Duo Security Issues and Common Solutions


Overview

What is Duo Security?

Duo Security is a multi-factor authentication tool that protects your EMU account from compromise, even if your password is stolen. Much like your ATM PIN and ATM card, Duo makes use of "something you know," like your password, and "something you have," such as your phone. Even if your password is stolen, cybercriminals cannot access your Duo-protected services without access to your phone.

Additional Information

  • This article covers Duo Security Multi-Factor Authentication.
  • This article is applicable to all employees, students, alumni and contractors.
  • This article includes step by step instructions for resolving common issues/questions with

Relevant Information

Who can sign up for Duo at EMU?

All members of the EMU community, including EMU employees and student employees, are authorized to use Duo. All EMU employees and students are required to use Duo.

How do I self-register for Duo and set up my smartphone?

You can self-enroll by following these instructions:

  1. From a browser on your computer go to http://tiny.emich.edu/duodevices

  2. Enter your email address and click Next, then enter your password and click Log in.

  3. Click Next to start enrollment.

  4. Choose Duo Mobile as a verification method.

  5. On the Enter your phone number page, enter your 10-digit phone number and click Add phone number.

  6. You will be asked to verify your ownership of the number. You may choose "Send me a passcode" or "Or call my phone" to confirm. You will be prompted for the six-digit code provided via your chosen method.

  7. On the Now Download the Duo app page you will be directed to go to the App Store on your mobile device and search for Duo Mobile. Download this free app. Once it is installed, click Next.

  8. You will be presented with a QR barcode. On your mobile device, open the Duo Mobile app and click Use QR Code. Your camera will activate. Point your camera at the QR code on your computer screen. The QR code will activate and an Eastern Michigan University account will be added in your Duo Mobile app.

  9. On the Added Duo Mobile screen click continue.

  10. On the Add another way to log in? screen, you may choose to add a backup device in case you lose access to your smartphone. You will also be able to add an additional landline phone later, if desired.

  11. Next you will see a screen that says Setup is now complete. Click the button to Login with Duo.

How can I use Duo to authenticate when I do not have access to cellular or WiFi signal?

Anytime your phone doesn't have network service, the Duo app can function like a token, allowing you to log in without cellular or WiFi service. To log in using a passcode:

  1. Log in to the service with your email or NetID and password as you normally would.

  2. Open the Duo Mobile App on your smartphone or tablet.

  3. Press the key icon to the right of "Eastern Michigan University". A six-digit number will be displayed.

  4. At the Duo login prompt on your computer, click "Other options", then click the "Use Duo Mobile passcode" button, and type the six-digit code displayed in the app.

  5. Complete the login process.

How can I use Duo to authenticate to the EMU VPN when I do not have access to cellular or WiFi signal?

Anytime your phone doesn't have network service, the Duo app can function like a token, allowing you to log in without cellular or WiFi service. To log in using a passcode:

  1. Open the VPN application on your computer.

  2. Type your NetID in the username dialog.

  3. Open the Duo app on your smartphone or other device.

  4. Press the key icon to the right of "Eastern Michigan University". A six-digit code will be displayed.

  5. In the password dialog, type your password, followed by a comma and then the code from the Duo app.  e.g. mypassword,123456

  6. Click the OK button.  

What are my options for using Duo when traveling internationally?

  • Please Note: If you are traveling to Cuba, Iran, Crimea, North Korea, Syria, or Sudan, you must delete the Duo Mobile app from any devices you take with you. Additionally, you cannot take a Duo hardware token with you. Both Duo Mobile and the hardware tokens use cryptographic technology that is subject to Federal export control regulations. While in one of these embargoed countries, use a phone call or passcodes retrieved using SMS to authenticate with Duo.  Contact the Office of Research Compliance (7-3090) if you have questions.

  • The Duo Mobile app will deliver a "push" anywhere globally that one has Internet access on the device.

  • The Duo Mobile app will function as a token globally even without access to Internet service.  The app can be used to generate a code that can be typed into the Duo authentication prompt.

  • Submit a Help Desk ticket to request a Duo token device that you can use for the duration of your international travel. In the ticket, include your business need describing why you need a token. Request the token several days in advance of your departure and then return it to I.T. when you return to the U.S. so we can re-use the device for other travelers.

