Using Duo™ Two-Factor Authentication with EIS Web Applications

How to set up and use Duo™ Two-Factor Authentication to protect access to EIS web applications.

As of 06 April 2016

Duo™ Two-Factor Authentication is used to secure CAS authenticated applications by requiring authentication methods via: something you know (like a login) and something you have (like a mobile phone).

Duo™ adds a second layer of security by requiring a login confirmation via a device only you control. The result is a more secure application.

This document explains what Duo™ is, why you should use it, how it works, how to enroll, and how to use it successfully in protecting sensitive applications and data.


Contents

What’s This All About?
Why Should You Use Duo™?
How Duo™ Works
How to Enroll in Duo™
Duo™ For Web Applications
Helpful Tips for Using Duo™
Appendix A: Doing a First-Time Enroll of a Smartphone
Appendix B: Using Security Tokens with Duo™


Using Duo™ Two-Factor Authentication for EIS Applications


What’s This All About?

Two-Factor Authentication (2FA) is a second layer of security in addition to your login credentials. The factors necessary to successfully log in include both:

1) Something you know (like your NetID and password)
2) Something you have (like a mobile phone or other device to approve authentication)

In this document, we will explore how to set up and use a two-factor authentication product called Duo™ by Duo Security, Inc. Texas A&M University is licensed to use this product to protect access to sensitive applications.

Why Should You Use Duo™?

Ninety-five percent of data breaches involve weak or stolen usernames and passwords.1 Hackers may use sophisticated malware, phishing attacks, and social engineering to gain access to this information. In 2015, more than 700 million records were compromised in more than 1,600 breaches worldwide.2 Upwards of 300 million came from the public sector. More than 50 percent involved identity theft. More than 1,200 of the breaches were aimed at U.S. targets, including higher education.

By adding a second layer of security to logins, Duo™ ensures hackers cannot access sensitive applications by using stolen login credentials alone. This does not make it impossible for hackers to defeat security, but it does make it significantly more difficult.

Use of Duo™ is not required currently, but may be required in the future. Texas A&M IT is making Duo™ mandatory for its employees. Increased regulatory and compliance pressure are likely going to make 2FA a normal part of logging in to computer systems.

If your login credentials are easily guessed or stolen, student, faculty and staff information will be at risk, and the university could suffer significant financial and reputation losses. Use of Duo™ to access EIS applications is strongly recommended for EIS applications, including Compass, Howdy and ePrint.

How Duo™ Works

Without Duo™, you enter your username and password, and then access the application (See Figure 1). If a hacker obtains or guesses your login information, they will have the same access to the application as you do.

With Duo™, after you enter your correct username and password, Duo’s™ two-factor authentication verifies your identity. Even if someone knows your username and password, they will not be able to successfully login because an approval from you is required using a physical device that only you have (See Figure 2). Such devices might include your mobile phone, tablet, Duo™ security token, or a landline phone.

1 Verizon 2015 Data Breach Investigations Report
2 Gemalto, Inc., Breach Level Index, http://www.breachlevelindex.com/


Figure 1. Normal Application Access: Enter Username → Enter Password → Access Application

Figure 2. Simple Access via Duo™: Enter Username → Enter Password → Select Duo™ Authentication Device → Confirm and Approve on Device → Access Application


The Duo™ implementation used at Texas A&M University is primarily used to protect applications that use the Central Authentication System (CAS). Duo™ will work with some other types of applications, but this document, except as specifically noted, is mainly concerned with CAS logins. Duo™ will not compromise your login credentials.

How to Enroll in Duo™

Before you can use Duo™, you must do a one-time “enroll” so that it knows who you are, and what devices you want to use to confirm your identity. A device might be a mobile phone, landline phone, a tablet (like an iPad, Nexus 7, etc.), or a Duo™ security token. When enrolling, you can set up multiple devices and later choose which one you want to use. That way, should your default device not be with you, you will have other options to authenticate.

Here is information on all the possible authentication devices:

http://infrastructure.tamu.edu/auth/2factor/twofactor.html#tab_tab3

Duo™ only supports these common web browsers: Chrome, Firefox, Safari, Internet Explorer 8 or later, and Opera. Note that Chrome does not support the Java used by many EIS applications, including Compass.

To do a first-time enroll in Duo™ or manage your account thereafter, go to:

https://gateway.tamu.edu/duo-enroll/

This web page will walk you through the process of setting up a Duo™ account. Many people use their mobile phone as their primary device. You should select more than one device in case your usual device is not available for some reason. If you use a smartphone (iPhone, Android or BlackBerry), you may want to use the Duo Mobile app.

There are three ways to authenticate once you’ve set up Duo™ (Duo Push, phone call and passcode):

Duo Push: Pushes a login verification request to your phone or tablet (if you have the Duo Mobile app installed and activated on your iPhone, Android, or BlackBerry device). Just review the request. Click Approve to allow access, or click Deny to not allow access.

Call Me: Authenticate via phone call from Duo™. It will ask you to approve access by entering a code.

Enter a Passcode: Log in using a passcode, either generated with the Duo Mobile app, sent via SMS (text message), generated by your security token, or provided by an administrator.


Duo™ security tokens may also be used. Currently, three different types are available for purchase from the TAMU IT SELL for use with Duo™. One of these, the U2F token, is limited in that it can currently only be used with the Chrome web browser, and Chrome lacks support for certain EIS applications that use Java. The other security tokens are better choices. See Appendix B for details.


Duo™ For Web Applications

Duo™ is used to protect web applications accessed via the “CAS” login screen:

Duo™ also works with the Texas A&M University System “Single Sign On” (SSO) application. Besides going to SSO directly (via https://sso.tamus.edu), SSO is available through Howdy by clicking on the SSO icon.

The UIN-based SSO login uses a separate Duo™ implementation (just for the Texas A&M University System). Most people will find it more convenient to use the CAS login to authenticate to SSO (this is the preferred method), but you should also secure your UIN login on the SSO site, even if you don’t normally use it, to protect your information.


Remember, enrolling in Duo™ for the SSO application is separate from the Duo™ for CAS used by Texas A&M University. To enroll in Duo™ for the SSO application, login to SSO (https://sso.tamus.edu) and follow these steps:

1. Go to your Profile tab
2. Select Two Factor Authentication on the left
3. Select USE Two Factor Authentication
4. Press Save
5. To set up devices, please visit the Managing Duo Account page

You can see these same instructions here:

http://it.tamus.edu/sso/how-do-i-sign-up-for-two-factor-authentication/

There are ways to use Duo™ with other products. Those interested in using Duo™ with products other than CAS or SSO should contact Help Desk Central for details.


Helpful Tips for Using Duo™

Question: How can I make the authentication process as easy as possible?

Answer:

For your convenience, the system can remember your browser for 60 days if you select to do so. This means you won’t have to acknowledge the two-factor authentication each time you log in from that specific device.

Go to the Texas A&M Duo™ website (https://gateway.tamu.edu/duo-enroll/) and click the Enroll / Manage Devices button. Enter your NetID and password on the CAS login.

For each qualifying device, there is a checkbox that says Remember me for 60 days. If this checkbox is checked, then Duo™ will remember your browser for 60 days and will not contact your device, provided you log in using the same workstation and browser.

Important Note: If you clear your browser cache, you must login with Duo™ again to set the feature. If your browser is set to clear the browser cache on exit, this Duo™ setting will be cleared on exit.

Important Note: Use the Remember me for 60 days feature only on a private or personal computer. Never use this feature on a publicly accessible shared workstation.


Question: I misplaced my phone. I went to the Duo™ website to add my landline phone to authenticate, but it wants to authenticate using my missing phone. What can I do?

Answer:

If you have defined a second authentication device with Duo™, you can use My Settings & Devices on the Duo™ website to delete your lost or stolen phone. You can also use the second device to authenticate just as you normally would.

If you have no second authentication device, contact Help Desk Central so that they can disable the phone as a Duo™ device, and set up another authentication device.

You can add multiple phone numbers (and devices) for use with Duo™. It is strongly recommended that you set up more than one when you enroll. This enables you to choose the device that is most convenient to you, but it also allows for a fallback device when your default device is unavailable. You can add your home and office landline phones, your mobile phones, your tablets, etc.

Remember, your NetID login will still protect your access even if you lose your phone.

Question: I use Microsoft Internet Explorer. When I set the Remember me for 60 days checkbox, it doesn’t seem to work once I exit the browser.

Answer:

This may be because you or your IT administrator has set up Internet Explorer to clear the browser cache on exit or because you have cleared the cache manually. To see if Internet Explorer is set to clear the cache on exit, select the Tools tab, then Internet Options. You should see something like the following dialog box:

If you have administrator access, you can uncheck the checkbox Delete browsing history on exit. If not, then you will not be able to use this feature with Internet Explorer. You may find that using a different browser may solve the issue. Just remember that Chrome does not support the Java required for many EIS applications.

Question: I am running iOS 4.3 (or lower) and I am not able to install Duo Mobile 3.1.0 from the App Store on my iPhone.

Answer:

The minimum supported operating system version for Duo Mobile 3.1.0 and above is iOS 6.0. Users installing Duo Mobile for the first time with devices running pre-iOS 6.0 need to download Duo Mobile from the App Store using the iTunes application on a Mac or PC computer. You must be signed in with the same iTunes account you plan to use with your phone.

When the download is complete, open the App Store on your pre-iOS 6.0 device and install Duo Mobile. You will be prompted with an alert informing you that you will receive the latest compatible version of Duo Mobile (v3.0.2).


Question: I notice that the Duo Mobile app for my smartphone requires camera access. Why would it need camera access?

Answer:

During the setup process, a QR activation barcode is scanned to add your account to the app.

Question: I value my privacy. I do not want to divulge my personal mobile phone number.

Question: I don’t want “office” apps taking space and consuming CPU time on my personal mobile phone.

Answer:

If you do not wish to divulge your personal mobile phone number, or you have no personal phone, or you do not want to allow the Duo Mobile app on your phone, you can set up Duo™ to call your office landline phone number or use a Duo™ security token. The Duo Mobile app is intended for your convenience, but is not a requirement.

Question: I see this in Duo’s “Service Terms and Conditions” (https://duo.com/legal/terms):

“3.3. Customer acknowledges that the Services will require the Users to share with Duo Security certain information for the purposes of providing the Services, such as user names, password and other login information.”

Does this mean that Duo™ can access my CAS login credentials?

Answer:

TAMU NetID account passwords are not shared with Duo™. Things that are technically passwords are Duo™ administrator accounts and 2nd-factor authentication tokens such as OTP and SMS "passwords".

Usernames are shared with Duo™ for the purposes of matching an authentication request to a 2nd factor mechanism. Usernames are provided to Duo™ either by web services (if you activate, for example, at the https://gateway/duo-enroll page) or by direct entry at the Duo™ website, if a local application integration allows self-service registration.

Question: My Duo Mobile app is hung on my smartphone. How can I fix it?

Answer:

Duo™ is a cloud-based service using a sometimes unreliable Internet connection. To correct the issue, try putting the phone into airplane mode, and then backing out of the application. If that fails, try rebooting the phone by doing a restart or shut down.


Question: I want to test Duo but I am logged into CAS. How can I make sure that I am logged out of CAS?

Answer:

You can log out of CAS using this web address: https://cas.tamu.edu/cas/logout

Question: Who do I contact to for Duo™ support or to report an issue?

Answer:

You can contact Help Desk Central (available 24 hours a day, 7 days a week):

Phone: 979.845.8300
Email: [email protected]
Visit: Computing Services Center, Room 1112 (8 a.m. – midnight)


Appendix A: Doing a First-Time Enroll of a Smartphone

Here is an example of enrolling an iPhone so you can see what’s involved. The process is very similar for other types of mobile phones.

Step 1: Go to your mobile phone’s app store and install the Duo Mobile app onto your phone.

Step 2: On your workstation, get into a web browser and go to:

https://gateway.tamu.edu/duo-enroll/

Step 3: Enter your NetID and password to authenticate via CAS.

Step 4: Duo™ will detect that you are a first-time enrollee and will display the following screen:

Step 5: Click the Start setup button to begin the enrollment process.


Step 6: You will want to select the type of device that you are adding. In this case, click the Mobile Phone option and then click the Continue button.

Step 7: Enter your mobile phone number. Duo™ uses this information to call your phone to authenticate.


Step 8: Click on your mobile phone’s type and press the Continue button.

Step 9: Click on the I have Duo Mobile installed button.


Step 10: Open the Duo Mobile app on your mobile phone and tap the “+” button. Then scan the QR barcode presented. After a successful scan, you will see a screen similar to that below. Click the Continue button.

Step 11: Click the Save button to save the device settings.


Step 12: You are successfully enrolled! Now, when you authenticate to a CAS enabled web application, Duo™ will send you a verification request.

Now, use your web browser to go to a CAS protected application, such as Howdy (https://howdy.tamu.edu/). Click the Log In button. The familiar CAS login page will appear. Login using your NetID and password.


You will next see the following Duo™ screen:

Go ahead and click the Remember me for 60 days option, and then click Send me a Push. Duo™ will call your mobile phone and ask you to approve the authentication. Click Approve on your phone. The following screen will briefly appear before you see the Howdy application.

Tip: You might want to add other devices as a fallback in case your mobile phone is not available.


Appendix B: Using Security Tokens with Duo™

Duo™ can use security tokens as authentication devices. These normally plug into a USB port on your workstation like a thumb drive. They are typically made largely of plastic. There are no moving parts.

There is a hole to place the device on a keyring if desired. Physically, they are very durable.

Even though most tokens look similar to the picture to the left, there are different kinds of tokens, each offering different features and methods of authentication.

They work by using a security protocol, essentially a short electronic conversation between Duo™ and the token, to perform the authentication. There are different security protocols, and some tokens support more than one.

When prompted, the token is inserted into a USB port and the button on the token is pressed to authenticate. The security protocol generates a one-time password (or key value) so that even if the password is somehow intercepted, it can only be used for one authentication.
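To show what "can only be used for one authentication" means in practice, here is an added example (not Duo's or Texas A&M's code) that models a button-and-display token and the server that checks its passcodes, using HOTP (RFC 4226) as a representative event-based one-time-password protocol; the page does not state which protocol the Duo hardware token uses, so that choice, the demo secret, and the look-ahead window size are assumptions of the example.

```python
import hmac
import hashlib
import struct

# Constructed demo secret (the RFC 4226 test-vector key); NOT a real token seed.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HardwareToken:
    """Models the token with a button and a display: each press shows a fresh code."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0

    def press_button(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1  # the token never shows the same code twice
        return code


class OtpVerifier:
    """Server side: holds the shared secret and the last counter it accepted.

    A submitted code is valid only if it matches a counter strictly greater than
    the last accepted one (so an intercepted or replayed code is refused) and
    within a small look-ahead window (so a few button presses without a login
    do not desynchronise the token from the server)."""

    LOOK_AHEAD = 5  # assumed window size for this example

    def __init__(self, secret: bytes):
        self._secret = secret
        self._last_counter = -1  # nothing accepted yet

    def verify(self, submitted: str) -> bool:
        start = self._last_counter + 1
        for c in range(start, start + self.LOOK_AHEAD):
            # constant-time comparison so code matching leaks no timing information
            if hmac.compare_digest(hotp(self._secret, c), submitted):
                self._last_counter = c  # this and every earlier counter are now spent
                return True
        return False


def demo() -> dict:
    """One honest login, a replay of the same code, and a token pressed a few
    extra times before the next login; returns each outcome for inspection."""
    token = HardwareToken(DEMO_SECRET)
    server = OtpVerifier(DEMO_SECRET)

    first = token.press_button()      # user reads the display and types the code
    honest = server.verify(first)     # accepted: counter 0
    replay = server.verify(first)     # same code submitted again: refused

    token.press_button()              # two presses with no login attempt
    token.press_button()
    resync = server.verify(token.press_button())  # counter 3, still inside the window

    return {"first_code": first, "honest": honest, "replay": replay, "resync": resync}
```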

Before a token device can be used, it must be defined to Duo™, and only certain tokens work with Duo™ as implemented at Texas A&M. There is a limit to the number of authentications that a token can do, so there is a lifetime (in years) after which it will no longer work. As security protocols improve over time, it is possible that tokens will use more long lived protocols so that it may become less of an issue. Some tokens can be “reset” so that they can continue to be used, while others cannot. If your token ceases to function, contact Help Desk Central for information on how to proceed.

Currently, three different kinds of tokens will work with Duo™ as implemented at Texas A&M. These are available for purchase from TAMU IT’s Software Center (SELL). Here is a link:

https://sell.tamu.edu/Departments/Departmental_Software_List_A-G/Duo_Two_Factor_Authentication_Tokens.php

The three tokens are:

1. Duo hardware token
2. FIDO U2F Security Key by Yubico
3. YubiKey Neo by Yubico

The Duo hardware token works until the non-replaceable built-in battery dies, about two years. This token has a button and a display screen. It displays a passcode which must be manually entered into Duo™ to authenticate. Because this token is not as convenient to use as the other tokens, and because it is limited in terms of its lifespan, it is not recommended.

The FIDO U2F Security Key by Yubico will only work with the Chrome Browser at this time. Chrome does not work well with the Java based applications used in EIS, so its use is not recommended. However, other browser makers do have plans to eventually support the U2F security protocol, including Mozilla’s Firefox and Microsoft’s Edge browsers. When these browsers support U2F, then this token may become more useful. It is designed to provide 5+ years of service. It offers simple one button press authentication.

The YubiKey Neo by Yubico is currently the only recommended option, but authentication requires clicking a Duo™ button and then pressing the token button, so it requires an extra click to authenticate. It also is designed for 5+ years of use. It is the most expensive token option at this time.


Over time, this list of tokens will likely be changed to drop older technologies and add new ones. If you do want to use a token, you should consult the TAMU IT Software Center (see link above) for the latest information.

There are some things to know about token use.

1) Tokens are small parts that can be easily lost. As a result, you will want to have another means to authenticate besides a token. If you do lose your token, all is not lost. Your NetID is still protected by your login credentials. Anyone who attempts to use it would need your credentials plus the token to successfully authenticate. So, it is basically useless to anyone else. If you do lose one, authenticate to A&M’s Duo™ website and remove the lost token device from your Duo™ account (or contact Help Desk Central to assist).

2) Duo™ will not currently accept a token as a default device. Currently, Duo™ offers only phone devices as defaults. This means that you can’t enroll in Duo™ with just a token. You must also have a phone device defined to Duo™. This also means that you will need to manually select the token as the device to use before authenticating (because it cannot be a default device).

3) If you remote in to your workstation from home (or other location outside the university firewall), and you try to authenticate using a token, your success will depend on the type of token and the security protocol used.

a. The YubiKey Neo by Yubico token works by using the Windows clipboard and the cut and paste operation, which is supported by the Windows remote desktop application. As such, it will work both with applications accessed directly via VPN and indirectly by remoting into your workstation and accessing applications from there.

b. The Duo hardware token will work because you must manually enter the passcode displayed on the token. It also will work both with applications accessed directly via VPN and indirectly by remoting into your workstation and accessing applications from there.

c. The FIDO U2F Security Key by Yubico will work with applications accessed directly via VPN, but it will not work indirectly by remoting into your workstation and accessing applications from there because it looks for the token to be accessible via your workstation, not the remote PC. Note that even if you leave your U2F token plugged into the USB port on your office workstation, you will not be able to press the button on the token remotely.