3. Open the Duo Mobile app and tap on University of Rhode Island. A 6-digit number will be displayed.
Note: The passcode is one-time use. To generate new passcodes, simply swipe down on your smartphone screen or press on the circular blue arrow.
Step 4. On your computer, enter the 6-digit passcode and click Log in.
-What happens if my phone is lost or stolen?
Contact the URI service desk to have your lost or stolen authentication device removed and another device added.
-How do I add another authentication device to my DUO account?
Visit https://guide.duo.com/add-device for instructions on adding additional devices to your DUO account.
NOTE: You will need at least one active authentication device in place to confirm your identity in order to add additional devices.
-Are there any location-based restrictions for DUO service?
In order to comply with U.S. regulations, Duo blocks authentications from users whose IP address originates in a country or region subject to economic and trade sanctions enforced by the U.S. Office of Foreign Assets Control.
Users attempting to authenticate to a Duo-protected application from an access device with an IP address originating in an OFAC-regulated country or region will be blocked from completing their login and receive an error message.
Web-based applications will display the following error message: “Access denied. Duo Security does not provide services in your current location.” Other applications may display a generic failed login message.
OFAC restrictions relevant to Duo currently apply to the following countries or regions:
- Cuba (CU)
- North Korea (KP)
- Iran (IR)
- Sudan (SD)
- Syria (SY)
- Crimea region (43)
- Donetsk region (14)
- Luhansk region (09)
- Sevastopol region (40)
-What about my privacy with the DUO mobile app?
Duo Mobile cannot see your user data like your contacts, it cannot read your text messages, it cannot access your photos (but it can use your camera to scan a QR code if you explicitly allow that permission), it cannot access your files, it cannot erase your device, it cannot see information about other applications on your device. Duo Mobile cannot track your location. In general, the only personal data that Duo Mobile knows about you are the service accounts that you explicitly add to Duo Mobile. However, Duo does not track personal data about these accounts–only the name of the service.
The DUO Mobile application will also ask you whether you wish to share application usage information with the creator of the DUO product. You may allow or deny this; it is optional.
For additional information, please see Duo’s Privacy Information.