Duo Two Factor Authentication
Gustavus requires DUO Two-Factor Authentication (TFA or 2FA) on your Gustavus account. Two-Factor Authenication is also known as Strong Authentication or Multi-Factor Authenticaion (MFA). DUO TFA is required for employees and students. Please note that enrolling in DUO two-factor authentication is permanent and cannot be deactivated.
Learn more about Duo Two-Factor Authentication
Contents
- 1 DUO Two Factor Quick Links
- 2 Why enroll in two-factor authentication?
- 3 How does it work?
- 4 Enrollment
- 5 Additional Information
- 6 Everyday Use of Duo
- 7 Supported Devices
- 8 Video Tutorial
- 9 FAQ
- 9.1 Am I required to enroll in DUO?
- 9.2 Do I need a smartphone to use Duo?
- 9.3 How can I use my FOB all the time?
- 9.4 Does the system allow for multiple hardware tokens and phones to be added to an account?
- 9.5 How does it work?
- 9.6 Do I need to use Duo Two Factor every time I log into my computer?
- 9.7 Which resources will use Duo Two Factor?
- 9.8 Can I set Duo up to automatically send a Push to my phone?
- 9.9 I am traveling abroad and do not have access to texts/internet, how can I use Duo?
- 9.10 I lost my device or I got a new device
- 9.11 I forgot my device at home?
- 9.12 Can I get one time use bypass codes?
- 10 Troubleshooting
- 10.1 When I log into my account on my iPhone, I do not see the Duo screen. I see a blank white/grey screen.
- 10.2 Duo doesn't remember me for 15 days like it says it will on my Internet browsers.
- 10.3 On my Mac, when I try to update my Internet Accounts for GusMail with my new password, the accounts page freezes and doesn't allow me to update the password.
DUO Two Factor Quick Links
- Duo Two Factor Authentication
- Getting Started with Duo at Gustavus Video
- Duo Two Factor - Device Replacement for End Users
- Duo Two Factor - Device Replacement for GTS Staff
Why enroll in two-factor authentication?
Two-Factor Authentication adds an additional layer of security to your Gustavus account. In addition to your password, you will need a mobile device like your phone or a hardware token to verify your identity when logging into your account.
Using just a username and password are no longer considered a secure mechanism for authentication. A password can be stolen or guessed. 2FA protects against password theft or guessing by requiring access to a physical mobile phone or hardware token to successfully login.
A successful information security program is all about adding layers of protection and 2FA is one of those critical layers. Learn more about securing your login by visiting the following page. #LockDownURlogin
How does it work?
- Access a resource protected by 2FA such as the Gustavus website or GusMail.
- Enter your username and password as you normally would.
- Click DUO push to send a verification to your mobile device or it may be automatically pushed to your device. If you do not have a mobile device set up, you can authenticate by entering a previously issued one-time bypass code, or via a hardware token (fob).
- After verifying it from you, by checking location, you accept a prompt from your mobile device to approve the login. If you have a fob, press the button on the fob, and then type the code that appears on your fob into the web page.
- Login is now complete.
Enrollment
Two-Factor Authentication is required on your Gustavus account. Any user may enable 2FA on their Gustavus account by following the instructions below. You will need a mobile device and the password for your phone to install the DUO Mobile App. You will also need your AppleID or Google Play account password to download the App Store or Google Play store. Please note that enrolling in DUO two-factor authentication is permanent and cannot be deactivated.
Follow the steps below to begin the two-factor enrollment, or watch our Getting Started with Duo Two Factor at Gustavus Video.
- Visit the Gustavus DUO Management portal.
- Enter your username and password.
- Click Start Enrollment or proceed to the next step if GTS has enabled your account for two-factor.
- Click Start Setup.
- Select your device type. We recommend a mobile device such as a phone.
- Enter your phone number and select the platform of the device.
- Install the Duo Mobile App from the App or Play store on your mobile device.
- Please enable notifications and access to the camera.
- Activate the Duo Mobile App by opening it and scanning the QR code.
- Click Continue to Login to try 2FA for the first time.
- Select Send Me a Push if you are using a mobile device. Enter code if you are using a bypass code or hardware token (fob).
- Click Accept on your mobile device.
- Your login is complete.
Additional Information
- An enrollment email will be sent to you from Duo as well to enable two-factor authentication.
- A mobile device such as a smart phone with the DUO Mobile App is recommended for security, convenience, and ease of use.
- If you do not want to use your mobile device, you can contact the Technology Services Helpline and request a list of one-time bypass codes, or under certain circumstances, we may advise that a Security Key be purchased. We recommend the Yubikey 5 or Security Key (NFC) from Yubico. There are several options depending on your devices: https://www.yubico.com/store#security-key-series
- GTS recommends installing the Duo Mobile App made by Duo Security on your supported device and enabling Automatically send me a: Duo Push.
To learn more, please visit:
- https://guide.duo.com/enrollment or watch our Getting Started with Duo Two Factor at Gustavus Video.
Everyday Use of Duo
Modifying Settings and Devices
There are two options for modifying your settings or to add an additional device:
- Visit the Gustavus DUO Management portal.
