Duo - NetID Two-Factor Authentication

Table of Contents

Duo NetID Two-Factor Authentication

Duo NetID Two-Factor Authentication is required for all NetID accounts that access Texas A&M University computing resources. Duo provides an additional layer of security for your NetID account and Texas A&M computer systems. If you have any questions about Duo, contact Help Desk Central at helpdesk@tamu.edu or 979.845.8300.

Using Duo Two-Factor Authentication

Default authentication method

When you log into a resource that requires two-factor authentication, you will need to authenticate with Duo. In most cases, this will be an interstitial screen asking you to authenticate via one of the authentication methods you have set up through https://duo.tamu.edu/. The first time you need to authenticate with Duo on a specific device and web browser, you will be prompted to authenticate using the most secure method you have set up. However, you can select one of the other methods if you prefer. Once you authenticate using a specific method, that method will become the default method you will be asked to use in that browser on that particular device.

Default authentication method - Security Key

Trusting your browser

After you authenticate via Duo, you will be given a screen asking if you want to trust your browser. If you select Yes, trust this browser, you will not be asked to authenticate via Duo for 5 days. if you select No, do not trust browser, you will need to authenticate via Duo the next time you log into a system that requires Duo authentication.

Option to trust your browser

Selecting a different authentication method

If you need or want to change your default authentication method, you can do so at the Duo prompt by clicking the Other Options link in the authentication window. This link will not initially be visible if you are being prompted to authenticate with a Security Key. If you are prompted to authenticate with a security key and want to use a different method, click Cancel in the window instructing you to connect and authorize one now. You will then be able to click the Other Options link.

Other Duo authentication methods.

Other authentication options

If you click the Other Options link to authenticate with a method other than the one you are being prompted for, you will see a list of authentication methods. The specific list of methods displayed is dependent on the authentication methods you have configured at https://duo.tamu.edu. Some options that may be available include:

  • Touch ID - If you use a MacBook Pro, MacBook Air, or Magic Keyboard with a Touch ID button AND have a fingerprint enrolled in Touch ID AND have Touch ID configured as an authentication method within Duo, you can use Touch ID for Duo authentication.

    Touch ID prompt
     
  • Security Key - A YubiKey security key tied to your account.

    Security Key Prompt
     
  • Duo Mobile Push - A push notification to a mobile device with the Duo Mobile App installed.

    Duo Push Prompt
     
  • YubiKey passcode - A One-Time Passcode generated by a YubiKey tied to your account.

    YubiKey Passcode prompt
     
  • Duo Mobile passcode - A passcode generated by the Duo Mobile app on your smartphone.

    Duo Mobile passcode prompt
     
  • Hardware token passcode - A passcode generated by a Duo Hardware token.

    hardware token passcode prompt
     
  • SMS passcode - A passcode sent to your phone via SMS text message.

    SMS passcode prompt
     
  • Phone call approval - A phone call from Duo to the phone number you have listed for Duo authentication.

    Phone call authentication prompt
     
  • Bypass code - A code generated by Help Desk Central after a visual verification of identity.

    Bypass code prompt
     

General Questions

What is two-factor authentication? 

Two-factor authentication uses two independent means of evidence (factors) to verify the identity of a user. The objective of two-factor authentication, as a method of electronic computer authentication, is to decrease the probability that the requestor is not who he/she claims to be (i.e., providing false evidence of his/her identity.) Two-factor authentication is achieved by a combination of any two of the three "Somethings" below:

  • Something you know
    • Personal Identification Number (PIN)
    • Password
  • Something you have
    • Smartphone
    • Token
    • ID Badge / Smart card
  • Something you are
    • Fingerprint
    • Retinal Scan
    • Voice Pattern
    • Typing Cadence

Note that the use of a password in combination with a PIN, for example, is NOT considered two-factor authentication because both pieces of information involve a single factor - something you know.

Two-factor authentication has been in use for quite a long time. Any person who has used an ATM machine has used two-factor authentication - you had to provide something you had (a card) and something you know (a PIN) in order to complete the transaction.

Is Duo required for VPN?

Yes. Duo is required to connect to the Texas A&M Virtual Private Network (VPN).

What is the difference between two-factor and multi-factor authentication?

