Multifactor Authentication: Difference between revisions

From William Paterson University - Information Technology's Wiki
Jump to navigation Jump to search
 
(166 intermediate revisions by 5 users not shown)
Line 1: Line 1:
==Multifactor Authentication==
<!-- '''Multifactor Authentication is here! Please see the [[Multifactor Authentication#Campus Announcement about Multifactor Authentication|Campus Announcement about Multifactor Authentication]] sent by Eric Rosenberg.
''' -->


Multifactor<!--(Two Factor)--> Authentication is required for William Paterson University VPN Access, and will be implemented Fall of 2018 for WPconnect, email and additional WP services.  If you are trying to use VPN and do not currently have access, [http://www.wpunj.edu/help please request access using the ticket type Account -> VPN Access].
[[File:duobanner.png|right]]


===What is Duo?===
==Frequently Asked Questions==
Duo is a Multifactor Authentication Product that the university is implementing to secure our WP accounts.  William Paterson University started using Duo in 2016 for all VPN users.  The Duo App is available for use on smartphones to authenticate using a Push notification or a Passcode.  Duo also the product used to authenticate clients via phone call or text message passcodes.


===How do I register my phone number?===
Multifactor Authentication is a second layer of security for your William Paterson account. After typing in your password, you will need a second form of authentication (a push notification or 6-digit code from the duo mobile app, faculty and staff can also receive a call or text.) to log in and prove that it's really you logging into your account. Without two-factor, anyone with your username and password could log into your account. With two-factor, only you will be able to log in because you need to use your phone to approve logins.
Information Technology has prepopulated the Duo system with cell phone, office extension, or home phone information based on phone information available in the university’s Banner system. You can add, edit, and remove devices or phones through the [[Multifactor_Authentication#DUO_Device_Management_Portal_on_WPconnect|Duo Device Management Portal available in WPconnect]] through Duo icon located in the Apps menu.
 
Multifactor Authentication (MFA or Two Factor Authentication) is required for William Paterson University faculty and staff for WPconnect, email, VPN Access, and additional WP services.  WPUNJ’s Duo multifactor authentication application will provide an extra layer of security to ensure that only you login to your account.  We are now encouraging students to enroll as well, and to utilize the Duo Mobile App.
 
'''<big>What is Duo Multifactor Authentication?</big>'''
 
[http://www.duo.com Duo] is a Multifactor Authentication product that the university is implementing to secure our WP accounts.  William Paterson University started using Duo in 2016 for all VPN users.  The Duo App is available for use on smartphones to authenticate using a Push notification or a Passcode.  Duo also the product used to authenticate faculty and staff via phone call or text message passcodes. 
 
'''<big>Why is William Paterson requiring multifactor authentication?</big>'''
 
Universities and other education institutions have encountered a significant increase in phishing and other online attacks in attempt to compromise accounts for financial gain. As passwords alone no longer ensure account security, the university will be implementing multifactor authentication to protect individual accounts and improve the university’s overall online security. Similar to forms of multifactor authentication in use by online banking, shopping, social media, and personal email account sites, WPUNJ’s Duo multifactor authentication application will provide an extra layer of security to ensure that only you login to your account.
 
===='''<big>How does Multifactor Authentication work?</big>'''====
 
[[File:Duo_how-it-works.png|350px]]
 
After your password is entered, the MFA logon procedure will prompt you to validate your login by choosing a notification through the Duo Mobile smartphone app (a phone call, or a text message for faulty and staff) in order to complete the login.
 
===='''<big>What Multifactor Authentication methods can I utilize?</big>'''====
{{#ev:youtube|5n0R28VHE6A|500|right}}
'''Faculty and Staff''' can choose to receive a '''Push notification''' on your iOS or Android device, a '''text message''', or a '''phone call'''.
 
'''Students''' can choose to receive a '''Push notification''' or to generate a '''Passcode''' on your iOS or Android device using the Duo Mobile Application.
 
{|
! style="text-align:left;"|Authentication Method
!  &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
! style="text-align:left;"|Faculty and Staff &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
! style="text-align:left;"|Students
|-
|Duo App Push Verification
|
[[File:Duo check.png]]
|[[File:Duo check.png]]
|
|-
|Duo App to Generate Authentication Code
|     
|[[File:Duo check.png]]
|[[File:Duo check.png]]
|
|-
|Text Message
|[[File:Duo check.png]]
|[[File:Duo x.png]]
|
|-
|Phone Call
|[[File:Duo check.png]]
|[[File:Duo x.png]]
|
|}
 
'''<big>What services require Multifactor Authentication?'''</big>
 
WPconnect, Office365, Email, and other WP online services require you to use Multifactor Authentication once enrolled.  You may be prompted to log in when setting up email thru Outlook on your computer, you may need to remove and add your email account on your mobile device or obtain the Outlook App for your device.
 
