Multi-Factor Authentication (MFA) adds a second layer of security to help prevent anyone other than you from accessing your sensitive information online. The service UCD uses for MFA is called Duo.
MFA is mandatory on all UCD staff IT accounts.
Duo Mobile App
UCD IT Services recommends the Duo Mobile app
Faster than a phone call
No Phone Signal? No WiFi?
About the Duo Mobile App
- The Duo Mobile App is not a Mobile Device Management (MDM) tool.
- The Duo Mobile App does not track your geographic location information.
- Camera access is only required during initial setup to scan a QR code from the enrolment email.
- Data usage to receive a 'Push Verification' is less than 2kb per Push.
- Push Verification works via Wi-Fi or mobile networks.
- Installing the Duo Mobile application will take up approximately 8MB of space on your mobile device.
See the UCD IT Services Privacy Statement on Duo Mobile App
UCD IT Services recommends using the Duo Mobile app as your second-factor authentication method. The app is available to download from the app store on your device.
Installing the Duo Mobile App does not mean you have to share your mobile number. You can register your smartphone as a tablet, and you will not be required to share your mobile number.
Why 2-Step Authentication?
Your password alone is not enough to keep identity thieves from getting into your account.
You could be at risk of having your password stolen if you:
- Click the links in email messages
- Download software online
- Infrequently change your password
- Use the same password for multiple accounts
If an identity thief steals your UCD username and password, they can:
- Delete your contacts and files
- Lurk in your email account to get information about your work
- Use your account to get to your personal accounts (bank, credit card, etc.)
- Impersonate you to gain access to your contacts’ accounts
You will receive an automated email from Duo Security. The email will guide you through the enrolment process. Once you receive this email you must complete the enrolment process otherwise you will be required to do so during your next login.
MFA Second Factor Options
A hardware token is a small device you carry that generates a 6-digit passcode that you type into the multi-factor prompt. It is a battery-powered item that can be attached to your keychain and is sometimes called a key fob. Pressing a button on the token generates the passcode. No connection to the Internet is required.
Most people will not want or need a token. A smart device will be the preferred verification device to complete authentication and securely access UCD systems.
Important information about hardware tokens:
- There will be a cost of €35 per hardware token, charged directly to the School or Unit of the person requesting it.
- Hardware tokens will be issued from the IT Centre in the Daedalus Building. A staff member will be required to show a valid UCD Staff ID card in order to collect the token.
- A Hardware Token is a consumable item with an expected battery life of between 2 to 4 years. At the end of the battery life the unit must be replaced. A replacement device will incur an additional charge.
Callback and SMS Messaging:
Another option you can choose as your verification step is known as SMS message.
SMS works following a successful login with your username and password and when prompted to verify it is you, you’ll need to click on Text Me. Once you receive the text message (containing a 6 digit code) simply click on enter passcode and type in the code. And that’s it you logged in.
Another option you can choose as you second factor verification step is known as CALLBACK.
Callback works with a landline or a mobile phone. When choosing this method and following a successful login (username/password) you would select Call Me at the verification stage. Your phone will ring, you will need to answer it, listen to the recorded message and press the # on your phone keypad key to confirm the login is you. Please note the voice recording is Americanised and instructs users to press the pound key. We do not have a pound key on this side of the Atlantic, so it’s the # key for us. It’s also worth noting that the number that will be calling you will be (+353 1) 716 2700 which is the number for the IT Services Helpdesk.
How to request a Hardware Token
In cases where no other second factor authentication method will work. A user can request a hardware token. A Hardware Token is a chargeable, consumable item with a cost per token of €35. Users must first request a Hardware Token using InfoHub. As a chargeable item your request must then be approved by your Head of School/Unit.
You will receive an email confirmation that the MFA Hardware token request has been submitted, the request is automatically sent to your Head of School/Unit. You will also receive an email confirming your Head of School/Unit decision
The following guide outlines the process involved here
Do I need a smartphone or special data plan to use multi-factor authentication?
