Multi-factor authentication

As part of our Digital Transformation initiative and in order to enhance UCD account security, IT Services are rolling out multi-factor authentication (MFA) using Duo.

MFA offers an extra layer of account security which requires you to verify your identity when you log in. As well as your username and password, MFA requires that you have an authentication device such as a mobile phone or tablet allowing you to respond with a tap or a code as you log in.

MFA has already been enabled on staff accounts in a number of UCD Units and will soon be rolled out to the wider UCD Community. MFA currently protects access to Google Workspace applications (Gmail, Google Drive, Google Calendar etc.), Tableau, CoreESS and exams manager.

This website provides information on MFA, its benefits, FAQs and supporting documentation. If you require additional information or support, please contact us via the IT Support Hub (https://www.ucd.ie/ithelp).

What is Duo?

Duo has been chosen as the multi-factor authentication (MFA) solution for UCD. The system will make it more difficult for hackers to access your UCD IT account. Even if someone has your password, they will need a “second factor” to gain access to your account. Check out this short video to learn more.

Why Do I Need This?

Passwords are increasingly easy to compromise. They can often be stolen, guessed, or hacked — you might not even know someone is accessing your account. Multi-factor authentication adds a second layer of security, keeping your account secure even if your password is compromised. With Duo Push, you will be alerted right away (on your phone) if someone is trying to log in as you.

This second factor of authentication is separate and independent from your username and password — Duo never sees your password.

MFA is an essential service to help safeguard access to critical systems or systems storing sensitive and research data. MFA provides stronger assurance that your information is only accessible to the intended people, and that UCD systems and services remain highly available.

Why 2-step authentication?

Your password alone is not enough to keep identity thieves from getting into your account.

You could be at risk of having your password stolen if you:

  • Click the links in email messages
  • Download software online
  • Infrequently change your password
  • Use the same password for multiple accounts

If an identity thief steals your UCD username and password, they can:

  • Delete your contacts and files
  • Lurk in your email account to get information about your work
  • Use your account to get to your personal accounts (bank, credit card, etc.)
  • Impersonate you to gain access to your contacts’ accounts

Duo Mobile App

Duo Mobile App FAQs:

  • The Duo Mobile App is not a Mobile Device Management (MDM) tool.
  • The Duo Mobile App does not track your geographic location information.
  • Camera access is only required during initial setup to scan a QR code from the enrolment email.
  • Data usage to receive a 'Push Verification' is less than 2kb per Push.
  • Push Verification works via Wi-Fi or mobile networks.
  • Installing the Duo Mobile application will take up approximately 8MB of space on your mobile device.

UCD IT Services Privacy Statement on Duo Mobile App

IT Services recommends using the Duo mobile app as your second-factor authentication method. The app is available to download from the app store on your device.

Please Note:

Installing the Duo Mobile App does not mean you have to share your mobile number. You can register your smartphone as a tablet, and you will not be required to share your mobile number.

Supported Devices

Enrolment process

You will receive an automated email from Duo Security. The email will guide you through the enrolment process. Once you receive this email, you must complete the enrolment process; otherwise you will be required to do so during your next login.

Duo enrolment guide

Add a second device

MFA Second Factor Options

Hardware Token:

A hardware token is a small device you carry that generates a 6-digit passcode that you type into the multi-factor prompt. It is a battery-powered item that can be attached to your keychain and is sometimes called a key fob. Pressing a button on the token generates the passcode. No connection to the Internet is required.

Most people will not want or need a token. A smart device will be the preferred verification device to complete authentication and securely access UCD systems.

Important information about hardware tokens:  

  • There will be a cost of €35 per hardware token, charged directly to the School or Unit of the person requesting it.
  • Hardware tokens will be issued from the IT Centre in the Daedalus Building. A staff member will be required to show a valid UCD Staff ID card in order to collect the token.
  • A Hardware Token is a consumable item with an expected battery life of between 2 and 4 years. At the end of the battery life the unit must be replaced. A replacement device will incur an additional charge.

Please Note

At present, as our IT Centre is closed due to Level 5 Restrictions (of the Plan for Living with COVID-19), we are unable to issue any hardware tokens until our IT Centre can reopen safely.

Callback and SMS Messaging:

Another option you can choose as your verification step is an SMS message.

SMS works as follows: after a successful login with your username and password, when prompted to verify it is you, click on Text Me. Once you receive the text message (containing a 6-digit code), click on Enter Passcode and type in the code. That's it, you are logged in.

Another option you can choose as your second-factor verification step is known as Callback.

Callback works with a landline or a mobile phone. When choosing this method, following a successful login (username/password), you select Call Me at the verification stage. Your phone will ring; answer it, listen to the recorded message and press the # key on your phone keypad to confirm the login is you. Please note the voice recording is Americanised and instructs users to press the pound key. We do not have a pound key on this side of the Atlantic, so it’s the # key for us. It’s also worth noting that the number calling you will be (+353 1) 716 2700, which is the number for the IT Services Helpdesk.