There is an optional check box on the login screen to [[Multifactor_Authentication#Logging_in_to_WPconnect|remember your device for 12 hours]].  You can also set your account to [[Multifactor_Authentication#Manage_Devices|automatically send your default device a Push notification]].  (Students can remember their device for 24 hours)
 
'''<big>How do I register my phone number?'''</big>
 
Information Technology has prepopulated the Duo system with cell phone, office phone, or home phone information based on phone information available in the university’s Banner system for faculty and staff.  Students will be asked for their phone number upon enrollment in Multifactor Authentication. You can add, edit, and remove devices or phones through the [[Multifactor_Authentication#Duo_Device_Management_Portal_on_WPconnect|Duo Device Management Portal available in WPconnect]] through Duo icon located in the Apps menu.
 
'''<big>How do I download and associate the Duo App to my account?'''</big>
 
Visit your App Store and [[Multifactor_Authentication#Duo_App_for_Mobile_Devices|download the Duo App]].  Once you have the Duo app installed, follow the instructions in the  [[Multifactor_Authentication#Duo_Device_Management_Portal_on_WPconnect|Duo Device Management Portal]] section to associate the newly installed Duo app with your account.
 
===='''<big>What happens if I get a new smartphone?'''</big>====
 
Not a problem!  If you change mobile devices, or if your Duo App becomes disassociated with your account you will need to [[Multifactor_Authentication#Reactivating_the_Duo_App|reactivate your App]].  Use the passcode authentication method, or use a secondary device, to authenticate to WPconnect and visit the [[Multifactor_Authentication#Duo_Device_Management_Portal_on_WPconnect|Duo Device Management Portal]] to reactivate your Duo App on your new device.  Students can utilize duo push or passcode on their previous device to authenticate to the [[Multifactor_Authentication#Duo_Device_Management_Portal_on_WPconnect|Duo Device Management Portal]] or create a '''[[Multifactor_Authentication#Reactivating the Duo App using a One-Time Temporary Passcode|one-time bypass code]]'''.
 
'''<big>What happens if I don't have access to my primary device or I forget or lose my mobile phone?'''</big>
 
Information Technology suggests having several devices or phone numbers on your Duo settings, you should review and update them as needed.  Additionally, you can request a '''[[Multifactor_Authentication#Reactivating the Duo App using a One-Time Temporary Passcode|one-time bypass code]]''' thru the [https://wpconnect.wpunj.edu/mypwd/ '''Forgot Account/Password or Need Login Help?'''] button at the WPconnect login page.  (The Helpdesk has the ability to provide a one-time bypass code over the phone (additional information will be required to verify your identity) if needed, call our Helpdesk at 973-720-4357 for assistance.)
 
'''<big>What happens if I travel internationally or have limited cell/WiFi signal for my mobile phone?'''</big>
 
You can use the Duo Mobile app to generate a passcode without cellular data or an internet connection.
 
'''<big>What issues should I know about before I enroll?'''</big>
 
If you have configured an iOS or Android device to check your WPUNJ email or calender, you may need delete the account and re-add it. Please see the [https://itwikipub20.unv.campus.wpunj.edu/index.php/Multifactor_Authentication#Email_and_Multifactor_Authentication Email and Multifactor Authentication] section with more information.
 
'''<big>Regarding privacy, what information does Duo collect?'''</big>
 
Duo's Privacy and information collection statements are available at:
*Duo Services Privacy Notice - https://duo.com/legal/privacy-notice-services
*Duo Mobile Privacy Information - https://help.duo.com/s/article/4683
*What data does Duo collect? - https://help.duo.com/s/article/2939


==Authentication and Software==
==Authentication and Software==
Line 28: Line 118:
* [https://guide.duo.com/iphone iOS devices (iPhone and iPad)]
* [https://guide.duo.com/iphone iOS devices (iPhone and iPad)]
* [https://guide.duo.com/android Android devices]
* [https://guide.duo.com/android Android devices]
* [https://guide.duo.com/windows-phone Windows Phone]  **[https://help.duo.com/s/article/windows-phone-end-of-support?language=en_US Please note that as of January 1, 2019, Duo will no longer support the Duo App on Windows Phones.]**
 
====Duo Mobile App Push Troubleshooting====
====Duo Mobile App Push Troubleshooting====
If you have authorized your Duo Application, but you are not recieveing a notification on your phone, you may have disabled notifications for the Duo App.
If you have authorized your Duo Mobile Application but you are not receiving a notification to your phone, please make sure you have Enabled Notifications for Duo through your phone settings.  
 
* [https://help.duo.com/s/article/2051?language=en_US iOS Device Troubleshooting]
* [https://help.duo.com/s/article/2051?language=en_US iOS Device Troubleshooting]
* [https://help.duo.com/s/article/2050?language=en_US Android Device Troubleshooting]
* [https://help.duo.com/s/article/2050?language=en_US Android Device Troubleshooting]


===Duo Multifactor for Landline and other Mobile Devices===
If you have changed mobile devices, you will need to [[Multifactor_Authentication#Reactivating_the_Duo_App|reactivate your App]]. '''[[Multifactor_Authentication#Reactivating the Duo App using a One-Time Temporary Passcode|If you do not have a secondary device]]''', you can utilize our [https://wpconnect.wpunj.edu/misc/pwd_reset/ "I Don't Have My Duo Device"] app found in the [https://wpconnect.wpunj.edu/mypwd/ "Forgot Account/Password or Need Login Help?"] button on WPconnect's login page. (Faculty and Staff can receive a passcode by text message or authenticate by phone call as well.)


If you are unable to utilize the Mobile App, you will still be able to register a Generic Mobile phone number to receive text message passcodes or phone calls, or a Landline to receive calls.  These devices are [[Multifactor_Authentication#DUO_Device_Management_Portal_on_WPconnect|registered and managed thru WPconnect]].
===Duo Multifactor for Landline and other Mobile Devices for Employees===


==Logging in to WPconnect==
If an employee is unable to utilize the Mobile App, they will still be able to register a Generic Mobile phone number to receive text message passcodes or phone calls, or a Landline to receive calls.  These devices are [[Multifactor_Authentication#Duo_Device_Management_Portal_on_WPconnect|registered and managed through WPconnect]].
 
==Duo Device Management Portal on WPconnect==
{{#ev:youtube|hCYUd6Sp4Zs|500|right}}
[[File:Duo1.S.PNG|right|200px]]
 
To manage your multifactor authentication devices you will need to visit the Duo Device Management Portal through WPconnect. The Duo Device Management Portal is listed as Duo under Applications. You can Add or Remove devices from this portal.  Mobile devices, both cellphones and tablets, as well as Landline phone numbers can be added for Authentication.  Additional documentation can be found on the [https://guide.duo.com/manage-devices Duo guide] as well.
 
If you get a new phone, please see our Frequently Asked Questions [[Multifactor_Authentication#What_happens_if_I_get_a_new_smartphone.3F|here]].
 
===Manage Devices===
 
To manage your devices you must first authenticate against one of you existing devices. Click one of the green icons to start the process and follow the on-screen prompts. If you recently got a new phone, please see our Frequently Asked Questions to re-activate [https://itwiki.wpunj.edu/index.php?title=Multifactor_Authentication&action=submit#What_happens_if_I_don.27t_have_access_to_my_primary_device_or_I_forget_or_lose_my_mobile_phone.3F here].
 
[[File:DuoManagementWPconnect1.png|300px]]
 
From '''My Settings & Devices''' you can add a device or remove an old device, or select a device to automatically send a push notification to upon login.
 
[[File:DuoManagementWPconnect2.png|300px]][[File:DuoManagementWPconnect4.png|300px]]
 
===Reactivating the Duo App===
{{#ev:youtube|F0TG3WTO_88|400|right}}
To Reactivate your Duo App, please login to WP Connect and navigate to the Duo Management Application from Apps.  You will need to receive a second phone call or passcode to access this App.
 
From '''Device Options''' you can '''Activate''' or '''Reactivate Duo Mobile''' (if you have a new mobile device), or change the description of you device.
 
[[File:DuoManagementWPconnect3a.png|300px]][[File:DuoManagementWPconnect3.png|300px]]
 
Follow the onscreen instructions until you reach the QR code.  Scan the QR code with your Duo Mobile App.
 
===Reactivating the Duo App using a One-Time Temporary Passcode===
Reactivating your Duo App will follow the above instructions, however if you do not have your previous device, or if the App has stopped working, you will need to request a Duo Temporary Passcode from the [https://wpconnect.wpunj.edu/mypwd/ Login Assistance page] (This is the "Forgot Account/Password or Need Login Help? button on the WPconnect login page) and login to the [https://wpconnect.wpunj.edu/duo_device_management.cfm Duo Device Management] page directly.
 
[[File:Duo1.1.JPG|400px]][[File:Duo1.2.JPG|600px]]
 
===Add a new a device===
 
When adding a new device, you will be asked for the device type, Mobile Phone, Tablet, or Landline. (Landline is only available on employee accounts)  Please provide the phone number and device type for mobile devices.  Download the Duo App for your smart phone, and scan the QR code provided on the screen to associate the App to your account.
 
