Security - Two-factor Authentication (Duo) FAQ

Frequently asked questions regarding two-factor authentication using Duo at UW-Platteville


Sections:

  1. General
  2. Perceptive Content/Experience
  3. Office 365 
  4. Single Sign On

General


Q: What is two-factor authentication?
A: Two-factor authentication – a.k.a. multi-factor authentication (MFA) - is a second layer of protection that combines something you know (your password) with something you have (phone or tablet). Verifying your identity using a second factor (like your cell phone or tablet) prevents anyone but you from logging into a system, even if they know your password.


VIDEO: What is two-factor authentication?

Q: Why is two-factor authentication important?
A: Information security is everyone’s responsibility. Verifying your identity using a second factor prevents anyone but you from logging in, even if they know your password. The extra step protects your online identity as well as our employees and students and the University as a whole. Two-factor authentication also mimics real life; chances are, you are already using two-factor authentication in your personal online business (e.g. Amazon, Gmail, etc.).

In addition, this effort conforms to existing UW System policy on authentication related to high-risk data. Read the UW System Information Security: Authentication Policy at https://www.wisconsin.edu/uw-policies/uw-system-administrative-policies/information-security-authentication/information-security-authentication/

Q: What is Duo?

A: Duo is the service UW-Platteville uses for two-factor authentication.

Q: Of the two-factor options provided, is there a recommended method?
A: All of the options will do the job, but we strongly recommend using the app on your phone or tablet if possible.
  • The app is easy to read.
  • The app sends notices if someone tries to access your account.
  • The app is free while texts cost the University money.
We also recommend that you choose more than one option if possible to cover bases.  If you forget one device at home, you have another option. If you are not able to choose more than one option, and you find yourself without a device when you need it, call the ITS Help Desk at 608.342.1400.

Q: What if I do not have a cell phone/device?

A: Call the ITS Help Desk at 608.342.1400 to request a hardware token, a.k.a "fob".  NOTE: University-issued fobs must be returned to the ITS Help Desk when an employee leaves employment at UW-Platteville.

Q: What if I break, lose, or do not return my university-issued fob?

A: Call the ITS Help Desk at 608.342.1400.  There will be a $20 charge to replace the device.


Q: What if I only enroll one device, and I forget it at home?

A: ITS recommends generating one-time use back-up codes for times when your device is not available.  For more information see Security - Generating and Using Duo Self-Service Backup Codes

You may also call ITS Help Desk at 608.342.1400.  They will ask you to verify your identity using the Help Desk questions you set up for your password. Once verified, staff will issue a temporary code to get you into the system.

Q: If I use my personal device, will it be subject to open records requests?

A: No. Duo does not capture or store University data. It is merely a method for verifying logins.


Return to Top

For Perceptive Content/Experience

Q: Why do all Perceptive Content and Perceptive Experience (formerly WebNow) users require two-factor authentication?
A: Perceptive Content contains sensitive data including Personally Identifiable Information (PII) and financial data related to Purchasing and Accounts Payable.  Because of this, all Perceptive Content (and Perceptive Experience) users are required to authenticate using two-factor.

Q: What is the Duo LDAP Proxy?
A: For applications that do not natively support two-factor authentication (such as Perceptive Content), the Duo Self-Service box will not appear to ask you which authentication method you want to use. Instead, Duo LDAP Proxy service is used to facilitate two-factor authentication.

The Duo LDAP Proxy service will automatically use the default device* you selected in Duo. The system name will appear as "LDAP Proxy" on your device instead of "Perceptive Content". (See comparison below when default is push notification.) (Need to enroll in Duo? Go to Security - Enrolling in Duo and Managing your Devices  for instructions.)


Sample push notification using Duo Self-Service (displays name of system: Shibboleth SSO)

v4SSOApprove

Sample push notification using LDAP Proxy (displays LDAP Proxy instead of Perceptive Content)

v4LDAPProxy


Q: How do I authenticate with the Duo LDAP Proxy if I do not have my default device?

A: If you need to use a device other than your default device* to authenticate using LDAP Proxy, you can enter additional information after your password on the login window for your application, e.g. Perceptive Content.

To use a push notification to the Duo App on your cell phone:
NetID: username
Password: password,push

To use a passcode from a fob or the Duo App (example passcode: 1234567):
NetID: username
Password: password,1234567
*NOTE: Texting cannot be set as a default in Duo. To utilize texting with Perceptive Content, you will need to generate back-up codes PRIOR to logging into Perceptive Content. (See Security - Generating and Using Duo Self-Service Backup Codes ) You will then follow the instructions below using one of those one-time-use codes.
To use a one-time back-up code (example passcode: 1234567):
NetID: username
Password: password,1234567
If you access Perceptive Content often, ITS strongly recommends using the Duo app or a hardware token ("fob").

Return to Top


For Office 365

Q: Will I have to use two-factor authentication every time I log into my email account?

A. If you use the Office 365 web application in a browser, you will have to use two-factor every time you log in.  The same is true of related apps like Teams, OneDrive, and SharePoint.

For the Outlook app or the native app on your mobile device, you will log in once with two-factor, and that should last for awhile.  Factors that may require you to use two-factor include changing your password or system updates.

For Outlook desktop client, you will log in once with two-factor, and that should last you until you change your password.  Again, factors such as system updates may require you to use two-factor on occasion.

Q: I tried logging into my Office 365 account, but the app is asking for approval to Microsoft Azure Active Directory.  Is this legitimate?

A. Yes. Azure Active Directory is a system Microsoft uses for authentication. (See example below.)

Sample push notification displaying Microsoft Azure Active Directory instead of Office 365

v4Azure


Return to top

For single sign-on systems


Q: For single sign-on (SSO) systems, how often will I have to use two-factor authentication? once and out? once a day?

A: The term "single sign-on" can be a bit misleading.  The first sign-on only lasts 30 minutes.  For example, if you log into one SSO system using two-factor at 9:00 a.m., and then you log into additional systems before 9:30 a.m. you will only have to use two-factor the first time.  However, if you sign into a SSO system at 9:00 a.m. and then you sign into another SSO system at 9:45 a.m., you will be required to use two-factor for that second system.

Alternatively, as you log in, you may opt to check "remember me for 12 hours" before choosing an authentication method. You will remain logged in on that browser and device for 12 hours.

screenshot highlighting authentication methods for Duo and the option to "remember me for 12 hrs"

Return to top



If you have questions, please contact the ITS Help Desk at 608.342.1400 or helpdesk@uwplatt.edu.  You may also visit the Help Desk on the first floor of the Karrmann Library.
 

See Also: