Duo Two-Factor Authentication FAQ

Overview:

If you have a question about Duo, start with the Duo FAQ below!

Two-factor authentication is a second layer of security besides your username and password for any kind of account. It means you have to confirm your identity in two ways – with something you KNOW and something you HAVE. Duo is the application that WVU is using.

All faculty, students and staff in all WVU locations must use two-factor as of Sept. 10, 2018. Within 48 hours of registering for classes, new students will have 48 hours to voluntarily enroll a smartphone or display token. After that, they will be auto-enrolled, and the first time they try to log into a secure system, they will be prompted to enroll a device.

Students will remain subject to Duo until their student role in Banner (STAR) ends, which can be up to 100 days after the end of the last semester attended.

Two-factor is for faculty, staff and students only. Parents, guardians and partners may NOT use Duo two-factor to access the account of a student or employee. This is a violation of the University's Acceptable Use of Technology Resources Policy.

Retirees who are not Emeritus or otherwise working for WVU are exempt and will not need two-factor to check email.

Passwords can be and are compromised regularly. They’re no longer good enough to protect personal, sensitive or financial information. WVU’s data includes YOUR data. A large security breach could affect both the University’s finances and reputation, while the personal information of individuals could also be at risk.

Two-factor is also required for industries that handle credit card or financial data, including WVU, and it is a cyber liability insurance requirement.

Many universities are adopting the same approach as WVU, with no exemptions for any group of people or any location on campus. That includes the student population. Some of the schools taking the same approach as us are Indiana University, Baylor, Texas A&M, University of Miami, Virginia Tech and Pitt.

Students and employees use two-factor authentication to prove who they are all the time. Two-factor, quite simply, is something you HAVE (your device) and something you KNOW (username and password). The combination proves it’s really you.

Here are a few examples of how you may use two-factor in your everyday activities:

  • Log into Facebook or Twitter from a new computer or phone, and you’ll have to prove it’s you by entering a code.
  • Use a debit card with a chip, and you have to also enter your PIN.
  • Buy gas with a credit card, and you have to enter your ZIP code.
  • Log into a bank account with your password and answer an extra security question for which only you know the answer.

If two-factor or “multi-factor authentication” is offered by a service you regularly use, you should take advantage of it to gain the additional protection.

Most users will install the free Duo Mobile application from the appropriate app store on their smart phones. For set up instructions, view the two-factor authentication instruction guides at twofactor.wvu.edu.

If you select PUSH ALERTS, an alert will appear on your cell phone when you try to log into a secure system. You can tap the APPROVE box to confirm it’s you and complete the login. If the attempt to log in is not your own, tap the red box to DENY access.

If you don’t have cell service or Wi-Fi coverage, you can also select ENTER PASSCODE and enter a code generated by the Duo app installed on your phone or device. Simply open the app and tap the key icon in the upper right-hand corner. That will generate a passcode that will work with any browser.

If someone tries to log into a system using your credentials, please DENY the access request and immediately go to login.wvu.edu to change your password. Your login information may have been compromised.
Yes, Duo Mobile is free to download in the Apple Store, Google Play Store and Windows app store. View the How to Download Duo and Set Up Your Phone for instructions and information about compatible devices. 
If you are downloading the Duo app onto an Apple device, you will need an Apple ID. View Apple's support articles to learn how to create a new Apple ID without adding a payment method or remove a payment method from your existing Apple ID. Contact Apple Support if you need help with your Apple ID.

There is no cost associated with using the free Duo Mobile smartphone app because it uses so little of your data. Cell phones are the most popular choice for two-factor authentication because of the convenience. Most people seldom go anywhere without one. If you find the app isn’t effective, speak to your supervisor about using a hardware token that will generate passcodes.

You probably already use your phone for a work-related purpose, if only to check email or let your boss know that you’ll be out sick. General concerns about cell phone stipends and/or the use of a cell phone for your job, however, should be taken up with your supervisor.

