DUO Multi-Factor Authentication

Context: 

Ever-increasing computing security threats raise risks to our campus data and computing services. Threats, which include phishing, spying malware, and even bad actors gaining access to our network, make additional safeguards for network access a must.  The Claremont Colleges Services (TCCS) have jointly contracted with a leading Multi-Factor Authentication (MFA) vendor, DUO Security, to implement MFA in our computing environment.  This effort is also being driven by requirements for us to comply with legislation including the Gramm-Leach-Bliley Act (GLBA), which mandates use of MFA for securing systems that may process Confidential Unclassified Information (CUI). As such, we are implementing MFA for Claremont McKenna College (CMC) Staff, Faculty, and Students. 

MFA provides a second layer of security during login by requiring “something you know” (your password) and “something you have” (an authenticating phone or device).  This will protect user logins from remote attacks that may try to exploit stolen usernames and passwords.

DUO has been implemented as the MFA step for all services accessed using The Claremont Colleges Central Authentication Service (CAS). CMC ITS will designate accounts to be active with DUO.  When you authenticate through the CAS login screen with an account enabled for DUO, the CAS service will pass control to DUO Security, which will carry out the MFA process. 

DUO can be configured to authenticate users through multiple methods. We recommend that you download and install the DUO Mobile App from the Apple App Store or Google Play Store.  When you log in and send a push request, the DUO Mobile App will open and request an “approve” or “deny” response. DUO can also call landlines or other mobile phones instead of using a smartphone app. The phone call will ask you to respond with a “1” from your keypad to approve the login request.  DUO can also be configured for tablets and hardware tokens (similar to a car fob) to complete the DUO authentication process.

DUO will allow you the option to remember that device as being authorized for a period of time.  For staff, the device will be remembered for seven days, while for faculty and students it will be remembered for thirty days. Subsequent logins on that device will not prompt the MFA portion of authentication until the designated number of days has elapsed.

Procedure:

Activation of DUO

Once CMC ITS has designated your account as active for DUO, the next time you log in at the CAS screen, you will be prompted to set up DUO on a new device.

CMC Duo “What Type of Device are you adding?” Page with choices Mobile Phone, Tablet, Landline, Security Key, with arrow pointing to Mobile Phone and Continue

If you would like to set up DUO on your smartphone, select the Mobile Phone option and the interface will begin the process of installing the DUO Mobile App.  

If you would like to set up the DUO Mobile App on an iPad or Android tablet, select the Tablet option and follow the process of adding a tablet device. 

If you would like to set up DUO to call your office phone or other phone number, select the Landline option to add a phone number to be called. 

Authenticating Logins with DUO

Once you complete the initial setup for DUO, you will be prompted to approve your login based on the option(s) you configured. A sample login may look like this:

1.    Enter account information on the Central Authentication Services page.

i.    Select Claremont McKenna College from the Institution drop-down list.
ii.   Enter your CMC username and password.
iii.  Click Login to continue.

The Claremont Colleges Central Authentication Service with example login prompt for CMC users “ASmith”

2.    DUO will prompt to choose an authentication method.

CMC Duo “Choose an authentication method” Page with choices i. A. Send Me A Push, B. Call Me, C. Enter a Passcode and ii. Remember Me for 7 Days Choice Selected

i.    First, check the Remember me for X days box.
ii.   Then select one of the following options to approve your login request:
A.    Send Me a Push - To use the DUO Mobile App.
B.    Call Me - To approve access through a phone call.
C.    Enter a Passcode - If you have a DUO token or bypass code. The DUO Mobile app also provides time-based passcodes that work even without a WiFi connection or cellular data on the phone (for example, on an airplane).

3.    Unlock your phone and launch the DUO Mobile App.

Duo Mobile Login Request from the CAS: (Central Authentication Service) on an iPhone iOS 10 interface

4.    From the DUO banner, tap ‘Request Waiting. Tap to Respond…’

Duo Mobile app interface: With “1 Request Waiting. Tap to Respond” banner visible and arrow pointed to it and Duo-Protected Claremont McKenna College block underneath

5.    Tap the Approve button on the next screen to proceed.

Duo Mobile app interface: Approve/Deny Login request powered by Duo Security coming from the CMC  CAS service with user “ASmith”, IP Address: 123.456.789.01 in the U.S. at 12:12:23 P.M. PDT on June 25, 2019 with arrow pointing to Approve

Frequently Asked Questions:

How do I set up DUO – For My Smartphone? For My Tablet? For My Landline?
What if my app asks for approval and I am not trying to log in?
I have a new phone or tablet – how do I add it to DUO?
My phone was lost or stolen – what do I do?
I changed/upgraded my phone – what do I do? 
I changed my phone number – what do I do?
What if DUO doesn’t seem to remember me when I check the box?
What if I have given away or sold my phone or tablet?
How Do I Use Duo to Sign In if I’m Traveling Abroad?
Common issues and Troubleshooting
How do I get added by ITS so my account is covered by DUO?
What are my options if I don't want to use my personal devices for DUO?
Why is DUO in place at CMC? (Policy)