Summary
Two-factor authentication is available for active faculty, staff and students at Single Sign-on, and is required for a variety of systems including Human Capital Management (HCM), Financials (FIN) and Virtual Private Network (VPN) system log-ins.
Two-factor authentication enhances the security of your account by using a secondary device to verify your identity. This prevents anyone but you from accessing your account, even if they know your password.
Body
Two-factor authentication is available for active faculty, staff and students at Single Sign-on, and is required for a variety of systems including Human Capital Management (HCM), Financials (FIN) and Virtual Private Network (VPN) system log-ins.
Two-factor authentication enhances the security of your account by using a secondary device to verify your identity. This prevents anyone but you from accessing your account, even if they know your password.
Access the Service
Self enrollment is available via multiple methods. Information Security recommends all users enroll the following two devices:
- Smartphone using the mobile application for iOS or Android
- Desk phone (landline) using the voice call method
IMPORTANT UTech Information Security recommends you use your desk phone as a backup in the case that a mobile phone is lost, stolen or damaged.
However, CWRU Duo lets you link multiple devices to your account, and you may use any combination of compatible devices to secure it.
Applications That Support DUO
You can use the table below to see if an application uses a Duo authentication method you have set up, or if you may need to use an additional method for specific applications.
If an application you use does not support an authentication method you have set up, you will need to set up a supported device for authentication. Visit the Enroll an Authentication Device section below for instructions on enrolling the new device.
Applications that Support Duo
Authentication Method |
DuoPush |
PassCode |
Duo Token |
Phone Call |
SMS |
YubiKey |
Gmail / GSuite |
X |
X |
X |
X |
X |
X |
MyApps |
X |
X |
X |
|
|
X |
Qualtrics |
X |
X |
X |
|
|
X |
VPN |
X |
X |
X |
X |
X |
|
HCM |
X |
X |
X |
X |
X |
X |
SIS |
X |
X |
X |
X |
X |
X |
Enroll an Authentication Device in DUO Security
CWRU Duo supports a range of electronic devices including:
- iOS smartphones and tablets
- Android smartphones and tablets
- Basic cell phones with and without text message/SMS capabilities
- Landlines
- Duo tokens and other hardware tokens
- Security keys (e.g. FIDO2, WebAuthn, YubiKey)
The table below illustrates what authentication methods are supported by which device. This may help you decide which devices you want to enroll in Duo.
Devices and Authentication Methods
Device |
DuoPush |
Passcode |
Voice Call |
SMS |
U2F |
Smartphone |
X |
X |
X |
X |
|
Basic Cell Phone |
|
|
X |
X |
|
Landline |
|
|
X |
|
|
Tablet |
X |
X |
|
|
|
Duo Token |
|
X |
|
|
|
YubiKey |
|
|
|
|
X |
Common Issues/Questions
What is two-factor authentication?
- Two-factor authentication provides added security by prompting you to enter a unique code at sign in, in addition to your password. The unique code, generated by your phone, is used only once. You can prompt the code from a device of your choosing (typically your smartphone). Using the Duo Mobile smartphone app (for iOS, Android) is the simplest and preferred method for obtaining the second-factor codes, but tokens and other methods are available.
Why do I need to use Duo?
- Theft of Credentials is Common!
- A user can be tricked into giving away their Network ID and passphrases through a malicious email or phishing or other online scams (View phishing examples here).
- Many people reuse passwords or passphrases on other websites (Amazon; LinkedIn). If compromised, attackers often publish or sell the passphrases (infosecurity-magazine.com/news/linkedin-breach-weak-passwords).
- A user shares their Network ID and/or password (in violation of CWRU policy) with someone else.
- A user logs in from an infected computer where attackers continue to run and record keystrokes of the users' passwords and/or passphrases (Keylogger).
How do I use Duo for Webmail, HCM, MyApps, and other websites?
- Authenticating with Duo for websites is virtually the same across the website, the only difference being how you authenticate. Learn how to authenticate to a website with your supported device on Duo’s website.
Note: These external links are unaffiliated with CWRU. If they are not working, please notify us at security@case.edu
- Duo Push iOS
- Duo Push Android
- Duo Passcodes iOS
- Duo Passcodes Android
- Duo Phone Calls and SMS
- Duo Token
- YubiKey
Why is the enrollment page telling me I logged in?
