Duo logo

Duo MFA Enrollment & Usage Guide

TABLE OF CONTENTS

INTRODUCTION

What is Multi-factor Authentication (MFA)?

Multi-factor Authentication, or “MFA” for short, is a process that protects an account by using different “factors” or types of authentication in an account login process. The common factors are “something you know” (i.e. an account password), “something you have” (i.e. a device like a cell phone), and “something you are” (i.e. a fingerprint).

Your NetID password is the first factor when logging into an application or service. However, passwords are often deficient for a variety of reasons. So by introducing a second authentication factor, we are able to help you protect your account and University resources at the same time. When logging into an MFA enabled service, you must have your additional factor available to you.

Currently, only select campus applications and services require MFA. However, in the future many more, particularly those that house sensitive data, will also require it.

What is Duo?

Duo is the cloud based service currently being used to facilitate the “something you have” factor in our MFA process.

Before you can use Duo you will need to register at least one device with the Duo service. The Duo enrollment process establishes an account with Duo and links your NetID to one or more physical devices that you will use as your additional factor of authentication.

Duo Authentication Methods

Duo supports a number of methods for an additional factor of authentication:

1. Smartphone or tablet [1] running the Duo Mobile app. If you have a smartphone or tablet, it is highly recommended you enroll the device and install the Duo Mobile app. This is the most common and convenient way to validate your additional factor. The app allows you to receive a “push” notification to your device and does not incur any text messaging charges. Alternatively, you can obtain a 6-digit passcode from the Duo Mobile app to enter.
2. A “non-smart” cellular phone. A cellular phone that cannot run the Duo Mobile app but is able to receive SMS text messages may be used. Duo will send a 6-digit passcode. (Text messaging fees may apply depending on your service contract.)
3. A landline telephone. Duo can call a landline to provide a 6-digit passcode.

Note: Montclair State University will never share the information entered in the device enrollment process, including cell phone and landline number(s), with other internal or external services.

(return to top of page)

ENROLLMENT USING THE DUO SELF-SERVICE WEB PORTAL

Enrollment is performed through a self-service web portal and typically takes a few minutes.

Note: You must be pre-approved to use the self-service portal at this time. If you are attempting to access a service requiring Duo MFA, and cannot enroll using the self-service portal, please contact the IT Service Desk, x7971, opt.1 or itservicedesk@montclair.edu for assistance.

Through the self-service web portal you can set up multiple smartphones and landline numbers and then choose which one to use by default.

Note: It is strongly recommended that after enrolling a primary device, such as your smartphone, that you also enroll a secondary device such as your work desk phone or home phone. This will provide you with an alternative method for validation and access to your Duo settings in the event your primary device is lost, damaged, or replaced. See Appendix A for more information.

Important: If you will be using a smartphone or tablet, it is recommended that you install the Duo Mobile app prior to enrolling the device(s) with the Duo self-service web portal. This will make the enrollment process easier.

The Duo app can be installed from the App Store for Apple iOS devices or the Google Play Store for Android devices. Search for “Duo Mobile” in the store. The vendor is Duo Security, Inc. and the app logo is green with white letters. Below is what the app looks like in the Apple App Store, for example:

After installing the Duo mobile app on your smartphone, access any Montclair State University service, for example NEST or Workday to start the setup process.

You will be presented with the single-sign on login page and asked to enter your MSU NetID and password and press “Login”.

You will be logged into the Duo cloud service and shown a welcome screen before proceeding:

The first step is to select the type of device you want to add to your Duo profile. You can add multiple devices, including more than one of the same type, but you have to add them one at a time. We recommend starting with your primary mobile phone. The following screens illustrate this:

Note: that MSU currently does not support the “U2F” or “Yubikey” options, so they can be ignored.

Enter your mobile phone number, area code included (ex: 9737151234) – you do not need to include parentheses or dashes. Click the small checkbox to confirm, and then click Continue.

Select the type of phone that you are registering, either iPhone, Android, Windows, or Other and hit Continue. (Note: Windows mobile phones are no longer being produced or supported by Microsoft. This device type will likely be removed in future versions of the DUO registration portal)

*At this point, if you are using a smartphone or tablet and have NOT already installed the Duo Mobile app, please see the Appendix B for instructions on how to download the app during the registration process.

After the Duo mobile app is installed on your smartphone, click “I have Duo Mobile Installed”.

You are almost finished! You now need to link the Duo Mobile app on your smartphone to your Duo cloud account. This is done by launching the Duo Mobile app on your phone, tapping the “+” button, and then using your phone’s camera to scan the QR barcode that is presented in your web browser. (Do not scan the QR barcode shown in this document!)

After activating the Duo Mobile app on your smartphone, under My Settings & Devices, select “Ask me to choose an authentication method” for “When I log in”.