I can't get the Duo Mobile app from the app store in my country. How should I enroll in Duo?

You can still enroll your phone and use voice or text messages to authenticate. In the enrollment process select "Mobile phone" and then enter your phone number. Next choose "Other (and cell phones)" for the type of phone and not iPhone, Android, or Windows regardless of whether it is one of those or not.

Solutions for Common Duo Issues:

I have a new phone AND a new phone number and need to install the Duo App on my new phone.

  1. If you are transitioning from one Apple phone to another it may automatically restore from an iCloud backup in which case no additional steps will be required. If you are moving from one Android device to another and you still have your previous Android device you may be able to restore directly from that device. If these options are unavailable, continue to step two.

  2. Download the Duo Mobile app on the new phone from the App Store

  3. On a computer, go to https://tiny.emich.edu/duodevices

  4. Log in with email address and password

  5. You will be presented with your default authentication method, often a Duo push. Since this may be unavailable on your new device choose Other options, select Manage devices and select another registered device, if available (Desk phone, for example). Duo will call the device. Follow the prompts over the phone to authenticate. NOTE: If there are no devices registered, stop this procedure and instead contact the Help Desk to receive a temporary bypass code. Once past the Duo authentication, you will see your currently registered devices

  6. Click "Add a device"

  7. Follow the on screen prompts

  8. Click "Edit" next to the old phone, and select "Delete"

I have a new phone but kept my existing phone number, and I need to re-activate Duo Push.

  1. Download the Duo Mobile app on the new phone from the App Store

  2. On a computer, go to https://tiny.emich.edu/duodevices

  3. Log in with email address and password

  4. If you cannot complete the default verification, select Other options and choose an authentication method. Select one that you already have enrolled (voice call to your cell phone, for example)

  5. Complete the authentication

  6. Once past the Duo authentication, you will see a list of your registered devices

  7. Click "I have a new phone" below your cell phone

  8. Follow the on screen prompts

 

What if I request a phone call but don't receive it? 

  • Make sure your phone is not set to Do Not Disturb.

  • Check your list of blocked callers to make sure the number is not accidentally blocked. Please consult your device provider (e.g., Apple, Samsung, etc.) for instructions.

How can I order a Duo token device if I do not have a smartphone or I do not want to use the Duo App on my smartphone?

You can request a token by submitting a Help Desk ticket that includes the token request and your business need for the token.

Where can I find instructions for using a Duo Token?

Instructions for using a Duo D100 Hardware token are available as a downloadable PDF.  

What if my Duo token stops working?

If the token no longer displays numbers when the green button is pressed, please submit a help request to the Help Desk explaining the issue.

If the token still displays the number, but the code doesn't seem to work, the token may need to be reset.  If your code does not work, please try again with a different code, then again with a different code, up to four times, to resynchronize your token. Do not use the same code twice or you'll need to start over. 

How can I use Duo with VPN?

The VPN does not prompt users for Duo like most other applications. If you use the Duo App on your smartphone, the VPN login process will automatically send a push or call to your default device. If you use a token, see the next section for instructions.

How can I use a Duo token or bypass code with the Cisco AnyConnect VPN?

1.  Open the VPN application.  

2.  Type your NetID in the username dialog.

3.  In the password dialog, type your password, followed by a comma and then the code from your token or your bypass code.  e.g. mypassword,123456

4.  Click the OK button. 

How can I use a landline as my second factor with Duo when I'm using VPN?

If you only have your landline enrolled the VPN will use it by default.

If you have a mobile phone with Duo push, it will be preferred automatically over the landline. If you want to use your landline instead, you can append the device after your password when logging into the VPN. Usually this would be phone2, so input password,phone2 (with the comma and without spaces) to receive a voice call.

Alternatively, you could temporarily unenroll your smartphone and re-enroll it later when you have it available.

Can I "opt-out" of using Duo?

No.  All EMU employees and students are required to enroll in Duo Security.  

I don't always have my phone / device with me.

We suggest that you enroll as many devices as you wish. You can enroll your phones, tablets and even security tokens so that you have a high probability of having at least one of those devices available for authentication when needed.

If you have any other questions about Duo, submit a Service Request and we will be happy to assist you.

General documentation is available on the Duo web site at: https://guide.duosecurity.com/