The subtle difference is that while two-factor authentication uses exactly two factors to assert the identity of a user, multi-factor authentication uses two or more factors to assert identity. In essence, two-factor authentication is a subset of multi-factor authentication. An example of multi-factor authentication would be the requirement to insert a smart-card (something you have) into a smart-card reader, enter a PIN (something you know), and provide a valid fingerprint (something you are) provided via a biometric fingerprint reader. This example uses three factors to assert the identity of a user.

What is the Duo  solution? 

Two-factor authentication is a cloud-based second-factor authentication with no software to install and no server to set up. Duo has patented technology and drop-in integrations to enable IT customers to easily integrate Duo into an existing application login workflow. See Duo Security for more information. The Duo model primarily relies on smartphones to be the device in the user's possession. Most users will like the ease and convenience of using phones to verify their identity.

Who is required to use the service? 

All Texas A&M faculty, staff, students, and designated affiliates are required to use Duo.

What data is stored by Duo? 

The only data that Duo stores for a user is the subscriber's NetID (Duo does NOT know your NetID password) and information about your second factor, such as a phone number (if using a phone for the service) or the serial number of your hardware token (if not using a phone for the service).

What if I lose my phone? 

If your phone is lost or stolen, contact your service administrator immediately so they can disable the two-factor Authentication. Once your phone is found or replaced, you can reactivate Duo on the new phone using these directions. We recommend enrolling a backup device to avoid complications during scenarios such as this.

Remember: Duo will continue to protect your account even if your phone is lost and two-factor authentication is disabled on the phone. If you are unable to log into your account because of this, call Help Desk Central at (979) 845-8300 or visit them in the Computing Services Center, room CS00.

What if I get a new phone? 

If you have a new phone but your phone number has not changed, you will still be able to authenticate using the Call Me method. You can reactivate the Duo app on your new device by following these directions. If your phone number has changed, or if you otherwise cannot receive phone calls, you will need to contact Help Desk Central at (979) 845-8300 or at help.tamu.edu. You can also make an appointment to visit them in person at the Computing Services Complex, room CS00. 

Can I use two-factor authentication with third-party accounts, such as Google, Drop-Box, etc.?

Yes. If you're using a smartphone for the service, then the Duo App can integrate with some third-party accounts. See Duo's Third-Party Accounts page for more information.

When should I use the "Remember me for 5 days" feature?

We recommend never using the "Remember me for 5 days" feature on a shared computer. You may use it on computers for which you are the sole user as long as you take responsibility for the security of access to that machine.

Using two-factor with Your Phone

Do I need a smartphone to use Duo NetID Two-factor Authentication? 

A smartphone is the best choice since it provides the greatest level of security and allows you to use the Duo Mobile App. The app generates passcodes for logins and can receive push notifications for easy, one-tap authentication.

Having said that, a smartphone is not required to use the service.

I don't have a smartphone. Will I be able to use Duo on my regular cell phone? 

Yes, any cell phone will work, but it will not include the advantages of the app (passcodes, prompts, etc.) and may result in regular cell phone charges in order to call back and authenticate (depending on the user's phone service), as well as incur costs to the university.

Can I use a landline at my office instead of my personal phone?

Yes, you may use a landline instead of a mobile device. However,

  • You need to take into consideration the stationary nature of a landline. Even if you work almost exclusively at your desk in your office where the landline is located, you might on rare occasions need to have access to your Texas A&M protected services from home or from a remote location (such as an annual conference).
  • Use of a landline incurs a cost to the university.

 What if I prefer to not use my phone at all? Can I still use two-factor authentication? 

First, using Duo on your phone is perfectly safe, and a smartphone is the preferred device to use for a number of reasons (app being available, calling prompts, one less "thing" to carry around and keep track of, etc.) In other words, a phone (especially a smartphone) is the preferred method.

Having said that, a hardware token is available for use instead of a phone.

Can I use multiple phones, or am I restricted to one phone? 

You can set up Duo NetID Two-Factor Authentication on multiple mobile devices (phones, tablets, etc.).

Does it cost me anything to use the service via my phone? If so, will I be reimbursed by Texas A&M? 

