Why is Clarkson implementing Two Factor Authentication?
In higher education, our information systems are subject to increasingly sophisticated and persistent attacks that seek to steal the information that we are entrusted with protecting. Passwords alone have proven to be an ineffective means to mitigate the current threat to our information resources. Two-factor authentication decreases the risk of compromises and data breaches by requiring two factors to confirm your identity -- something you know (your password) and something you have (e.g., a mobile phone or hardware token).
Enrollment in Duo is mandatory for all faculty and staff (including student workers) and is a key component of Clarkson’s information security initiative. Beginning today, you can enroll your account by visiting the Clarkson Duo Self-Service Portal at https://duoportal.clarkson.edu/. This begins the six-week soft launch, during which you may enroll at your convenience. Beginning on October 14, 2019, enrollment will be mandatory and unenrolled accounts will be denied access to Clarkson services.
How does Duo work?
Duo is a two-factor authentication system that Clarkson is implementing on multiple services to increase security. After you log in with your username and password, Duo confirms your identity using one of the following methods, which you choose:
- Sending a push notification to the Duo Mobile app on your smartphone that you acknowledge to confirm your identity.
- Requiring a passcode:
  - that you requested via the Duo Authentication prompt,
  - that you generated on your Duo Mobile app,
  - or that is displayed on a hardware token.
Where has Duo been implemented at Clarkson?
Duo has been deployed as part of the Central Authentication Service (CAS), which protects myCU (PeopleSoft Student), PeopleSoft Finance, PeopleSoft HR, Moodle, Slate, Nolij, Intranet, Concerto (Digital Signage), and many other services.
In the coming months, Duo will be expanded to protect G Suite (which includes: Gmail, Google Drive, etc.). At that future date, Duo will replace the Google Two-Factor Authentication mechanism that is currently used to protect all staff accounts.
What are my authentication options?
Currently we support three forms of additional authentication:
- Push notifications on a cell phone through the Duo app, also known as a "Duo Push" (Strongly Recommended, requires an Internet connection)
  - If you have been issued a Clarkson-owned cell phone, this is the mandatory method.
- Entering a security key generated by the Duo app on your cell phone (does not require an Internet connection).
- Entering a security key generated by a Duo hardware token (does not require an Internet connection).
How do I enroll in Duo?
Detailed instructions for enrolling your cell phone in Duo are available here.
Do I have to use Duo every time I log in?
You will have the option to "trust" the computer you are logging in from for 15 days. (This option requires that you use the same browser and not clear your browser cache.)
There are several common reasons why you may not be able to select the option to remember your device:
- If you have configured Duo to automatically send you a push instead of asking you which method to use.
- If you are connecting via an iPad, iPhone, or Android device.
- If your web browser does not have cookie support enabled.
What if I don't have a data plan on my phone? What if I don't have a connection?
The Duo smartphone app provides options that work without a data plan, a texting plan or even a connection, if necessary. The app can generate the required code without need of either a telephone signal or data plan, and it can do so anywhere in the world. If you have a signal and data plan, the app makes two-factor authentication as easy as pushing a single button, but if you don't, you can use the app to generate a six-digit code and enter that instead.
What if I don't have my phone?
You can contact the Clarkson IT HelpDesk. They will verify your identity and provide a temporary passcode.
What if I lose my phone?
Please contact the Clarkson IT HelpDesk. They will immediately lock your Duo account and will provide you with an alternative method to authenticate. (You should also contact your mobile carrier and have them lock your mobile account as well.)
What if I get a new phone?
You can use the self-service portal at https://duoportal.clarkson.edu to add a new mobile device. If your Duo account was previously locked due to a lost-phone incident, please contact the HelpDesk for assistance.
Can I opt-out of using Duo?
No. Enrolling in Duo helps protect your account from compromise even if you never expect to need it. Consequently, for the increased protection of your own personal information, the information of our faculty, staff, and students, as well as other Clarkson Information Systems, all faculty and staff (including student workers) must enroll in Duo Security.
Can I use Duo while outside of the United States?
If you’ll have reliable internet access on your device while abroad, Duo Mobile and its “Send Me a Push” option for signing in will work normally.
If you won’t have internet access on your device, Duo Mobile can operate while offline using the “Enter a Passcode” option. A hardware token will also work offline but, since it is a physical device, it must be obtained before you begin traveling.
Use of Personal Devices
Can I use my own personal smartphone or tablet for 2FA?
Yes, absolutely. The University values personal choice and recognizes the convenience of using a personal device for 2FA.
Can employees use a personal device for 2FA, even for conducting University business?
Yes, again. Employees can use a personal device for 2FA, even for University business. A personal device enables safe and convenient two-factor authentication to systems used to conduct University business. From a cost and risk perspective, it’s often more effective than other 2FA options (such as landlines and hardware tokens). “Bring your own device” (BYOD) is a common operational model that acknowledges trends in society toward use of personal devices for user authentication.
Why does Duo Mobile ask for permission to use my camera?
Duo Mobile only needs permission to use your camera when you set up your smartphone or tablet. It only uses your camera to scan the Quick Response (QR) code used for activation. After activation, Duo Mobile doesn’t access your camera. You can remove this permission and Duo Mobile will work fine.
Will Duo Mobile monitor my personal device or data?
In general, Duo Mobile cannot access private data (like contacts, photos, text messages, email, etc.) on your phone. This article from Duo gives a description of what data Duo collects.
Does it cost me anything to use the service via my phone? If so, will I be reimbursed by Clarkson?
There is no cost to download or use the Duo Mobile smartphone app. Using the app to authenticate does not require an active data plan, texting plan or even a connection to the Internet. Clarkson will not reimburse you for using the Duo Mobile smartphone app on your personal device.
What if I don't have a cell phone or I don't want to install the Duo Mobile app on my personal smartphone?
The Duo Mobile app provides the most user-friendly experience; however, there is no requirement to use it on your personal smartphone. All users who have been issued a University-owned mobile device are required to use the Duo Mobile app on that device. Employees who do not own a personal smartphone or tablet, or who are unwilling to run the Duo Mobile app on their personal device, are eligible to receive an authentication token at no cost to their department. If the initial token is lost or damaged, departments will be charged a replacement cost of $30. To request a token, please contact the IT HelpDesk (firstname.lastname@example.org or 315-268-HELP).