<gallery>
File:DuoManagement-AddDevice1.png
File:DuoManagement-AddDevice2.png
File:DuoManagement-AddDevice3.png
File:DuoManagement-AddDevice4.png
File:DuoManagement-AddDevice5.png
File:DuoManagement-AddDevice6.png
File:DuoManagement-AddDevice7.png
File:DuoManagement-AddDevice8.png
</gallery>
 
==Logging in to WPconnect==  
{{#ev:youtube|q4WDggAxeTY|500|right}}


After you have logged in to the "Shibboleth" login page, you will be redirected to the Multifactor Authentication page for Duo.
After you have logged in to the "Shibboleth" login page, you will be redirected to the Multifactor Authentication page for Duo.
Line 45: Line 187:


This page will allow you to select the Device you would like to use for Authentication.  You can enroll multiple phone numbers or mobile device including tablets.  
This page will allow you to select the Device you would like to use for Authentication.  You can enroll multiple phone numbers or mobile device including tablets.  
'''Note: There is an option to remember your device by using the "Remember me for 4 hours" option if you do not want to be prompted everytime you log in to WPconnect'''
 
'''Note: There is an option on the login screen to remember your device by using the "Remember me for 12 hours" option if you do not want to be prompted everytime you log in to WPconnect. If you later notice the option is greyed out, you'll need to click on the CANCEL button first, then you'll be able to click on the "remember for 12 hours" option.'''


[[File:DuoLoginWPconnect2.png|300px]][[File:DuoLoginWPconnect2-1.png|300px]]
[[File:DuoLoginWPconnect2.png|300px]][[File:DuoLoginWPconnect2-1.png|300px]]
Line 57: Line 200:
[[File:DuoLoginWPconnect4.png|300px]][[File:DuoLoginWPconnect4-2.png|400px]]
[[File:DuoLoginWPconnect4.png|300px]][[File:DuoLoginWPconnect4-2.png|400px]]


==Account Lockout==
'''Please note that your account will be locked out after a number of authentication failures.'''  Please [https://www.wpunj.edu/helpdesk submit a ticket], or calling 973-720-4357 to have your account unlocked.
'''Please note that your account will be locked out after a number of authentication failures.'''  Please [https://www.wpunj.edu/helpdesk submit a ticket], or calling 973-720-4357 to have your account unlocked.


[[File:DuoLoginWPconnect5.png|300px]]
[[File:DuoLoginWPconnect5.png|300px]]


==DUO Device Management Portal on WPconnect==
<!-- ==Authorizing Email Applications==


To manage your multi function authentication devices you will need to visit the DUO Device Management Portal thru WPconnect.  The DUO Device Management Portal is listed as Duo under Applications.  You can Add or Remove devices from this portal.  Mobile devices, both cellphones and tablets, as well as Landline phone numbers can be added for Authentication.
-->


===Manage Devices===
==Email and Multifactor Authentication==
 
'''Please note you may need to reconfigure email on mobile devices once you have moved to using Multifactor Authentication'''


To manage your devices you must first authenticate against one of you existing devices.
===Office 365 Login===


[[File:DuoManagementWPconnect1.png|300px]]
#Provide your full email address at the Microsoft Login Page
#On the WP Login page, for Office 365, use your '''full email address''' and WP password
#Select the device you would like to use for Multifactor Authentication
#Authorize Multifactor Authentication
#If you are using your own computer '''you may select Yes to stay logged in'''.  Please note that this will keep your Office 365 connection open and you will not be prompted for your user name and password or Multifactor Authentication method for an extended period of time.  '''Select No''' if you are using a shared computer or someone elses machine.


From '''My Settings & Devices''' you can add a device or remove an old device, or select a device to automatically send a push notification to upon login.
[[File:MFA-Office365-1.PNG|200px]]
[[File:MFA-Office365-2.PNG|200px]]
[[File:MFA-Office365-3.PNG|200px]]
[[File:MFA-Office365-4.PNG|200px]]


[[File:DuoManagementWPconnect2.png|300px]][[File:DuoManagementWPconnect4.png|300px]]


===Outlook===


===Reactivating the Duo App===
#Outlook may prompt you to login using the same Office 365 login screen.<br>[[File:MFA-Outlook-1.PNG|200px]]


From '''Device Options''' you can '''Reactivate your Duo Application''' (if you have a new mobile device), or change the description of you device.
===Apple Mail===


[[File:DuoManagementWPconnect3.png|300px]]
Apple Mail is supported on 10.14, Mojave.  Older versions of Apple Mail do not support Microsoft Modern Authentication and Multifactor Authentication.


When configuring your email, you will be prompted to log in, with the same orange login screen that appears when using Office 365.


===Add a new a device===
===Email on Smartphones===
The Outlook App for both [https://itunes.apple.com/us/app/microsoft-outlook/id951937596?mt=8 iOS] and [https://play.google.com/store/apps/details?id=com.microsoft.office.outlook&hl=en_US Android] devices allows access to your Email, Calendars and Contacts in one convient App.


