Duo - two-factor authentication

Duo two-factor authentication at Wellesley College

Duo Security is a two-factor authentication (2FA) system that adds an extra layer of security to Google Apps and Workday for your Wellesley domain account.  When it comes to account security, it’s best to protect your account with both something you know (your password) and something you have (Duo with your phone or mobile app).

Effective May 25, 2017: All administrative staff and faculty will be required to use two-factor authentication no later than fall 2017.  For more information on the timeline, please see the LTS News posting or contact the Help Desk.

After setting up Duo, when you log in to your Wellesley Google Apps or Workday account, you will get an additional login prompt to authenticate with Duo.  This prevents hackers from accessing your account, because even if they get your password, they won't have access to your office, home or mobile phone to approve the authentication request from Duo.


Getting started

First, fill out this Google form to request Duo.  Once Duo has been activated for your account, you will receive an email, and the next time you log in to Wellesley Google Apps or Workday, you will be asked to set up Duo by following the steps below:

  1. Make sure you are near the phone or device you want to set up Duo on - either your office, home, or mobile phone.

    • If you are going to use a mobile phone, which we strongly recommend, download the free Duo Mobile app from the App Store (Apple devices) or the Play Store (Android devices).  If prompted for access to your camera, you can select Yes or No.  The Duo Mobile app only uses the camera during setup to take a picture of the barcode to link it to your Wellesley account.  If you choose not to allow access to your camera, Duo will offer to email you a link; opening that link on your phone will link the Duo app to your account.

    • If you don't have a mobile phone, you can request a Yubikey U2F token from the Computing Help Desk.  Yubikeys only work with Chrome and only on Windows or Mac OS X computers.

  2. Log in to Wellesley Google Apps or Workday from a web browser on a desktop or laptop computer.

  3. After logging in, you will see a Duo Enrollment screen instead of your email.  Click Start Setup.

  4. Follow the directions below for the first phone you want to set up.  You can set up additional phones later.

    1. Setting up your office, home, or mobile phone without using the app or text messages:

      1. Select Landline and click Next.
      2. Enter your phone number, including the area code (e.g. 781283xxxx).  Leave the extension field blank, check the box to confirm the number, then click Continue.
      3. Click Call me, answer your phone when it rings, then enter the six-digit code and click Verify.
      4. Click Continue.
    2. Setting up your mobile phone to use the Duo App and receive text codes:

      1. Open the Duo App on your mobile phone.

      2. On your computer's web browser, select mobile phone and click Next.

      3. Enter your phone number, including the area code (e.g. 781283xxxx), check the box to confirm the number, then click Continue.

      4. Select the type of mobile phone you have (iPhone, Android, etc.) and click Continue.

      5. Click I have Duo Mobile Installed.
      6. At the Activate Duo Mobile window, go to the Duo Mobile app on your phone and tap Add Account, then take a picture of the QR barcode on the screen to add your account to the app.  You may have to allow the app access to your camera.  

      7. Once it takes a picture of the QR code, "Wellesley College" should show up as an item in the app with a lock icon next to it. The screen on your browser will also now have a green checkmark over the QR code.  In the browser, click Continue.

  5. If you want to set a default method for Duo so that it will automatically call or push a request to that phone or app, check the default box, select the option you wish as default, click Save, then click Continue to Login.  

  6. If you don't want to choose a default, skip the options and click Continue to Login.  You will then have to choose an option manually each time you log in.


Best Practice: Add another device to your Duo authentication

We strongly recommend setting up at least two devices with Duo in case you are not near the original device you set up in Duo.  You can add as many devices as you wish by following the directions below:

  1. Log in to Wellesley Google Apps.

    If you have a default set up and Duo starts to authenticate, click Cancel.

    If you selected Save for 30 Days and the page automatically loads to your Wellesley Email, open a new Chrome Incognito Window and log into your Wellesley Email there to ensure Duo will prompt to authenticate again.
     

  2. In the list of options on the left of the Duo Authentication Page, click Add a new device.  You will be prompted to authenticate with Duo.

  3. Select the device you wish to set up and follow the directions for that device.

    • For phones, you will be asked to enter the full phone number, then Duo will call that number to verify it.

    • For mobile apps, you will be asked to take a picture of the barcode with the app, then verify it worked.

  4. After adding the device, you can either add a new device, or continue to authenticate through to Google Apps.


Tips for logging in with Duo

Set Duo to remember you for 30 days in your browser / device

You can set Duo to remember that you authenticated for 30 days. This is a per-device, per-application setting, so for example if you use both Chrome and Firefox on the same computer, you will have to follow these steps in both Chrome and Firefox.

  1. Visit Google Apps with your Wellesley account.

  2. If Duo automatically starts to verify your account via your default method, click Cancel.

    • You will still need to answer your phone or accept the push request.

  3. Check the “Remember me for 30 days” checkbox, then choose one of your authentication methods to continue authenticating through Duo.

Using other mobile apps (e.g. Gmail app)

When setting up your Google account in a mobile app, at the Google login window, enter your username@wellesley.edu.  You will then get directed to a Wellesley login window where you can enter your Wellesley username and domain password as usual, and will then be prompted for Duo if you have it enabled.

Note: Yubikeys cannot be used to authenticate with Duo on mobile devices.

Choosing a different device

If you set up multiple devices for Duo and you don’t want to use the one you set as default, when the Duo screen appears, click Cancel in the bottom right.  You will then be given the option to choose a different device that you have set up on your account.


Using Duo when you're off-campus, abroad, or traveling

There are several ways you can still use Duo when you are traveling or may not have internet access.

  • Forward your office phone to your mobile phone or Google Voice.

    • When Duo calls your office phone, it will be passed along to the phone you forwarded it to and you can authenticate as usual.

  • Use Passcodes from the Duo app, even without an internet connection.

    • The Duo Mobile app for Android and iOS also works without an internet connection by giving you Passcodes if you click on the lock icon next to Wellesley College.  Passcodes change every so often, so make sure you have your device and check it when you need to authenticate.

    • To use a Passcode instead of Push in Duo, if you have a default set, click Cancel in the popup, then click Enter a Passcode and enter your Passcode.

  • Send text messages to your phone before you leave.

    • If you set up your mobile phone as a mobile phone in Duo, you can request Passcodes sent to it via text messaging (SMS).  Duo will send 10 one-time use codes in each text message, and they do not expire.  The section below explains how to do this.

    • When logging into Google Apps at the Duo authentication screen, if you have a default set, click Cancel.  Then click Enter a Passcode.  Next, click the Text me new codes button that appears in the blue bar at the bottom of the Duo screen.  You will get 10 codes each time you click the Text me new codes button, and these codes will not expire.

 


New August 2017: Duo Restore

This new feature will allow users to securely restore their accounts.

  • Late August: new Duo mobile app for Android and iOS

  • Duo Restore is an opt-in feature

    • Android: Android users must first connect to a Google account to complete an initial backup of non-sensitive data. Users will be prompted to do so in the app upon installing the latest version of Duo Mobile. Once synced with a Google account, users must sign into the same Google account within Duo Mobile on their new device and they can then restore their account(s) on a new device by selecting “Get Working” and then completing primary and secondary authentication.

    • iOS: iOS users who already have their device backed up to iCloud can restore their accounts by opening Duo Mobile and selecting “Get Working” in the app and then completing primary and secondary authentication.

  • Requirements for Account Recovery

    • You must be able to complete two-factor authentication at the Duo Prompt. You could use phone callback authentication, an SMS passcode, an administrator-issued bypass code, or a different Push-enabled device that you may have previously associated with your account.