Stipends have been reduced or eliminated because of ongoing budget pressures. ITS considers the use of your phone for two-factor authentication incidental, much like the incidental use of a WVU computer to email your significant other or check your Facebook account on a break.

One reason that WVU chose Duo Security is that it supports hardware alternatives to the free Duo Mobile app. For example, you may purchase a Duo display token and link it to your account. Hardware display tokens are about the size of a key fob and are used to generate codes to complete your login.

Yes. The Duo app will work on a smart phone even if you have no cell service or Wi-Fi coverage. Simply open the app and tap the key icon in the upper right-hand corner. That will generate a passcode, so your phone essentially functions like the display token. If you don’t want to use your phone at all, we recommend you purchase the Duo Digipass display token from a WVU Barnes & Noble store.

Once you enroll in Duo, you should be prepared to add the device you intend to use. If you don’t add the device at that time, you may lose your access and will have to call the ITS Service Desk for assistance at 304-293-4444.

After setting up Duo correctly, you will be prompted to enter your WVU Login credentials when accessing certain systems such as eCampus, Portal and MIX. Then you will be prompted to confirm your identity by sending yourself a push notification or code. You will prove it’s you by either opening the notification and tapping Approve on your mobile device, or entering a code generated by the Duo Mobile app or Duo display token.

To use Duo two-factor authentication you must download the FREE Duo Mobile app on your mobile device or purchase a Duo display token for $24.98 at any WVU Barnes & Noble bookstore.

If you’re using personal funds, you can buy a Duo display token for $24.98 at any physical or online WVU Barnes & Noble bookstore. Search for "Duo Security." The display token works with any web browser or device. Just push the green button to generate a one-time code that will complete your login.

Note: Sharing either your Duo security account or your WVU Login account with anyone, including parents or guardians, is a violation of the University's Acceptable Use of Data and Technology Resources Policy.
Duo display tokens have an expected minimum battery lifetime of seven years. Attempting to change the battery will destroy the device.
Your Duo display token may fall out of sync if the button is pressed many times without using the generated codes. Make sure you store your token safely to prevent other objects from accidentally pressing the button.
No. Both of those practices raise security concerns. It’s the electronic equivalent of taping a Post-It note with your password to your monitor. If you leave your device unattended, others could take advantage of your access. You should carry the Yubikey or display token with you.
No. Your token device will be associated with your account only. It cannot be shared with other users. Both devices will work for your account on any computer where you log in with your WVU username and password.

Other authentication apps will not work with WVU systems. Only Duo Mobile is compatible with systems that are behind Duo protection.

If you already have a Yubikey token, one that plugs into the USB port on your PC, you may add it as one of your device options for authentication with Duo. Directions can be found here.

Display tokens, ones that display a number when you press a button, will NOT work with Duo unless they are purchased directly from WVU. ITS will have more information on how these will be distributed later this year.

Yes. You won't be able to receive Push notifications, but if you touch the Key symbol in the Duo App, it will give you a 6-digit code to enter and get access.
No. Because we are One WVU and we use the same systems, two-factor authentication is required on all WVU campuses, including Keyser and Beckley.
Yes, but if you’re going abroad, we recommend you take a token device or print 10 one-use passcodes to take with you. View How to Generate Bypass Codes for Duo Authentication for steps to generate and use these codes. If you need assistance with other options, contact the ITS Service Desk.
Not really. Many people already use two-factor for online banking and shopping. Social media sites ask you to confirm your identity when you try to log in from a new device or location, and you may have to enter your ZIP code when you use a credit card to buy gas. That’s two-factor at work. Even the State Auditor’s Office is now offering it on the MyApps site, where you can check your pay stub.
The Duo Mobile app needs access to your camera because you have to scan a QR code to add your device to your account. You can’t complete the process without taking a picture. You also have to enable notifications because that’s how the Push service works. You enable cookies so the app remembers your device. Unlike many other apps you may use, Duo Mobile at WVU does not use location tracking. The app only uses this information to verify your identity when logging into WVU systems.