- Logout and back into the Gustavus website. Then click My settings & Devices
Automatic Settings
Duo can be configured to automatically send a Push to your default device.
- Access your Duo settings (see above)
- Under the list of current devices, you will see an option to select a Default Device:. If you have more than one device configured, select your default device.
- From the When I log in: pop-down select Automatically send this device a Duo Push.
Unprompted Notifications
If you receive Push notifications that you did not initiate, DO NOT approve them. If your account has been compromised, and someone has your password, they could initiate the Push, if you accept, you have granted them access to your account. If you feel as if the Push Notification is fraudulent, please change your Gustavus password/phrase and contact Technology Services.
Remember Me
You can set Duo to Remember me for 5 days. If you check the box (on the Choose an authentication method window), the authentication is remembered for 5 days on that browser from that machine only.
Supported Devices
- iPhone and iPad
- Android device
- Blackberry
- Windows Phone
- Hardware Token
- Security Key
Video Tutorial
Watch our Getting Started with Duo Two Factor at Gustavus Video.
FAQ
Am I required to enroll in DUO?
Yes, all Gustavus students, faculty, and staff are required to enroll in DUO TFA. This includes anyone who may have retained their Gustavus account after retirement or graduation.
Do I need a smartphone to use Duo?
No, you can have Duo send texts to a regular cellphone, or you can request a list of one-time bypass codes. In certain cases, you may be a good candidate for a hardware token (fob) that you can add your key ring. The fob provides codes that you can enter into the verification menu to access your account. Fobs are easily misplaced and can become unreliable if not used routinely, so this option may not be ideal for everyone.
How can I use my FOB all the time?
The Default Device pop-down does not allow users to choose a FOB as their default device. However, at the Duo Choose an authentication method window, you can select Enter a Passcode. You can then enter a passcode from your fob, the Duo Mobile App on your smart phone, or pre-generated bypass codes.
Does the system allow for multiple hardware tokens and phones to be added to an account?
Yes and we strongly recommend adding multiple options in case one is unavailable. However, GTS only provides one hardware token per eligible user. If an additional one is required, there are several options available for purchase online.
How does it work?
Once you are enrolled, every time you access a web page that uses the Gustavus Single Sign On page, use remote desktop or access the Remote server, you will be prompted with a Duo-Two Factor Authentication option, after you supply your credentials.
If you choose Enter a Passcode, the code can be from the Duo Mobile App on your phone, a fob or generated passcodes.
Do I need to use Duo Two Factor every time I log into my computer?
No, Duo Two Factor is only needed when you are logging into a resource below.
Which resources will use Duo Two Factor?
- Gustavus Google Suite - Drive, Calendar, GusMail
- Moodle
- Remote Desktop
- Gustavus User Settings
- Gustavus Web Resources
- Office 365
- etc
Can I set Duo up to automatically send a Push to my phone?
Yes, you can. Those settings are in the Duo Two Factor settings. There are two options for modifying your settings:
- Visit the Gustavus DUO Management portal.
- Logout and back into the Gustavus website.
Then click My settings & Devices.
You can then choose a Default Device (a hardware token or fob cannot be selected as the default device) and what method to use. Select either
- Ask me to choose an authentication method
- Automatically send this device a Duo Push
I am traveling abroad and do not have access to texts/internet, how can I use Duo?
When you are traveling abroad and do not have access to text messages or phone calls:
- Open the Duo Mobile app on your phone
- Press the down arrow to the right of the Gustavus Adolphus College heading. This will show you a passcode to enter at the two factor authentication screen.
- Instead of choosing push notification, press enter passcode and enter the number it generates in the app.
- If you set it to automatically send you a push notification, press cancel and choose enter passcode.
I lost my device or I got a new device
If you lost your phone and don't have a secondary device added to your account, please contact the Technology Helpline at (507-933-6111 or helpline@gustavus.edu) to get a new device added. You will need to speak with a full time staff member. If you have purchased a new phone, please see our web page Duo_TF_-_Device_Replacement_for_End_Users.
I forgot my device at home?
If you have your cell phone configured as your device, and it isn't available (left at home or dead batteries) you can contact the Technology Helpline (507-933-6111) to get printed bypass codes.
Can I get one time use bypass codes?
Yes, it is possible to get one-time use bypass codes. These are numeric codes you would print or write down and use one time for authentication. You can get a list of bypass codes by contacting the Technology Helpline (507-933-6111 or helpline@gustavus.edu. To use your codes, from the Choose an authentication method window, select Enter a Passcode, and input one of your codes.
Troubleshooting
When I log into my account on my iPhone, I do not see the Duo screen. I see a blank white/grey screen.
This symptom usually indicates a web content restriction. Please see Duo Mobile's help page for information on how to resolve this issue.
Duo doesn't remember me for 15 days like it says it will on my Internet browsers.
Update your browsers to the newest versions, and then try clearing the website data/cache for duosecurity.com. Also allow cookies for websites you visit.
On my Mac, when I try to update my Internet Accounts for GusMail with my new password, the accounts page freezes and doesn't allow me to update the password.
Open Keychain Access on your Mac, and search for Google saved passwords and remove them. Restart your computer and try again.