Your setup is now complete! Clicking Finish Enrollment will log you out of the Duo cloud service and display the self-service portal logout/success page:

(return to top of page)

USING DUO

Once you have enrolled one or more devices, you may login to any MSU application or service requiring Duo MFA. The login screens will vary by service, however, during the login process you will usually be directed to a page that requires you to select one of your enrolled devices to complete the authentication process:

Successfully completing one of the authentication methods will allow you to login to the application or service.

When using Duo as a second factor for authentication to access Workday via your laptop or desktop there is a “Remember me for 12 hours” checkbox at the bottom of the Duo screen. (Note this feature is not available when accessing Workday from the app on your phone.)

When this option is selected, users will not be required to initiate Duo again for the next 12 hours provided you use the same device and browser within the 12 hour period. If you use a different device and/or browser, you will need to check the box again to enable this 12 hour grace period for the new device/browser. After the 12 hours have passed, you will be prompted to initiate Duo again.

Please be aware that clearing your browser cache and history will clear your choice and you will have to check the checkbox again the next time you access Duo. Please also note, if you selected a default choice of notification type, the box will appear with a red “x”. You must hit Cancel in the Duo screen or wait for the Duo “push” notification to expire before you are able to check the box.

(return to top of page)

APPENDIX A: REGISTERING ADDITIONAL DEVICES

It is strongly recommended that after enrolling a primary device, such as your smartphone, that you also enroll a secondary device such as your work desk phone or home phone. This will provide you with an alternative method for validation and access to your Duo settings in the event your primary devices is lost, damaged, or replaced.

Important: Since you have already registered one device in Duo, you will need to use that device to verify your identity with Duo before you can modify that device’s settings or add/remove any other devices.

First, log back into the self-service portal with your NetID and password at:

Duo MFA Enrollment

Note: that this time when you click “Begin Enrollment” you will be presented with the Duo login screen. Click on the “Add a new device” link on the left hand menu:

Before allowing you to add a new device, Duo will prompt you to verify your identity by using the mobile device that you previously registered. (Note: that you may need to scroll down on this screen to see the “Send Me a Push” option):

Choose and complete the preferred method.
You will then see the same “What type of device are you adding” screen from when you added your primary device and you can choose to add another mobile phone, tablet, or landline.


* Repeat these steps to add additional devices to your Duo account.

(return to top of page)

APPENDIX B: INSTALLING DUO MOBILE APP FOR iOS OR ANDROID PHONES

These instructions are for installing the Duo Mobile app for your particular brand of device during the initial enrollment process. (It is recommended that you install the Duo Mobile app on your phone prior to enrolling your first device since it makes the enrollment process a bit easier.)

iPhone/iOS
Follow the on screen instructions to Launch the App Store, search for “Duo Mobile”

Click Install in the App Store to install Duo Mobile. Then click Open.

* Please return to page 5 (“After the Duo mobile app is installed on your phone”) to continue with the setup process.

Android
Follow the on screen instructions to Launch the Google Play Store, search for “Duo Mobile”.

Once finished installing Duo Mobile, click I have Duo Mobile installed on the enrollment page to proceed.

* Please return to page 5 (“After the Duo mobile app is installed on your phone”) to continue with the setup process.

(return to top of page)

APPENDIX C:RE-ACTIVATING A NEW PHONE (Same Number)

These instructions are for reactivating Duo Mobile on a new device with the same phone number. (It is recommended that you install the Duo Mobile app on your new phone prior to re-activating your device since it makes the activation process a bit easier.)

First, log back into the self-service portal with your NetID and password at:

Duo MFA Enrollment

Note: that this time when you click “Begin Enrollment” you will be presented with the Duo login screen. Click on the “My Settings & Devices” link on the left hand menu:

Before allowing you to change your device settings, Duo will prompt you to verify your identity by using the mobile device that you previously registered. (Note that you may need to scroll down on this screen to see the “Send Me a Push” option):

If you do not have Duo Mobile installed now would be the time to install it. Instructions on how to install it are found above in Appendix B. If you already have it installed please continue:

Open the Duo Mobile App on your new device.

You should see Montclair State University and a pass-code.

Click “Enter a Pass-code” option in the MFA Portal

Enter the pass-code and Click Login.

You should see your device and phone number on the screen. To reactivate duo mobile click on Device Options

(return to top of page)

APPENDIX D:USING DUO WHEN TRAVELING INTERNATIONALLY

When traveling internationally you can still connect to Montclair State University applications or vpn using DUO as long as you ensure the following:

  • You are in possession of the DUO registered device.
  • You have access to the local WiFi.
  • Your DUO Mobile app on your device is up to date.
  • You use DUO Push notifications. They do not require an international calling plan.