No. WVU purchased a basic version of the software that only tells us your username, the IP address used and what type of device you are using to authenticate. We see what time you authenticated and logged in, or if your attempt to authenticate failed. We don’t even know what system you’re logging into. We just know whether it worked.

We need to see the IP address that was used to be able to identify situations where someone was trying to gain fraudulent access to a student account. We can tell, for example, if a bad guy trying to log in was in Kentucky while the targeted student was in Morgantown.

We are obligated to protect students’ academic and financial information, and WVU has a privacy policy that was created specifically to respect individual privacy. It limits the collection, access, use, disclosure and storage of personal data. We put this policy in place to protect students’ information, as well as that of employees, the University and third parties with whom we do business. Duo supports that policy and helps protect that data. It does not infringe on privacy. We would never select a vendor or a product that would compromise the personal information of any student or employee.

Two-factor authentication is required for access to any WVU system that contains personal, academic, financial, medical or credit/debit card information, regardless of what role you have with WVU. It’s needed for our cyber liability insurance coverage, and it is an industry standard for any business that handles payment cards. That includes universities.

Many universities are adopting the same approach as WVU, with no exemptions for any group of people, including students. Some of those schools include: Indiana University, Baylor, Texas A&M, University of Miami, Virginia Tech, the University of Kentucky and the University of Pittsburgh.
Any system or application that displays a Central Authentication Service screen and requires you to enter your Login credentials will be behind two-factor authentication. That list is always changing but will include sensitive systems including eCampus, Portal, DegreeWorks, SEI and WVU+kc (Kuali).
At some point during the next day, you will have to re-authenticate. Every session lasts 24 hours per browser/device combination. So, if you open a secure application in a new browser, you’ll have to re-authenticate even if you’re using the same computer.
The Service Desk can always generate a one-time code, but the better alternative would be a pre-emptive approach: Duo will let you print out 10 single-use codes that won't expire until you use them. Learn how to generate codes at login.wvu.edu. If you print them out and stick them in your wallet, you'll have an emergency backup. The Duo display token is another option for a backup.

If you have a secondary authentication device such as a tablet or token set up in Duo, you can use it to authenticate and set up your new mobile phone. If you do not have a secondary device set up in Duo, there are two ways to obtain a single-use passcode to authenticate.

  1. Before you replace your phone, you can visit Login.wvu.edu and click on My Login to view your Two-Factor account options. You must authenticate to access your account settings. On the My Login page, you can click a link that will generate a set of 10 passcodes for your account. You can print this list of single-use passcodes and put them in your wallet to be used as needed. Mark out each passcode after it has been used.

  2. If you do not have any passcodes written down or printed out, you can contact the ITS Service Desk (304-293-4444) for assistance. They will ask for your WVU ID number, and then provide a passcode you can use to authenticate and set up your new device.

There are two ways you can get a passcode to authenticate if you forgot your device. You can go to Login.wvu.edu and click on My Login to see a link that will generate a set of 10 passcodes for your account. You can also contact the ITS Service Desk (304-293-4444) for assistance with accessing WVU systems if you do not have a secondary device on your account.

No, they can't. That's a violation of the University's Acceptable Use of Data and Technology Resources Policy. Duo security and WVU Login accounts are for STUDENTS AND EMPLOYEES ONLY. The appropriate way for parents or guardians to access student records is through the Parent Guest Portal at parent-guest.portal.wvu.edu.

Adding someone else's device to your account also increases the likelihood of problems when you try to log into a secure application. if someone else has already added a device to your account, please contact the Service Desk at 304-293-4444 to have it removed immediately.

The wired network at HSC will not require two-factor authentication because there are hardware controls in place for security. The locations using the wired network include:

  • Morgantown, Charleston and Eastern campuses
  • HSC managed off-site locations (CED, CPRC, ICRC, RDTP)
  • Ruby Memorial Hospital and WVUH clinics

However, two-factor is required if you connect to the HSC student or WVU.Encrypted wireless networks. This also includes the HSC instructor computers in HSC classrooms.

