Duo - Frequently Asked Questions


If you are a user (or soon will be a user) of the Duo system, you may have some questions.  We will try to answer the most common questions here (email chauvetp@newpaltz.edu if you have any other questions).

Why is New Paltz using the Duo system?

What is MFA?

How does Duo Work?

What email applications work with Duo?

How do I get set up for Duo?

How to add a backup device for Duo

Can I use the Duo phone app when my phone doesn't have Internet access?

Will students need to use Duo?

What about the security or privacy of the Duo app?

What if I don't have a smartphone?

Why is New Paltz using this system?

You may ask, "Why is New Paltz using Duo, or Multi-Factor Authentication (MFA)?"  There are a number of reasons.

  • Phishing: Phishing has continued to be a significant problem both at New Paltz and at organizations worldwide.  Although the vast majority of these phishing messages are being blocked or marked as spam here at New Paltz (and many of our faculty and staff are fantastic about reporting these messages) some do get through.  At this point, the training and simulations are not a sufficient defense on their own.
  • Password reuse: Though we want everyone to use a different password for every system, we know that doesn't always happen.  People sometimes use the same password on multiple services.  When an external service gets compromised, the passwords used at that external site may be at risk.  They may be used to try to access other accounts, including those at New Paltz.  The same is true of common passwords.
  • Brute force attacks: Hackers often try to simply 'guess' passwords, basing their guesses on common password patterns.

We have a duty to protect the data of our students, faculty, staff, alumni and donors.  Even the account of someone who does not have direct access to that data can give a criminal a level of access to the college which could lead to a further breach.  Because of this, we need to protect accounts with more than just a username and password.

That is why we are expanding the usage of the Duo MFA (Multi-factor Authentication) system, which is currently in place for a number of users with the most sensitive data/system access.  We will be expanding both the departments and users included in this program, as well as the systems which are protected by it.

New Paltz has chosen Duo specifically as our MFA provider for its affordability, ease of use, and compatibility with the systems that we use here.

 

What is MFA?

Multi-factor Authentication systems are those that require at least two of the following factors (only the first two being used by New Paltz).

  • Something you know (such as usernames and passwords)
  • Something you have (such as an app on a smartphone, or a small key chain token) which is tied to your account
  • Something you are (biometrics such as fingerprints - don't worry - we have no intention of using biometrics at New Paltz)

An account protected by MFA cannot be accessed with one of those factors alone.  Were someone to get my password but not have my smartphone, they would be unable to access accounts protected with MFA.  Conversely, if someone had my phone but not my password, they would also be unable to access accounts protected with MFA.

MFA is increasingly used to protect data on systems such as financial/banking accounts, email, social media, or other systems which are at high risk of compromise by criminals.  New Paltz has implemented, and is expanding the usage of, MFA to better protect the sensitive data, systems, and accounts that our faculty and staff are entrusted with.

 

 

What email applications work with Duo?

Only applications which support "Modern Authentication" (a Microsoft protocol) are compatible with Duo.  

The following applications are compatible, and recommended:

  • Outlook Web Access (i.e. when you access your Office 365 account via your web browser)
  • Outlook 2016 or later
  • Outlook (mobile app on iPhone or Android)
    • Note: Android must be version 6.x (AKA Marshmallow) or higher as of December 2019.

The following are compatible - but unsupported by ITS:

  • Apple Mail (on MacOS Mojave or later versions)
  • iOS Mail (on iPhones or iPads running iOS 11 or higher)
  • Windows 10 Mail app
  • Microsoft Office 2013 (configuration change required for 2013 to work)

The following are incompatible: Mozilla Thunderbird, the Gmail app on Android or iOS, Microsoft Office 2011 or earlier, and any other application not otherwise listed.

Unfortunately, not all applications support the Multi-Factor Authentication system.  Any application that doesn't support it is a vulnerability, because it would allow a criminal to gain access to an account that is protected by MFA through a login method that is not.

 

How do I get set up for Duo?

Go to www.newpaltz.edu/duo-signup

Once you go there, you'll be asked to state that you are "Ready for Duo".  This means you either have downloaded the free Duo Mobile app on your smartphone, or that you have one of the Duo security keys or login tokens.  If you do not have a smartphone, you can order the security keys online (see the "What if I don't have a smart phone?" section near the bottom of this page for details), or you can contact our Service Desk for a token.

 

Can I use the Duo phone app when my phone doesn't have Internet access?

If you are using the Duo phone app, you can still use Duo when you don't have Internet access on your phone (such as when you are out of the country).

  • When logging in, instead of clicking "Send me a Push", click "Enter a passcode"
  • Go into the Duo app and click where it says "State University of New York at New Paltz".  A six-digit number will come up.
  • Enter that number on the Duo login page

 

Will students need to use Duo?

Yes!  For now, the service is opt-in.  You can sign up by going to: https://www.newpaltz.edu/duo-signup

We are gradually adding to the number of services which require Duo.  As of now the following services are not accessible without Duo:

  • The New Paltz VPN (Virtual Private Network)
  • Microsoft Office 365
  • Virtual Desktop Infrastructure (VDI)
  • CashNet (the college's online payment system)

We expect to add additional services, most notably Blackboard, sometime in the Fall 2020 semester.

 

What about the security or privacy of the Duo app?

New Paltz ITS and the information security industry in general have a very positive impression of Duo and the Duo app.  Duo’s app only asks for the permission to show notifications and to access your camera.  The camera permission is just for the initial setup (to scan the Duo QR code) and you can revoke that permission afterwards.  The notifications are only used to send you the ‘push’ notification that you need to approve when logging in.

Duo does not have access to the data on your phone such as pictures, files, etc. 

If your concerns are privacy-related, please see the information on Duo’s site about “What data does Duo collect” and “Duo Mobile Privacy Information”.

What if I don't have a smart phone?

If you do not have a smart phone, you can log in with a hardware security key.  We have two types of these:

  • YubiKeys - These are small USB devices which you can keep on your key chain.  When prompted by Duo to log in, just put the USB key into the computer you are logging in at, and push the button when prompted.
  • OTP tokens - OTP, or "One-Time-Passcode", tokens are small devices (screenshot below) which have a tiny screen and a push button.  When prompted by Duo, you click "Enter a passcode", then push the button on the token to get it to display a six-digit code.  You can then enter the code into the Duo prompt.  A picture of the token with a keyboard for scale is below:

Active faculty, staff, and students who do not have a smart phone can get the token from us.  Just email InformationSecurity@newpaltz.edu (make sure to email us from your college email address, and include your full mailing address).

 

Details

Article ID: 76102
Created: Mon 4/15/19 3:46 PM
Modified: Tue 9/22/20 10:32 AM