Multi-factor authentication (MFA) improves on traditional user ID and password security by also requiring pass code entry or authentication from a secondary device, such as a phone, tablet or hardware token associated with your NetID. As of July 1, 2016, MFA becomes mandatory for use of the Duke@Work website. Work at Duke is used for clearing receipts, viewing pay stubs and other financial activity. To perform MFA enrollment, visit the OIT link below, review the page, then proceed to the page's Enroll Here link in the highlight box:
After enrolling, you should register one or more devices to use with MFA. Two key links help you manage MFA after enrollment:
- The Multi-factor Authentication Home Page - used to enroll or delete devices, generate pass codes and set MFA preferences
- The Multi-factor Authentication User Guide - provides online assistance for MFA topics
The links above cover the how-to aspects. The notes below provide context to help in understanding MFA's complexity.
- Each device must be registered to associate it with your Duke NetID.
- Once registered, the device may be used for MFA purposes only by you.
- Up to 4 devices per person may be registered.
Office/Home Land Line or Basic Cell Phone: Land line handsets or basic cell phones may be used for MFA.
MFA results in a phone call to the device that must be answered. The automated caller identifies as being from Duo, then pressing any number on the keypad completes authentication.
Smartphone or Tablet: Windows, Mac and Android smartphones and tablets may be used for MFA.
The Duo Mobile app must first be installed on the smartphone or tablet. Installation requires that the device use some form of screen locking.
To complete registration the smartphone or tablet must scan a QR code (one of those square matrix barcodes) from the screen of the computer you are using to register the device. Use of this code is imperative to ensure a Duke-configured installation.
A Duo device can be used to authenticate in two ways. It can be selected on the Duke Sign In screen to send a push notification to the device, which is then confirmed on the device. Alternatively, the key icon of the Duo screen can be pressed to generate a 6-digit pass code, which can then be typed into the pass code field of the Duke Sign In screen.
Hardware Token: The YubiKey is the recommended hardware token for users who must authenticate from many devices and locations.
YubiKeys are available to Sociology faculty and staff by request.
Sociology graduate and post-doctoral students may order a YubiKey from the OIT Software License Office for $21 each.
A YubiKey must be registered and may only be used by the person to whom it is registered. [You cannot borrow someone else's key, nor can anyone who takes your key use it successfully unless they have also gained your NetID credentials.]
A YubiKey is inserted into the USB port of a laptop or desktop. A green LED indicator on the YubiKey must light up. If it fails to light, try reversing the way the key is inserted in the port.
- Many tablets lack USB ports, but tablets themselves can be registered as MFA devices. (See the discussion above.)
Selecting YubiKey authentication requires cursor positioning in the pass code field of the Duke Sign In screen, then a finger touch of the gold disk on the key. The touch transmits a one-time pass code that displays through the pass code field as it is sent.
Pass codes are generated in various ways and are typed or pasted into the Enter pass code or insert YubiKey® option of the Duke Sign In screen.
- A batch of ten 9-digit pass codes may be generated from the MFA home page. Each code is valid for 72 hours and may be used for one instance of multi-factor authentication.
- A batch of ten 7-digit pass codes may be generated from the Send SMS pass codes option of the Duke Sign In screen. These codes are sent as a text message to your cell phone. They do not expire and each is good for one-time use.
- If you have the Duo Mobile app installed on your smartphone or tablet, a single 6-digit pass code may be generated by tapping the key icon by Duke University on the Duo Mobile screen. The code is for immediate use.
When using a YubiKey for the first time with a particular computer, a device driver setup occurs that may take a minute or two. You are informed this is taking place.
MFA can be set to persist for 12 hours by selecting the "Remember this device for 12 hours?" checkbox on the Duke Sign In screen, which allows you to get through a typical workday with just one MFA sequence. This presumes use of the same computer, IP address, and browser through the day. You are still asked for NetID credentials for protected sites at the Duke Sign In screen, but the MFA portion of the sign-in is not repeated during the 12-hour period.
The website preferences section of the MFA Home Page, when set for selected NetID-protected websites, allows you to control which Duke-managed sites require MFA.