Also, it’s important to note that HSC employees will have to use two-factor if they connect to systems from off-site, and when they travel elsewhere on WVU campuses. Health Sciences Center employees can choose to install the Duo app on their phone or to use the Duo display token; HSC will not use the Yubikey token.

That depends. If you use the email app on your device, you’ll never need to authenticate. However, if you use the Outlook Web App on any device, you’ll have to use two-factor authentication. If you check your email via portal.wvu.edu, you’ll have to authenticate only when you log in to the portal, but not a second time to read email.
Yes. Students will be required to use two-factor in all computer labs, classrooms with computer equipment, and multi-purpose classrooms used as testing labs after Aug. 1, 2018. After reviewing all of the potential implications for teaching and learning, the Office of the Provost decided that no location will be exempted from this important security initiative. No group of employees will be exempted, either.

No. Shared email addresses, also called resource accounts, CANNOT be used for two-factor authentication. Two-factor relies on the identity of the individual to prove who he or she is. Resource accounts by nature are not tied to an individual.

If you are using a shared account to access a system that requires WVU Login credentials, you will have to change your practice and log in as an individual user. This is best practice from a security standpoint as well.

For six months, you will retain your student role in WVU systems and will need to use two-factor if you are accessing your Gmail through the Portal. However, you can avoid the Portal by going directly to mix.wvu.edu/gmail. Eventually, you’ll be removed from the Duo system.

Turn it in at either of the ITS Service Centers, located at G118 of Lyon Tower and in the Vandalia Lounge of the Mountainlair. ITS will determine who the token is assigned to and contact that person to report it has been located. We will not reassign the token to the person who finds it.

Contact ITS immediately to have the device removed from your account. You can call 304-293-4444 or go to one of the ITS Service Centers, located at G118 of Lyon Tower and in the Vandalia Lounge of the Mountainlair. We will provide a one-time code for you to log in and print out 10 more codes that will let you log in while you obtain a new device.

No. If an employee is leaving WVU, and the token was purchased with either state or Research Corp. funding, the device belongs to the University and should be returned to the supervisor. If the supervisor wants to reassign the device to another employee, he or she can make the request.

ITS won’t reassign a privately purchased display token without the explicit, in-person consent of both the owner and the person to whom the token would be reassigned. Both parties must visit an ITS Service Center and provide proof of identity.

Go to any WVU Barnes & Noble bookstore, in store or online. When shopping online, type the words “Duo Digipass” in the search box.

Yes, you must use Duo if you are accessing WVU systems.

You can still authenticate two other ways: Print out 10 passcodes and carry them with you or purchase a Duo display token to generate codes on demand.

When these 10 codes are used up, you can repeat this process and print 10 more. However, you must have a device registered to your account to generate the codes. DON’T use the Duo Mobile app to generate passcodes and write them down; those are for immediate use only. As soon as you generate a new code, the previous code expires.

Duo display tokens cost $24.98 at any WVU Barnes & Noble bookstore. If purchasing online, search for the words “Duo Digipass” in the top right search box. Call the Service Desk at 304-293-4444 if you need help.

That would be our recommendation. You can purchase tokens online if you type “Duo Digipass” in the search box on any WVU Barnes & Noble site, or you can purchase them in person on the WVU campuses.

For additional information, view the Two-Factor Authentication Instruction Guides provided by the ITS Training Group. You can also browse Duo's Common Issues page for more information.

If you need additional assistance and are able to sign into this site, visit the Duo Two-Factor Authentication Support service page to submit a ticket. If you need assistance and are unable to sign into this site because you cannot authenticate using Duo, visit the Duo Two-Factor Authentication Help (Unable to Log Into Site to Submit a Ticket) service page.

Details

Article ID: 15390
Created
Thu 7/28/16 9:20 AM
Modified
Mon 12/3/18 1:44 PM

Files (2)

pdf

PROVE its you.pdf

4/28/2017 10:10:17 AM 
mp4

Two-Factor Authentication.mp4

8/31/2018 4:22:18 PM