Text messages and voice calls are sent only when you request them, and are billed by your carrier in the same way as other text messages or calls would. Texas A&M will not reimburse you for these charges. If the charges when using Duo exceed a level that you're comfortable with, consider switching to a hardware token rather than a cell phone for the service.

Can I change to a different phone with a different number after I have the service? 

Yes, you can change to a different phone with a different number. You will need to reactivate Duo on the new device, and if it's a different type of device (for example, if you're going from Android to iPhone), then you will need to make sure that you select the new phone type before reactivating.

What does the Duo App access on my phone? 

The app requests access to the camera to scan the QR code during the activation process. It does not access your other apps or other data on your phone; it uses some base functionality of the phone and a certificate that identifies your phone to ensure accurate identification.

I'm often in a location where I have poor cell coverage. How can I use the service? 

In cases where cell coverage is not available, or a smart phone is not allowed, you will need to use a Duo Hardware Token to generate a one-time passcode. Duo Hardware Tokens can be purchased at http://itselfservice.tamu.edu/ and picked up at Help Desk Central in the Computing Services Center, Room CS00.

Yubikey Tokens

What is a token? 

A physical device that can usually fit on a key ring, which generates a security code for use with networks or software applications.

Who must have a Yubikey token? 

No one is REQUIRED to have a Yubikey token. In fact, most people will not have a Yubikey token because using a phone is the easiest way to use the service when accessing web applications.

For system administrators who need to log into servers regularly, the Yubikey token is beneficial since it only requires a single touch to complete the second factor authentication step.

How do Yubikey tokens work? 

A security token generates a different series of letters or digits each time it's used, which have to be entered as part of the authentication process to prove that you have it. This, in addition to a traditional username and password, adds a second factor of security.

With a Yubikey token, the device is inserted into a USB drive on the computer. The user touches a gold contact to generate a code, which is automatically transmitted to complete the second factor authentication step.

How are Yubikey tokens distributed?

Yubikey tokens are purchased through the Texas A&M Software Center. The customer picks up the token at Help Desk Central.

How are YubiKey tokens paid for?

Students, faculty, and staff can purchase a personal YubiKey at https://software.tamu.edu/. Payment for this type of purchase must be made from personal funds and not from a Texas A&M University account.

Departments can purchase YubiKeys for their employees via the software catalog at https://itselfservice.tamu.edu/. These purchases must be paid for using a TAMU account.

Accessibility

Are there any accessible options available? 

Some accessibility problems can be addressed by the phone itself; however, if someone has an accessibility problem that cannot be resolved by using the service with a phone, then there are accessibility options available. Please contact Help Desk Central for more information.

What do I enter for a mobile phone that's not a smartphone when I'm enrolling for the service? 

Whenever you're using a cell phone that's not a smartphone, select "Other" as type.

Troubleshooting

I'm trying to log into Duo two-factor authentication on my phone, but it tells me I can't. What should I do? 

If this is the first time you've used the service on this particular phone, then make sure the enrollment process has been completed and then try again.

If you've used the service on this phone before and cannot login, then make sure that phone is not locked. If it is unlocked, then you may need to restart the mobile device and try again.

Make sure you're using the correct mobile device. If you're using a new device (even if you have the same phone number), then reactivate Duo Mobile for the new device. (If you're changing types of phone, such as going from an Android to an iPhone, then select the new type of phone before reactivating.)

If the service is still not working, contact Help Desk Central.

I'm using a hardware token, and it's not working. What should I do? 

If you are using a hardware token and it's not working, then try to re-sync the token. Call Help Desk Central for assistance with that process.

Why have I have stopped receiving push notifications on Duo Mobile? 

If you have stopped receiving push notifications, check your network connection. It may help to place your phone in and out of airplane mode. If there is not a network problem, then request a re-activation of the service from Help Desk Central.

 

If you have any further questions, email helpdesk@tamu.edu or call us at (979) 845-8300.

Was this helpful?
0 reviews
Print Article

Details

Article ID: 364
Created
Thu 5/2/24 9:56 AM
Modified
Mon 6/24/24 3:36 PM

Related Services / Offerings (1)

Duo Multi Factor Authentication
The "Duo Multi Factor Authentication" Service offering allows incidents for managing and troubleshooting Duo MFA as well as requests for help setting up Duo MDA.