- If you have already logged in with Duo on your browser session (for example, to access your email, HCM, or MyApps), the enrollment app will see that you are logged in and redirect you to a success message. This behavior, verifying that your Duo authentication method is working properly, is normal for this app, and is vital for many users to understand that they have successfully used Duo.
Why can't I get to the Add a New Device page?
- If you logged in to an application that uses Duo (such as webmail, HCM, MyApps, etc), and you selected the Remember Me for 120 Hours option, the enrollment app will only be able to log you in.
- In order to Add a new device (or change a device), open an Incognito browser session in either Google Chrome or Firefox and proceed to the enrollment page. Do not select Remember Me for 120 Hours when signing in.
- To open an Incognito session in Chrome, open Chrome and use the keyboard shortcut Ctrl + Shift + N.
- To open an incognito/private session in Firefox, open Firefox and use the keyboard shortcut Ctrl + Shift + P.
I have stopped receiving Push notifications on Duo mobile.
- You may have trouble receiving push requests if there are network issues between your phone and Duo. Many phones have trouble determining whether to use the WiFi or cellular data channel when checking for push requests.[1]
-
Try turning your phone on airplane mode for a few seconds, then turning off airplane mode.
-
Try turning off WiFi on your phone and requesting the code using cellular data.
-
Check the time and date on your phone and make sure they are correct. If the date and time on your phone are manually set, try changing your device's configuration to sync date and time automatically with the network.
-
iOS users can run a troubleshooting tool from within Duo Mobile version 3.32.0 or later. To run the tool:
-
Open the Duo Mobile app on your iOS device and tap the Edit button in the top left of the accounts list screen, then tap the name of the account for you aren't receiving push requests.
-
Next, tap the Get Started button in the "Missing Notifications?" section of the the "Account Details" screen.
-
Duo Mobile performs the test. If any step fails, you'll receive further troubleshooting suggestions. After taking the suggested actions, tap *Run test again* to retry.
My Duo token is not working anymore.
- Your Duo token can get out of sync if it is pressed too many times in a row and the codes aren’t used for login.[1] If your Duo token is out of sync, call the UTech Service Desk at 216-368-HELP(4357) or through this page to have them resync your token.
Is there a difference between a Duo token and a Yubikey?
- Duo tokens and YubiKeys are terms used interchangeably around campus, but this is incorrect as they are fundamentally different devices. Duo tokens are hardware devices that are from Duo (and provided to you by the university) that generate one-time use passcodes. There is no need to plug a Duo token in a computer to use it, and there is no need to hold it close to your computer or phone to generate a passcode.
- YubiKeys (also called security keys, FIDO keys, or universal two-factor (U2F) keys) are devices that you purchase that must be plugged into the device you are authenticating on. Usually, you must also press down on a gold part of the YubiKey to complete authentication. They can also be held close to the device so it can be scanned, as in the case of a cell phone. There are no passcodes generated with YubiKeys.
Device Name |
Authentication Method |
How to Obtain |
Duo Token |
Passcode (6 random numbers) |
Contact the UTech Service Desk and request one; pick up at CARE Center in Lower Level KSL |
YubiKey |
Plug into computer and touch blinking metal contact point; For NFC, hold close to cell phone or tablet |
Purchase on your own from a trusted vendor |
Duo Token:
YubiKey
How do I get a Duo token?
- All CWRU employees and students can request their first Duo token for free by contacting the UTech Service Desk. The UTech Service Desk will assign you a Duo token and enroll it under your account. Once a token has been assigned to you, you can pick it up from the [U]Tech CARE Center in the Kelvin Smith Library. You can then use the Duo token to generate secure passcodes.
What should I do with my Duo token when I leave the University?
- If you are no longer using your case.edu email or will not have access to your case.edu email, simply return the Duo token to the [U]Tech CARE Center in the Lower Level of Kelvin Smith Library.
- If you will have continued access to your case.edu (as a student or alumni), you can continue using your Duo token, or you can enroll a new device that you own, such as a smartphone, tablet, basic cellphone, landline, or YubiKey. If you are enrolling a new device and do not wish to have your token, you can return the Duo token to the [U]Tech CARE Center in the Lower Level of Kelvin Smith Library.