No. Having a smartphone makes for an easier and more secure experience with Duo. However, it is also possible to enrol a non-smartphone mobile device or landline to receive SMS passcodes or phone calls.
What is the Duo Mobile App?
Duo Mobile is a mobile application (app) that you install on your smartphone or tablet to generate passcodes for login or receive push notifications for easy, one-tap authentication on your mobile device. It works with Duo security’s multi-factor authentication service to make your logins more secure.
What is the recommended multi-factor authentication method?
If you have a smartphone or tablet, we recommend Duo Push, as it is quick, easy-to-use, and secure. See an introduction to Duo security and a demonstration of Duo Push in this short video: https://www.youtube.com/watch?
How much data does a Duo Push request use?
Duo Push authentication requests require a minimal amount of data -- less than 2KB per authentication. For example, it would only consume 1 megabyte (MB) of data if you were to authenticate 500 times in a given month.
Why does the Duo Mobile App need to access my camera?
Duo Mobile only accesses your camera when scanning a QR code during activation.
Why have I stopped receiving push notifications from Duo Mobile?
There are several reasons this could be happening. Please try the following to troubleshoot:
- Make sure your enroled device has a mobile network or Wi-Fi connection.
- Have the Duo Mobile App open when you authenticate.
Try these additional push troubleshooting steps:
If the above solutions don’t work, try using another authentication method, such as passcodes provided in the Duo Mobile App.
How can I authenticate if I am somewhere with no mobile signal or Wi-Fi access?
See this Duo knowledge base article for information on authenticating without mobile or internet service: https://help.duo.com/s/article/4449
Can Duo see my password?
No. Your password is only verified by UCD and never sent to Duo. Duo only provides the second factor, using your enroled device to verify it’s actually you who is logging in.
Does using Duo give up control of my device?
No. The Duo Mobile App has no access to change settings or remotely wipe your device. The visibility Duo Mobile requires is to verify the security of your device, such as OS version, device encryption status, screen lock, etc. This is used to help recommend security improvements to your device. You are always in control of whether or not you take action on these recommendations.
Duo Mobile has no more access or visibility into your phone than any other app. Duo Mobile cannot read your emails or track your location, it cannot see your browser history, and it requires your permission to send you notifications.
Does "remember me" defeat the purpose of multi-factor authentication?
No. Even if an attacker knew your username and password, they would still have to access the same physical device and use the same browser to take advantage of "remember me." The probability of this is so low that it makes “remember me” a safe and convenient addition.
Even though I check the "remember me" box, I still get challenged for 2-step authentication when I log in?
The remembered device feature works by setting cookies on your browser. That means "remember me" only works on the exact device and same browser in which you checked the box -- you have to remember all browsers on all devices that you use to not get prompted for 2-step authentication.
You can also check your browser settings to see if it's blocking cookies. You can set an exception in your browser's security settings to allow third-party cookies from Duo Security.
Duo's cookies are only used to remember a device. The cookies and associated data are never used for advertising or marketing purposes.
Use the following formats to add exceptions for Duo-served cookies:
Internet Explorer: *.duosecurity.com
Note: Safari does not allow third-party exceptions.
I don’t have access to anything that would interest anyone. Do I still need to use Duo?
Yes. You likely have access to more than you think, including information that can be of great value to attackers. If your account is compromised, it creates the opportunity to spread attacks elsewhere at UCD.
For instance, your email account could be used to spread phishing attacks to your contact list. Shared files to which you have access could be infected, so that other users who access those files could have their accounts compromised. Your account could be used to log into various University systems.
Doesn’t using Duo attract attackers, since having it suggests we possess something of value?
No. Higher Education Institutions are known to be a target for cyber criminals, particularly universities where a significant amount of research is done. Universities house a great deal of sensitive data of value to cyber criminals and, by their nature, have an open-access, decentralised environment.
If I use Duo, will “big brother” be watching me?
No. UCD's intent is to provide a safe and secure online environment.