Hardware Token

How to request a Hardware Token

In cases where no other second-factor authentication method will work, a user can request a hardware token. A Hardware Token is a chargeable, consumable item with a cost per token of €35. Users must first request a Hardware Token using InfoHub. As it is a chargeable item, your request must then be approved by your Head of School/Unit.

You will receive an email confirmation that the MFA Hardware Token request has been submitted; the request is automatically sent to your Head of School/Unit. You will also receive an email confirming your Head of School/Unit's decision.

The following guide outlines the process involved here

Frequently Asked Questions

Do I need a smartphone or special data plan to use multi-factor authentication?

No. Having a smartphone makes for an easier and more secure experience with Duo. However, it is also possible to enrol a non-smartphone mobile device or landline to receive SMS passcodes or phone calls.

What is the Duo Mobile App?

Duo Mobile is a mobile application (app) that you install on your smartphone or tablet to generate passcodes for login or receive push notifications for easy, one-tap authentication on your mobile device. It works with Duo Security’s multi-factor authentication service to make your logins more secure.

What is the recommended multi-factor authentication method?

If you have a smartphone or tablet, we recommend Duo Push, as it is quick, easy-to-use, and secure. See an introduction to Duo security and a demonstration of Duo Push in this short video: https://www.youtube.com/watch?v=_T_sJXnSM98

How much data does a Duo Push request use?

Duo Push authentication requests require a minimal amount of data -- less than 2KB per authentication. For example, it would only consume 1 megabyte (MB) of data if you were to authenticate 500 times in a given month. 

Why does the Duo Mobile App need to access my camera?

Duo Mobile only accesses your camera when scanning a QR code during activation. 

Why have I stopped receiving push notifications from Duo Mobile?

There are several reasons this could be happening. Please try the following to troubleshoot:

- Make sure your enrolled device has a mobile network or Wi-Fi connection.

- Have the Duo Mobile App open when you authenticate.

Try these additional push troubleshooting steps:

iPhone: https://help.duo.com/s/article/2051

Android: https://help.duo.com/s/article/2050

If the above solutions don’t work, try using another authentication method, such as passcodes provided in the Duo Mobile App.

How can I authenticate if I am somewhere with no mobile signal or Wi-Fi access?

See this Duo knowledge base article for information on authenticating without mobile or internet service: https://help.duo.com/s/article/4449

Can Duo see my password?

No. Your password is only verified by UCD and never sent to Duo. Duo only provides the second factor, using your enrolled device to verify it’s actually you who is logging in.

Does using Duo give up control of my device?

No. The Duo Mobile App has no access to change settings or remotely wipe your device. The visibility Duo Mobile requires is to verify the security of your device, such as OS version, device encryption status, screen lock, etc. This is used to help recommend security improvements to your device. You are always in control of whether or not you take action on these recommendations.

Duo Mobile has no more access or visibility into your phone than any other app. Duo Mobile cannot read your emails or track your location, it cannot see your browser history, and it requires your permission to send you notifications. 

Does "remember me" defeat the purpose of multi-factor authentication?

No. Even if an attacker knew your username and password, they would still have to access the same physical device and use the same browser to take advantage of "remember me." The probability of this is so low that it makes “remember me” a safe and convenient addition.

Even though I check the "remember me" box, I still get challenged for 2-step authentication when I log in?

The remembered device feature works by setting cookies in your browser. That means "remember me" only works on the exact device and browser in which you checked the box -- to avoid being prompted for 2-step authentication, you have to check "remember me" in every browser on every device that you use.

You can also check your browser settings to see if it's blocking cookies. You can set an exception in your browser's security settings to allow third-party cookies from Duo Security.

Duo's cookies are only used to remember a device. The cookies and associated data are never used for advertising or marketing purposes.

Use the following formats to add exceptions for Duo-served cookies:

Internet Explorer: *.duosecurity.com

Firefox: https://duosecurity.com

Chrome: [*.]duosecurity.com

Note: Safari does not allow third-party exceptions.

I don’t have access to anything that would interest anyone. Do I still need to use Duo? 

Yes. You likely have access to more than you think, including information that can be of great value to attackers. If your account is compromised, it creates the opportunity to spread attacks elsewhere at UCD.

For instance, your email account could be used to spread phishing attacks to your contact list. Shared files to which you have access could be infected, so that other users who access those files could have their accounts compromised. Your account could be used to log into various University systems.

Doesn’t using Duo attract attackers, since having it suggests we possess something of value? 

No. Higher Education Institutions are known to be a target for cyber criminals, particularly universities where a significant amount of research is done. Universities house a great deal of sensitive data of value to cyber criminals and, by their nature, have an open-access, decentralised environment.

If I use Duo, will “big brother” be watching me? 