[[File:DuoManagement-AddDevice1.png|300px]][[File:DuoManagement-AddDevice2.png|300px]][[File:DuoManagement-AddDevice3.png|300px]][[File:DuoManagement-AddDevice4.png|300px]]
[[IOS_Email_Settings|iOS]] users, using the Apple Mail App, will need to remove the email account and re-add the account to their devices. [[IOS_Email_Settings|Instructions on adding Email to iOS devices can be found here]].


[[File:DuoManagement-AddDevice5.png|300px]][[File:DuoManagement-AddDevice6.png|300px]][[File:DuoManagement-AddDevice7.png|300px]][[File:DuoManagement-AddDevice8.png|300px]]
[[Android_Email_Settings|Android]] users, please note that the native android mail client is not compatible with Microsoft Modern Authentication. [[Android_Email_Settings|Please download the Outlook App for Android.]]


==Additional VPN Authentication for Cisco Any Connect Client==
==Additional VPN Authentication for Cisco Any Connect Client==


Multifactor (Two Factor) Authentication is required for William Paterson University VPN Access.  If you have not signed up for Multifactor Authentication, [http://www.wpunj.edu/help please request access using the ticket type Account -> VPN Access].
Multifactor Authentication is required for [[VPN_Remote_Access|William Paterson University VPN Access]].  If you require access to VPN, [http://www.wpunj.edu/help please request access using the ticket type Account -> VPN Access].
{{#ev:youtube|pgrzRIQ9874|400}}
{{#ev:youtube|pgrzRIQ9874|400}}


Line 100: Line 255:


===Second Password Field===   
===Second Password Field===   
[[File:Anyconnect3.PNG|thumb|left|alt=The second password field appears in the Cisco Anyconnect tool.|The second password field appears in the Cisco Anyconnect tool.]]


The following is utilized when using the Cisco Any Connect Client for VPN.  The second password field is where you define the method of multifactor authentication you will be utilizing.  
The following is utilized when using the Cisco Any Connect Client for VPN.  The second password field is where you define the method of multifactor authentication you will be utilizing.
 
{|
{|
! style="text-align:left;"|Authentication Method
! style="text-align:left;"|Authentication Method
!  &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
!  &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
! style="text-align:left;"|Passcode
! style="text-align:left;"|Second Password
|-
|-
|Duo App Push Verification  
|Duo App Push Verification  
|   
|   
|push
|'''push'''
|(See image 1. below)
|(See image 1. below)
|-
|-
|Duo App to Generate Authentication Code
|Duo App to Generate Authentication Code
|       
|       
|Enter Code displayed in App
|'''Enter Code displayed in App'''
|(See image 2. below)
|(See image 2. below)
|-
|-
|Text Message
|Text Message
|   
|   
|sms &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
|'''sms''' &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
|(You will receive a text message with a key that will expire after one hour)
|(You will receive a text message with a key that will expire after one hour)
|-
|-
|Phone Call
|Phone Call
|   
|   
|phone &nbsp; &nbsp; &nbsp; &nbsp;  
|'''phone''' &nbsp; &nbsp; &nbsp; &nbsp;  
|(If you have registered multiple phone numbers, enter phone1, phone2, as needed)
|(If you have registered multiple phone numbers, enter phone1, phone2, as needed)
|}
|}
Line 137: Line 293:
<p>[[File:duo_iphone1.PNG|200px]]</p>
<p>[[File:duo_iphone1.PNG|200px]]</p>
|}
|}
<!-- ==Campus Announcement about Multifactor Authentication==
From: Eric Rosenberg<br>
Sent: Wednesday, November 28, 2018<br>
Subject: IMPORTANT: Implementation of Multifactor Authentication for WPUNJ Accounts<br>
<br>
<font color=red>'''Please read the important information below regarding changes affecting your WPUNJ account.'''</font><br>
<br>Summary:<br>
*''WP is implementing multifactor authentication (MFA) for WPconnect, email, and associated systems''
*''Employees can review/edit their MFA phones/devices and opt-in to use MFA now thru WPconnect. ''
*''MFA will be required for all employee logins starting on January 14th 2019''
<br>
In recent months, William Paterson has encountered a significant increase in phishing and other online attacks by individuals seeking to compromise WPUNJ accounts for financial gain. This includes attempts to manipulate bank account information for employee direct deposits and student refunds, as well other scams intended to defraud employees and students.<br>
<br>As passwords alone no longer ensure account security, the university will be implementing multifactor authentication (also known as two-factor or multifactor verification) to protect individual accounts and improve the university’s online security. Similar to forms of multifactor authentication in use by online banking, shopping, social media, and personal email account sites, WPUNJ’s [http://www.duo.com Duo] multifactor authentication application will provide an extra layer of security to ensure that only you login to your account.<br>
<br>'''Beginning today,''' employees can opt-in to use Duo authentication for WPconnect, WPUNJ email, and other associated systems.<br>
<br>'''Starting on January 14, 2019, all active employees will be required to use Duo authentication when logging into these systems.'''<br>
<br>'''How It Works'''<br>
After entering your username and password, you will be prompted to validate your login by choosing a notification through the Duo Mobile smartphone app, a phone call, or a text message in order to complete your login. Please see our [https://www.youtube.com/watch?v=q4WDggAxeTY video tutorial] that demonstrates the Duo login process.<br>
<br>'''Managing Your Duo Phones/Devices'''<br>
Your Duo account will include the cell, campus, and home phone numbers on file in the university’s Banner and Emergency Alert systems. Prior to opting in, you can review these numbers. Once you have opted in, you can add and activate existing phones or devices through the Duo Device Management Portal available in WPconnect (accessed by clicking the Duo icon in the Apps menu.)<br>
<br>'''Steps to Opt-in and Enable Multifactor Authentication (MFA)'''<br>
#Login to WPconnect. Click Notifications, then ‘Action required: Opt-in for Duo Multifactor Authentication'
#Review/update the phone numbers associated with your account. Review the tips, videos, and additional information on using Duo.
#Click Enable Duo to confirm your opt-in.
#(Optional, but highly recommended) Activate the Duo smartphone app using the Duo Device Management Portal (video tutorial below.)
<br>
Rollout of multifactor authentication for WPUNJ students is expected to occur in Spring 2019.<br>
If you have any concerns please feel free to e-mail or call me. Questions about set-up or use of Duo can be directed to the Helpdesk at [http://www.wpunj.edu/help www.wpunj.edu/help] or (973) 720-4357.<br>
<br>
Thank you for working with us to ensure a secure system environment at William Paterson University. '''Please opt-in soon.'''  <br>
Eric Rosenberg<br>
Chief Information Officer<br>
-->