Is there a cost associated when requesting a Hardware Token as my second factor device?
Requesting a MFA Hardware Token will incur a cost of €35 per token
What is a Hardware Token?
A hardware token is an electronic device that generates one-time passwords for logging into a computer system. A hardware token provides an extra layer of security called multi-factor authentication.
How to use the Hardware Token?
To authenticate using a hardware token, click the “Enter a Passcode” button. Press the button on your hardware token to generate a new passcode, type it into the space provided, and click “Log In” (or type the generated passcode in the Second Password field). Using the “Device:” drop-down menu to select your token is not necessary before entering the passcode.
My hardware token was lost or stolen. What do I do?
Please contact the UCD IT Helpdesk immediately in order for the hardware token to be disabled.
Who should have a Duo MFA token?
No one is required to have a Duo MFA token, and most people will not want (or need) a token. Only in special cases (e.g. where no other option can be used for MFA) should a token be used. (Note: using a smart device, phone (mobile and/or landline) are the preferred verification methods. Also please note a Hardware Token is a consumable item with a time limited battery life of between 2 to 4 years.
I’m leaving the University. Do I have to return my Duo MFA token?
Yes. If you are leaving the University, you should return your Duo MFA token to your department for re-distribution and re-use.
I do not own a smartphone or smart device. What are my options?
Users will be required to choose one second factor authentication method from the following options:
Duo Mobile App on a Smart Device (IOS, Android or Windows), Call-back or SMS to a mobile phone, Call-back to a Landline or a hardware token. You can register your mobile device as a mobile to authenticate by using a “Phone Call” or by receiving a 7-digit passcode sent by “text message” options.
My mobile number is not an Irish number. Does this matter?
You can use the Duo Mobile App on any smartphone or smart device. When registering your device, you can select your country of choice from the drop-down list.
I am unable to download the Duo Mobile App on my Apple/Android device. What can I do?
In the case of Android Devices, the Duo Mobile App can only be downloaded on devices running Android 8 or greater.
For Apple devices (iPhone, iPad, iWatch etc.) the Duo Mobile App can only be downloaded on devices running IOS 12.0 or greater.
You can register your mobile device as a mobile to authenticate by using a “Phone Call” or by receiving a 7-digit passcode sent by “text message” options.
When I receive a phone call to authenticate, it states the pound key is to be pressed?
The pound key on our keypads is the # key
Does Duo Mobile work in China?
Duo Mobile does work in China.
Most of the following issues are related to enrollment, if you've already enrolled and travelled to China The Duo Mobile App will work. But there are some considerations you should be aware of, more information can be seen on the Duo Support site here:
Duo MFA in China - https://help.duo.com/s/article/2094?language=en_US
MFA Enrolment for Android Users when in China
Android Users should note that the Google Play Store is not available in China, and SMS messages containing links will be blocked. This can make enrollment when in China a challenge and prevent Android users from being able to download the Duo Mobile application. However, you can download the Duo Mobile APK directly here: http://dl.duosecurity.com/DuoMobile-latest.apk
MFA Enrolment for iOS Users when in China
There are no commonly known issues associated with using Duo Mobile and iOS in China.
Where can I get a copy of the Webinar presentation?
Download a PDF version of the presentation here.
The following videos were used during the presentation:
1) What is Two-Factor Authentication? (2FA)
2) Getting Started with Duo Security
3) Authenticate with Duo Push on iPhone - Duo Security
I am already using DUO Mobile App from another institution.Can I use this also with my UCD account?
As you already have the Duo Mobile app installed and you are using it to access your account from another institution,you will see two accounts in the App after you enroll your device on your enrolment day for your UCD account.
One from your current institution and the other from UCD which would work independent of each other .
This would not interfere with a Push from UCD or vice versa when you use a Push from your current institution.
UCD IT ServicesComputer Centre, University College Dublin, Belfield, Dublin 4, Ireland.
Contact us via the UCD IT Support Hub: www.ucd.ie/ithelp