Duo Account Security
Effective December 1, 2020, Duo Security will end support of the Duo Mobile application for iOS 11 and Android 7. What does this mean to me?
Account security has never been more important as an increasing number of businesses and users are targeted by hackers. Password management has always been a weak point in systems that rely solely on a knowledge-based authentication factor (something you know). Passwords are reused across multiple systems, making all accounts vulnerable when a reused password is leaked.
When all is said and done, passwords are simply no longer reliable as the sole method of authentication to sensitive systems. A better security option is having two (or more) factors needed before gaining access to an account. These come from different categories:
- Something you know (password)
- Something you have (phone)
- Something you are (biometric, such as a thumbprint)
What is Duo Account Security?
The UofM Single Sign-On System (SSO) now includes Multi-factor Authentication (MFA) capabilities. This means that users can protect their accounts by requiring a second means to authenticate in addition to their password. Passwords alone have become increasingly easy to hack and MFA substantially reduces the threat of unauthorized access to accounts.
The ITS Security team has implemented MFA using a product from Duo Security, which allows users to use their phones as a second factor for authentication. Users can use the Duo Mobile app to enroll their smartphone or tablet to receive online push notifications, or generate a one-time passcode. Other methods of second factor authentication are available with Duo.
Am I required to enroll in Duo Account Security?
As of February 4, 2019, all regular employees, including all faculty, staff and course instructors, are required to utilize Duo Account Security to protect their accounts. Students may opt in to use the service but are not required to do so at this time.
How do I enroll or change my devices in Duo Account Security?
To enroll in Duo or to see your settings, log in to https://iam.memphis.edu/duo. If you are setting up your account, you will be guided through the process of registering your device(s). Once you have enabled Duo, you will be prompted to authenticate with your second factor the next time you log in to any SSO-protected web resource. New hires are guided through the enrollment process during orientation.
It is strongly recommended that you have more than one device registered in case there is an issue with your primary device.
If you change devices, even if you keep the same phone number, that device needs to be registered with Duo to work. Register the new device at the above link.
Where can I get help with Duo Account Security?
Full documentation for the Duo Account Security service can be found in the Duo Account Security documentation. For further assistance, please contact the ITS Service Desk at 901.678.8888.
How can I give feedback on the Duo Account Security service?
The ITS Security team would appreciate any feedback that you might have regarding your experience using Duo or registering devices within iAM. Suggestions for improving the service can be submitted via the ITS Suggestion Box.
Why is this service necessary?
Threats such as social engineering and phishing increase the risk of an individual inadvertently sharing their username and password. MFA helps protect critical University resources by requiring an additional piece of information or factor during login that a hacker will not have access to. Even if the password for an account is suspect, the account cannot be used to access critical or important University information.
What methods are supported by Duo MFA?
When paired with an app installed on a smartphone or tablet, Duo can send a push message to the app. The user only has to acknowledge the push to log in. The Duo app can also be used to generate one-time passcodes in the event that the device does not have a WiFi or cellular data connection. Duo MFA also supports text messaging and voice calls. ITS also has a limited number of Duo tokens available, which can be used to generate a code when an individual has no usable phone options or is traveling internationally. The token will need to be kept near or on the person to whom it is assigned, as it will be needed whenever that person attempts to log in to a system protected by Duo. Please see the Duo Account Security documentation for further assistance with Duo MFA methods.
When do I have to use Duo?
Duo is required whenever you log on to a website protected by our Single Sign-On (SSO) authentication service, such as the myMemphis Portal, eCourseware, email, and others. It is not required to log on to your computer.
Do I have to do this every time I log on?
You will have to use Duo MFA the first time you log on to a website behind our SSO authentication service. You will not be prompted to use Duo on other sites if you already have an active logon session to another site. If you restart your browser or computer, you may be prompted to use Duo again. You can also use the "Remember me" option at the bottom of the Duo screen to remember your Duo session on that device for a seven-day period.
Who is required to use multi-factor authentication?
As of February 2019, employees are required to use Duo MFA, due to the risk of University data being exposed in the event of suspicious activity. Students are urged to opt in to use Duo MFA by January 2021. As of January 25, 2021, students will be required to use Duo MFA to secure their access to University computer resources. The requirement for students' use of Duo MFA will be enforced on February 1, 2021.
What is a Duo Token?
The Duo token is a small, thumb-sized device that generates 6-digit codes to be used during Duo sign-on. The device requires no internet connection, no phone number, and is suitable for situations where the mobile app or phone cannot be used, such as in secure areas or when traveling.
Duo tokens must be assigned to specific user accounts and cannot be shared. A token can be requested via the following Service Desk form. Tokens are available for $20 and can be charged to a departmental index #. Tokens that are lost or damaged are subject to a $20 replacement fee.
What if I don't have my cell phone with me or it is not charged?
When enrolling in Duo, you are prompted to enroll a backup device or phone number, such as an office or home phone, that can be used in the event your primary device is not available. When logging in with Duo, simply select the backup device instead of your primary device to authenticate.
I travel frequently and don't always have cell service. How can I use the Duo service?
The Duo app, installed on a smartphone or tablet, can be used to generate a one-time passcode even when the device does not have an internet connection. Please see the "Using the Duo Mobile Application in location with poor cell coverage or no WIFI" section of the Duo Account Security documentation. If you are traveling internationally, you can also request a Duo token to use in cases where taking your smartphone or tablet is not safe or feasible.
Why can't I receive an email as a second factor?
The Duo MFA service does not currently support email as a second factor. Email is itself protected by Duo MFA, so it is not a good candidate for use as a second factor.
I use the Duo services at another University. Do I need to install a different app?
No, you can use the same app. Simply open your existing app and press the (+) icon to scan the barcode and add your UofM account.
Duo didn't work. How do I get help?
Please see the Duo Account Security documentation or contact the ITS Service Desk at (901) 678-8888.