[[Category:Network Services]]
[[Category:Network Services]]

Latest revision as of 07:17, 25 September 2023


Duobanner.png

Frequently Asked Questions

Multifactor Authentication is a second layer of security for your William Paterson account. After typing in your password, you will need a second form of authentication (a push notification or 6-digit code from the duo mobile app, faculty and staff can also receive a call or text.) to log in and prove that it's really you logging into your account. Without two-factor, anyone with your username and password could log into your account. With two-factor, only you will be able to log in because you need to use your phone to approve logins.

Multifactor Authentication (MFA or Two Factor Authentication) is required for William Paterson University faculty and staff for WPconnect, email, VPN Access, and additional WP services. WPUNJ’s Duo multifactor authentication application will provide an extra layer of security to ensure that only you login to your account. We are now encouraging students to enroll as well, and to utilize the Duo Mobile App.

What is Duo Multifactor Authentication?

Duo is a Multifactor Authentication product that the university is implementing to secure our WP accounts. William Paterson University started using Duo in 2016 for all VPN users. The Duo App is available for use on smartphones to authenticate using a Push notification or a Passcode. Duo also the product used to authenticate faculty and staff via phone call or text message passcodes.

Why is William Paterson requiring multifactor authentication?

Universities and other education institutions have encountered a significant increase in phishing and other online attacks in attempt to compromise accounts for financial gain. As passwords alone no longer ensure account security, the university will be implementing multifactor authentication to protect individual accounts and improve the university’s overall online security. Similar to forms of multifactor authentication in use by online banking, shopping, social media, and personal email account sites, WPUNJ’s Duo multifactor authentication application will provide an extra layer of security to ensure that only you login to your account.

How does Multifactor Authentication work?

Duo how-it-works.png

After your password is entered, the MFA logon procedure will prompt you to validate your login by choosing a notification through the Duo Mobile smartphone app (a phone call, or a text message for faulty and staff) in order to complete the login.

What Multifactor Authentication methods can I utilize?

Faculty and Staff can choose to receive a Push notification on your iOS or Android device, a text message, or a phone call.

Students can choose to receive a Push notification or to generate a Passcode on your iOS or Android device using the Duo Mobile Application.

Authentication Method             Faculty and Staff           Students
Duo App Push Verification

Duo check.png

Duo check.png
Duo App to Generate Authentication Code Duo check.png Duo check.png
Text Message Duo check.png Duo x.png
Phone Call Duo check.png Duo x.png

What services require Multifactor Authentication?

WPconnect, Office365, Email, and other WP online services require you to use Multifactor Authentication once enrolled. You may be prompted to log in when setting up email thru Outlook on your computer, you may need to remove and add your email account on your mobile device or obtain the Outlook App for your device.

