Duo - Frequently Asked Questions and Troubleshooting

Tags Duo MFA FAQ

If you are a user (or soon will be a user) of the Duo system - you may have some questions.  We will try to answer the most common questions here (email chauvetp@newpaltz.edu if you have any other question).

Why Is New Paltz using the Duo system?

What is MFA?

How does Duo Work?

What email applications work with Duo?

How do I get setup for Duo?

What do I do if I forget my device at home and cannot login?

I got a new phone and Duo isn't working anymore - what do I do?

How to add a backup device for Duo

I use the Duo token and it isn't working

Can I use the Duo phone app when my phone doesn't have Internet access?

Can students use Duo?

What about the security or privacy of the Duo app?

 

Why is New Paltz using this system?

You may ask "Why is New Paltz using Duo, or Multi-Factor Authentication (MFA)?".  There are a number of reasons.

  • Phishing: Phishing has continued to be a significant problem both at New Paltz and at organizations worldwide.  Although the vast majority of these phishing messages are being blocked or marked as spam here at New Paltz (and many of our faculty and staff are fantastic about reporting these messages) some do get through.  At this point, the training and simulations are not a sufficient defense on their own.
  • Password reuse: Though we want all people to use a different password for all systems - we know that doesn't always happen.  People sometimes use the same password on multiple services.  When an external service gets compromised - the passwords used at that external site may be at risk.  They may be used to try to access other accounts, including those at New Paltz.  The same is true of common passwords.
  • Brute force attacks: Hackers are often trying to just 'guess' passwords.  They are doing this based on patterns of password.

We have a duty to protect the data of our students, faculty, staff, alumni and donors.  Even an account of someone who does not have direct access to that data - can provide a criminal a level of access to the college which could lead to a further breach.  Because of this - we need to protect accounts with more than just a username and password.

That is why we are expanding the usage of the Duo MFA (Multi-factor Authentication) system, which is currently in-place for a number of users with the most sensitive data/system access.  We will be expanding both the departments and users included in this program, as well as the systems which are protected by it.

New Paltz has chosen Duo specifically as our MFA provider for its affordability, ease of use, and compatibility with the systems that we use here.

 

What is MFA?

Multi-factor Authentication systems are those that require at least two of the following factors (only the first two being used by New Paltz).

  • Something you know (such as usernames and passwords)
  • Something you have (such as an app on a smartphone, or a small key chain token) which is tied to your account
  • Something you are (biometrics such as fingerprints - don't worry - we have no intention of using biometrics at New Paltz)

An account protected by MFA cannot be accessed by one of those factors alone.  Were someone to get my password - but not have my smartphone, they would be unable to access accounts protected with MFA.  Vice-versa, if someone had my phone but not my password, they would also be unable to access accounts protected with MFA.

MFA is increasingly used to protect data on systems such as financial/banking accounts, email, social media, or other systems which are at high risk for compromise for criminals.  New Paltz has implemented, and is expanding the usage of, MFA to better protect the sensitive data, systems, and accounts that our faculty and staff are entrusted with.

 

 

What email applications work with Duo?

Only applications which support "Modern Authentication" (a Microsoft protocol) are compatible with Duo.  

The following applications are compatible, and recommended:

  • Outlook Web Access (i.e. when you access your Office 365 account via your web browser)
  • Outlook 2016 or later
  • Outlook (mobile app on iPhone or Android)
    • Note: Android must be version 6.x (AKA Marshmallow) or higher as of December 2019.

The following are compatible - but unsupported by ITS:

  • Apple Mail (on MacOS Mojave or later versions)
  • iOS Mail (on iPhones or iPads running iOS 11 or higher)
  • Windows 10 Mail app
  • Microsoft Office 2013 (configuration change required for 2013 to work)

The following are incompatible.  They may work now (as of April 2019) but will no longer function when basic authentication is disabled in Summer/Fall 2019:

  • Mozilla Thunderbird
  • The GMail app on Android or iOS
  • Any other mail app on Android not already listed.
  • Microsoft Office 2011 or earlier
  • Any other application not otherwise listed

Unfortunately - not all applications support the Multi-Factor Authentication system.  Any application that doesn't support this is a vulnerability as it would allow a criminal to gain access to an account that is protected by MFA via a method that is not.

 

How do I get setup for Duo?

If let Information Technology Services know that you will be using the phone app (or don't reply to the request for your choice) - your account on Duo will be activated.  When it is activated - you'll be prompted to download and activate the Duo app on your phone.

The site will ask for your cell phone number.  This is only needed in case you need your device reactivated (in case of getting a new phone with the same number, or if you've had to factory reset your phone).  In that case - we can send a reactivation text to you.  Duo will not contact you via your cell phone otherwise.

 

What do I do if I forget my device at home and cannot login?

If you don't have access to your device for the day (you forgot it at home for example) we can provide you a temporary code which you can use to login.  To provide this we need you to either:

  • Visit the Service Desk (Humanities 103).
  • Call the Service Desk (845-257-HELP) - ideally from your office or department phone.

I got a new phone and Duo isn't working anymore - what do I do?

The activation for Duo is tied to a specific device - not just a phone number.  We can help you reactivate your device.  You'll need to either:

  • Visit the Service Desk (Humanities 103).
  • Call the Service Desk (845-257-HELP) - ideally from your office or department phone.

If you still have your old device though - see "Add a Backup Device".

 

I use the Duo token and it isn't working

The Duo token generates codes based in part on the time on the device.  It is possible that the time is slightly off on the device.  Don't worry though - there's an easy way to fix it.

If you enter three successive numbers in the Duo system - the fourth number will work.  To be specific - what you do is:

  1. Push the button on the Duo token and get the number
  2. Enter it into a Duo login screen (in the "Enter a passcode" window).
  3. Wait for the screen to go dark and push the button again, repeating steps 1 & 2.
  4. Do this three times in total (until you've entered three numbers).  

Your fourth code will work.  If it doesn't - or if this keeps happening - please call the Service Desk.  We'll replace your token.

Note: If your token doesn't show numbers at all anymore when you push the button - please contact the Service Desk.

Can I use the Duo phone app when my phone doesn't have Internet access?

If you are using the Duo phone app, when you don't have Internet access on your phone (such as when you are out of the country) you can still use Duo.

  • Instead of clicking "Send me a Push" when logging in, instead click "enter a passcode"
  • Go into the Duo app and click where it says "State University of New York at New Paltz".  A six digit number will come up.
  • Enter that number on the Duo login page

 

Can students use Duo?

At this time - our license for the Duo software only covers employees (which includes student employees).  Our focus in 2019 is on getting all New Paltz employees on the Duo system.  Student employees will be required to use Duo if they have certain levels of access or are in certain positions.  We will be considering this for the regular student population in the future.  Stay tuned!

 

What about the security or privacy of the Duo app?

New Paltz ITS and the information security industry in general have a very positive impression of Duo and the Duo app.  Duo’s app only asks for the permission to show notifications and to access your camera.  The camera permission is just for the initial setup (to scan the Duo QR code) and you can revoke that permission afterwards.  The notifications are only used to send you the ‘push’ notification that you need to approve when logging in.

Duo does not have access to the data on your phone such as pictures, files, etc. 

If your concerns are privacy related – please see the information on Duo’s site about “What data does Duo collect” and “Duo Mobile Privacy Information”.

Details

Article ID: 76102
Created
Mon 4/15/19 3:46 PM
Modified
Tue 10/1/19 1:10 PM