Duo Multifactor Authentication
Duo is a two-factor authentication provider used to provide an extra layer of security across the organization's services.
About
Duo is a multi-factor authentication service that is used to add a second layer of defense against unauthorized access to employees' accounts.
It works by adding an additional login credential - above and beyond your username and password - to gain access to your account. Typically, this second credential will be available through something only you own, for example your cellphone. This stops others from gaining access to your account even if they have knowledge of your username and password.
What Services Use Duo?
Currently, the following services are protected by Duo:
- VPN Services via the FortiClient app.
- LiquidFiles Service (https://transfer.georgeandbell.com)
- 1Password Password Manager (https://georgebellconsulting.1password.com)
- Logging onto any domain-tied device such as a laptop or workstation.
- Accessing your email account via Microsoft Office 365.
- Logging onto BookStack (this documentation site).
Enrolling In Duo
The following guide will walk you through completing Duo's enrollment process.
Instructions
Please browse to https://portal.office.com and sign in to your email account to view your enrollment email. Click on the link within the email to start the Duo enrollment process.
If you do not have a Duo enrollment email, please contact IT Support, who will ensure an enrollment email is sent to you.
The following page will appear. Press Start Setup to start the enrollment process.
Select Mobile Device.
Enter your mobile phone number.
Select the type of mobile device you own.
Follow the on-screen instructions to install the Duo Mobile app from your respective app store. Once the Duo Mobile app is successfully installed, select I have Duo Mobile installed.
Using the Duo Mobile app, scan the provided QR code. This will add your Duo account onto the Duo Mobile app. Once scanned successfully, the Continue button will be available. Press Continue.
Under When I log in, choose Automatically send this device a Duo Push. Select Continue to Login.
You've successfully set up the Duo service. To test, press Send Me a Push. You will receive a notification on your mobile device from the Duo Mobile app asking if you wish to Approve or Deny the login. Press Approve.
You've successfully enrolled in Duo.
Verified Duo Push
Verified Duo Push is an alternative way of completing a Duo Push Request that includes an additional security factor to better protect your account. It's used when a service is at risk of receiving a 2FA Fatigue attack.
What is a 2FA Fatigue Attack?
2FA Fatigue attacks are a social engineering strategy where attackers repeatedly push 2FA authentication requests to your phone. The goal is to annoy you into approving the Push Request, thus authenticating the attacker's attempt, gaining access and compromising your account.
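For administrators, the repeated-prompt pattern described above can be looked for in authentication logs. The following is an added example, not part of the original documentation or of Duo's product: the event tuples, result names and thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (user, timestamp, push result). Not real Duo log output;
# the field layout and result names are assumptions made for this example.
SAMPLE_EVENTS = [
    ("alice", "2024-05-01T02:14:05", "timeout"),
    ("alice", "2024-05-01T02:14:40", "denied"),
    ("alice", "2024-05-01T02:15:10", "timeout"),
    ("alice", "2024-05-01T02:15:55", "denied"),
    ("alice", "2024-05-01T02:16:20", "timeout"),
    ("alice", "2024-05-01T02:16:50", "approved"),  # gave in after five prompts
    ("bob",   "2024-05-01T09:00:10", "denied"),    # one mis-tap, then a normal login
    ("bob",   "2024-05-01T09:00:45", "approved"),
    ("carol", "2024-05-01T11:00:00", "denied"),
    ("carol", "2024-05-01T11:01:00", "denied"),
    ("carol", "2024-05-01T11:02:00", "denied"),
    ("carol", "2024-05-01T11:03:00", "denied"),
]

def find_push_bursts(events, threshold=4, window=timedelta(minutes=5)):
    """Flag users who received `threshold` or more unapproved pushes inside `window`."""
    recent = defaultdict(deque)  # user -> timestamps of recent unapproved pushes
    findings = {}
    for user, ts, result in sorted(events, key=lambda e: e[1]):
        now = datetime.fromisoformat(ts)
        queue = recent[user]
        while queue and now - queue[0] > window:  # drop pushes older than the window
            queue.popleft()
        if result in ("denied", "timeout"):
            queue.append(now)
            if len(queue) >= threshold:
                finding = findings.setdefault(
                    user, {"start": queue[0], "count": 0, "approved_after": False})
                finding["count"] = max(finding["count"], len(queue))
        elif result == "approved":
            # An approval that ends a burst is the case to investigate first.
            if len(queue) >= threshold:
                findings[user]["approved_after"] = True
            queue.clear()
    return findings

if __name__ == "__main__":
    for user, f in find_push_bursts(SAMPLE_EVENTS).items():
        print(user, f["start"].isoformat(), f["count"], f["approved_after"])
```

A burst that ends in an approval (alice in the sample) is the pattern Verified Duo Push is meant to prevent, since approving then requires the number shown on the sign-in screen.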
Implementation
Currently the following services have Verified Duo Push enabled and enforced:
- Microsoft 365 (web browser & app sign-ins)
Completing a Verified Duo Push Request
The following will walk you through performing a Duo Push Request when protected by Duo Verified Push.
- Log on to your service as you normally would with your username/password.
- Duo will prompt with a six-digit number.
- When the Duo Push Request appears on your mobile device, enter the six-digit number and select Verify.
- The Verified Duo Push Request will complete and you'll be successfully signed in.
Offline Access
Duo Offline Access enables you to continue to log on to your laptop when internet access is not available. It works by validating your identity via an ever-changing 6-digit code on your Duo Mobile app.
About
Duo Offline Access is a feature which allows you to log in to your laptop when no internet connectivity is available.
It works by adding another account onto your Duo Mobile app which displays a rotating 6-digit code. When no internet access is available, your laptop will automatically use the Offline Access feature and ask you for the 6-digit code. Entering the code will allow you access to your laptop.
Please know that the Offline Access code is tied directly to your physical laptop. The code displayed on the Duo Mobile app will not work for signing into other laptops. If your laptop is replaced, the old Offline Access code account will need to be deleted and a new one configured.
If you'd like to learn more on how to use Offline Access, please see Using Offline Access.
Using Offline Access
When internet access is not available, Duo will prompt asking for your Offline Access code instead of sending you a push notification.
If Duo is not functioning as expected while located in a hotel or public space, please turn off your Wi-Fi and re-attempt logging in. You will be prompted for the Offline Access code.
When this occurs, please locate the 6-digit code within the Duo Mobile app on your phone.
Enter the code and press Log in.
You've successfully logged into your laptop.
Configuring Offline Access
The following instructions will walk you through setting up Offline Access on your laptop. Once completed, you will be able to complete Duo authentication requests even if the internet is not available.
Upon first signing into the laptop after Duo has been installed, Duo will ask you to complete setting up Offline Access.
This prompt will continue to appear each time you log on until Offline Access has been configured.
Ensure Duo Mobile Passcode is selected and select Activate.
A QR code will appear. Within the Duo Mobile app on your phone, press the + symbol in the top right-hand corner and point the camera at the displayed QR code on the screen.
On your phone, give the new Duo account a name and select Save computer name.
Select Take me to my offline code to view your current Offline Access code.
Back on your laptop, select Enter Offline Code.
Enter the code shown on your Duo Mobile app and select Activate Offline Login.
The passcode generated by Offline Access is tied specifically to each laptop. If your laptop is replaced or re-imaged, you must re-activate Duo Offline Access.
You've successfully set up Offline Access for your laptop.
Reconfiguring Offline Access
Your Offline Access code can be reconfigured at any time. This may be necessary if you:
- Get a new mobile device.
- Accidentally wiped the Duo Mobile app from your mobile device.
- Get a new or replacement laptop.
Instructions
Please follow the instructions below to reconfigure Offline Access.
1. To start this process, ensure you are fully signed out of your laptop.
2. Sign into your laptop. When the Duo prompt appears, do not approve/deny the request on your phone; instead, select Replace/reconnect an offline device located in the bottom-left corner.
3. The screen will change (see below), asking that you complete the Duo Push Request to continue to the Offline Access enrollment process. Now Approve the Duo Push Request.
4. The Duo Offline Access setup wizard will appear. Follow the Configuring Offline Access article to complete the setup process.
Troubleshooting
Unable to Access Duo Mobile
If you lost your phone or are unable to access Duo Mobile, please reach out to IT Support, who will work with you to put temporary measures in place so you can continue to access George & Bell services.
Unable to Enroll in Duo
If you receive the following error when clicking on the link provided within the Duo enrollment email, please reach out to IT Support. This occurs when your account is configured to bypass Duo's multi-factor authentication requests, which is commonly implemented when you're unable to use the Duo Mobile app.