There is an optional check box on the login screen to remember your device for 12 hours. You can also set your account to automatically send your default device a Push notification. (Students can remember their device for 24 hours)

How do I register my phone number?

Information Technology has prepopulated the Duo system with cell phone, office phone, or home phone information based on phone information available in the university’s Banner system for faculty and staff. Students will be asked for their phone number upon enrollment in Multifactor Authentication. You can add, edit, and remove devices or phones through the Duo Device Management Portal available in WPconnect through Duo icon located in the Apps menu.

How do I download and associate the Duo App to my account?

Visit your App Store and download the Duo App. Once you have the Duo app installed, follow the instructions in the Duo Device Management Portal section to associate the newly installed Duo app with your account.

What happens if I get a new smartphone?

Not a problem! If you change mobile devices, or if your Duo App becomes disassociated with your account you will need to reactivate your App. Use the passcode authentication method, or use a secondary device, to authenticate to WPconnect and visit the Duo Device Management Portal to reactivate your Duo App on your new device. Students can utilize duo push or passcode on their previous device to authenticate to the Duo Device Management Portal or create a one-time bypass code.

What happens if I don't have access to my primary device or I forget or lose my mobile phone?

Information Technology suggests having several devices or phone numbers on your Duo settings, you should review and update them as needed. Additionally, you can request a one-time bypass code thru the Forgot Account/Password or Need Login Help? button at the WPconnect login page. (The Helpdesk has the ability to provide a one-time bypass code over the phone (additional information will be required to verify your identity) if needed, call our Helpdesk at 973-720-4357 for assistance.)

What happens if I travel internationally or have limited cell/WiFi signal for my mobile phone?

You can use the Duo Mobile app to generate a passcode without cellular data or an internet connection.

What issues should I know about before I enroll?

If you have configured an iOS or Android device to check your WPUNJ email or calender, you may need delete the account and re-add it. Please see the Email and Multifactor Authentication section with more information.

Regarding privacy, what information does Duo collect?

Duo's Privacy and information collection statements are available at:

Authentication and Software

Duo App for Mobile Devices

"Duo Mobile" can be downloaded from either the Apple App Store or the GooglePlay Store.

iPhone Duo Application

Duo iphoneApp.PNG

            Android Duo Application

Duo androidApp.PNG

            Download the Duo Mobile App

Duo Mobile for iPhone

Duo Mobile for Android

If you change mobile devices, or if your Duo App becomes disassociated with your account you will need to reactivate your App.

Duo Mobile App Support Documentation

For more information on the Duo Mobile Applications please see the Duo Support Documentation -

Duo Mobile App Push Troubleshooting

If you have authorized your Duo Mobile Application but you are not receiving a notification to your phone, please make sure you have Enabled Notifications for Duo through your phone settings.

If you have changed mobile devices, you will need to reactivate your App. If you do not have a secondary device, you can utilize our "I Don't Have My Duo Device" app found in the "Forgot Account/Password or Need Login Help?" button on WPconnect's login page. (Faculty and Staff can receive a passcode by text message or authenticate by phone call as well.)

Duo Multifactor for Landline and other Mobile Devices for Employees

If an employee is unable to utilize the Mobile App, they will still be able to register a Generic Mobile phone number to receive text message passcodes or phone calls, or a Landline to receive calls. These devices are registered and managed through WPconnect.

Duo Device Management Portal on WPconnect

Duo1.S.PNG

To manage your multifactor authentication devices you will need to visit the Duo Device Management Portal through WPconnect. The Duo Device Management Portal is listed as Duo under Applications. You can Add or Remove devices from this portal. Mobile devices, both cellphones and tablets, as well as Landline phone numbers can be added for Authentication. Additional documentation can be found on the Duo guide as well.

If you get a new phone, please see our Frequently Asked Questions here.

Manage Devices

To manage your devices you must first authenticate against one of you existing devices. Click one of the green icons to start the process and follow the on-screen prompts. If you recently got a new phone, please see our Frequently Asked Questions to re-activate here.

DuoManagementWPconnect1.png

From My Settings & Devices you can add a device or remove an old device, or select a device to automatically send a push notification to upon login.

DuoManagementWPconnect2.pngDuoManagementWPconnect4.png

Reactivating the Duo App

To Reactivate your Duo App, please login to WP Connect and navigate to the Duo Management Application from Apps. You will need to receive a second phone call or passcode to access this App.

From Device Options you can Activate or Reactivate Duo Mobile (if you have a new mobile device), or change the description of you device.

DuoManagementWPconnect3a.pngDuoManagementWPconnect3.png

Follow the onscreen instructions until you reach the QR code. Scan the QR code with your Duo Mobile App.