No. UCD's intent is to provide a safe and secure online environment.

Is there a cost associated when requesting a Hardware Token as my second factor device?

Requesting an MFA Hardware Token will incur a cost of €35 per token.

What is a Hardware Token?

A hardware token is an electronic device that generates one-time passwords for logging into a computer system. A hardware token provides an extra layer of security called multi-factor authentication.

How to use the Hardware Token?

To authenticate using a hardware token, click the “Enter a Passcode” button. Press the button on your hardware token to generate a new passcode, type it into the space provided, and click “Log In” (or type the generated passcode in the Second Password field). Using the “Device:” drop-down menu to select your token is not necessary before entering the passcode.

My hardware token was lost or stolen. What do I do?  

Please contact the UCD IT Helpdesk immediately on 01 7162700, or alternatively by email at ithelpdesk@ucd.ie, so that the hardware token can be disabled.

Who should have a Duo MFA token?

No one is required to have a Duo MFA token, and most people will not want (or need) a token. Only in special cases (e.g. where no other option can be used for MFA) should a token be used. Note: a smart device or a phone (mobile and/or landline) are the preferred verification methods. Please also note that a Hardware Token is a consumable item with a time-limited battery life of between 2 and 4 years.

I’m leaving the University. Do I have to return my Duo MFA token?

Yes. If you are leaving the University, you should return your Duo MFA token to your department for re-distribution and re-use.

I do not own a smartphone or smart device. What are my options?

Users will be required to choose one second factor authentication method from the following options:

Duo Mobile App on a Smart Device (iOS, Android or Windows), Call-back or SMS to a mobile phone, Call-back to a Landline, or a hardware token. You can register your mobile device as a mobile and authenticate using the “Phone Call” option or by receiving a 7-digit passcode via the “text message” option.

My mobile number is not an Irish number. Does this matter?

You can use the Duo Mobile App on any smartphone or smart device. When registering your device, you can select your country of choice from the drop-down list.

I am unable to download the Duo Mobile App on my Apple/Android device. What can I do?

In the case of Android Devices, the Duo Mobile App can only be downloaded on devices running Android 8 or greater.

For Apple devices (iPhone, iPad, iWatch etc.) the Duo Mobile App can only be downloaded on devices running iOS 12.0 or greater.

You can register your mobile device as a mobile and authenticate using the “Phone Call” option or by receiving a 7-digit passcode via the “text message” option.

When I receive a phone call to authenticate, it states the pound key is to be pressed?

The pound key on our keypads is the # key.

Does Duo Mobile work in China?

Duo Mobile does work in China.

Most of the following issues are related to enrolment; if you have already enrolled and travelled to China, the Duo Mobile App will work. There are, however, some considerations you should be aware of. More information is available on the Duo Support site here:

Duo MFA in China - https://help.duo.com/s/article/2094?language=en_US

MFA Enrolment for Android Users when in China
Android users should note that the Google Play Store is not available in China, and SMS messages containing links will be blocked. This can make enrolment when in China a challenge and prevent Android users from being able to download the Duo Mobile application. However, you can download the Duo Mobile APK directly here: http://dl.duosecurity.com/DuoMobile-latest.apk

MFA Enrolment for iOS Users when in China
There are no commonly known issues associated with using Duo Mobile and iOS in China.

Where can I get a copy of the Webinar presentation?

Download a PDF version of the presentation here.

The following videos were used during the presentation:

1) What is Two-Factor Authentication? (2FA)
https://www.youtube.com/watch?v=0mvCeNsTa1g&feature=youtu.be

2) Getting Started with Duo Security
https://www.youtube.com/watch?v=HDU35vn0SS0&feature=youtu.be

3) Authenticate with Duo Push on iPhone - Duo Security
https://www.youtube.com/watch?v=rv12VryxlcE&feature=youtu.be

I am already using the Duo Mobile App from another institution. Can I also use it with my UCD account?

As you already have the Duo Mobile App installed and are using it to access your account from another institution, you will see two accounts in the App after you enrol your device on your enrolment day for your UCD account: one from your current institution and the other from UCD. These work independently of each other. This will not interfere with a Push from UCD, or vice versa when you use a Push from your current institution.

Project Information and Timelines

Phase 1 Proof of Concept - August 2019 to September 2019 (Complete)

Phase 2 IT Services Staff Pilot - November 2019 to March 2020 (Complete)

Phase 3 Extended Pilot outside IT Services - May 2020 to August 2020 (Complete)

Phase 4 Full Deployment - beginning January 2021. Schedule below:

College/Unit                                   Rollout Date
Academic Affairs                               28/01/2021
College of Arts and Humanities                 11/02/2021
College of Business                            25/02/2021
College of Engineering and Architecture        11/03/2021
College of Health and Agricultural Sciences    25/03/2021
College of Sciences                            08/04/2021
College of Sciences and Law                    22/04/2021
Misc                                           06/05/2021