Reactivating the Duo App using a One-Time Temporary Passcode

Reactivating your Duo App will follow the above instructions, however if you do not have your previous device, or if the App has stopped working, you will need to request a Duo Temporary Passcode from the Login Assistance page (This is the "Forgot Account/Password or Need Login Help? button on the WPconnect login page) and login to the Duo Device Management page directly.

Duo1.1.JPGDuo1.2.JPG

Add a new a device

When adding a new device, you will be asked for the device type, Mobile Phone, Tablet, or Landline. (Landline is only available on employee accounts) Please provide the phone number and device type for mobile devices. Download the Duo App for your smart phone, and scan the QR code provided on the screen to associate the App to your account.

Logging in to WPconnect

After you have logged in to the "Shibboleth" login page, you will be redirected to the Multifactor Authentication page for Duo.

DuoLoginWPconnect1.png

This page will allow you to select the Device you would like to use for Authentication. You can enroll multiple phone numbers or mobile device including tablets.

Note: There is an option on the login screen to remember your device by using the "Remember me for 12 hours" option if you do not want to be prompted everytime you log in to WPconnect. If you later notice the option is greyed out, you'll need to click on the CANCEL button first, then you'll be able to click on the "remember for 12 hours" option.

DuoLoginWPconnect2.pngDuoLoginWPconnect2-1.png

The suggested method of Multifactor authentication is to use Duo Push which utilizes the Duo Mobile Application on your mobile phone or tablet.

DuoLoginWPconnect3.png

Additionally, you can select to receive a phone call and acknowledge you login by pressing any key, or by using a Passcode that you generate using the Duo Mobile Application or by receiving a text message.

DuoLoginWPconnect4.pngDuoLoginWPconnect4-2.png

Account Lockout

Please note that your account will be locked out after a number of authentication failures. Please submit a ticket, or calling 973-720-4357 to have your account unlocked.

DuoLoginWPconnect5.png


Email and Multifactor Authentication

Please note you may need to reconfigure email on mobile devices once you have moved to using Multifactor Authentication

Office 365 Login

  1. Provide your full email address at the Microsoft Login Page
  2. On the WP Login page, for Office 365, use your full email address and WP password
  3. Select the device you would like to use for Multifactor Authentication
  4. Authorize Multifactor Authentication
  5. If you are using your own computer you may select Yes to stay logged in. Please note that this will keep your Office 365 connection open and you will not be prompted for your user name and password or Multifactor Authentication method for an extended period of time. Select No if you are using a shared computer or someone elses machine.

MFA-Office365-1.PNG MFA-Office365-2.PNG MFA-Office365-3.PNG MFA-Office365-4.PNG


Outlook

  1. Outlook may prompt you to login using the same Office 365 login screen.
    MFA-Outlook-1.PNG

Apple Mail

Apple Mail is supported on 10.14, Mojave. Older versions of Apple Mail do not support Microsoft Modern Authentication and Multifactor Authentication.

When configuring your email, you will be prompted to log in, with the same orange login screen that appears when using Office 365.

Email on Smartphones

The Outlook App for both iOS and Android devices allows access to your Email, Calendars and Contacts in one convient App.

iOS users, using the Apple Mail App, will need to remove the email account and re-add the account to their devices. Instructions on adding Email to iOS devices can be found here.

Android users, please note that the native android mail client is not compatible with Microsoft Modern Authentication. Please download the Outlook App for Android.

Additional VPN Authentication for Cisco Any Connect Client

Multifactor Authentication is required for William Paterson University VPN Access. If you require access to VPN, please request access using the ticket type Account -> VPN Access.

Using VPN with Multifactor Authentication

  1. After you have set up your account, you will continue to use the Cisco AnyConnect client as you have in the past.
  2. When you provide your login credentials you will now be provided with a secondary authentication box. You can then either use an app on your android (or iphone) to generate a key OR type "push" in the secondary authentication box. Using "push" will send a notification to the app on your phone. (Using "sms" will initiate a text with an authentication key that will expire after one hour, or "phone" if you have signed up for a phone call.)

Second Password Field

The second password field appears in the Cisco Anyconnect tool.
The second password field appears in the Cisco Anyconnect tool.

The following is utilized when using the Cisco Any Connect Client for VPN. The second password field is where you define the method of multifactor authentication you will be utilizing.

Authentication Method             Second Password
Duo App Push Verification push (See image 1. below)
Duo App to Generate Authentication Code Enter Code displayed in App (See image 2. below)
Text Message sms             (You will receive a text message with a key that will expire after one hour)
Phone Call phone         (If you have registered multiple phone numbers, enter phone1, phone2, as needed)



1. Authorizing access through the Duo App

Duo iphone2.PNG

            2. Generating a Key in the Duo App

Duo iphone1.PNG