Description

With two-factor authentication becoming a necessity for enterprise applications, Oakland University is taking the initiative to increase security by requiring two-factor authentication for administrative Banner. This document is meant to serve as a repository of solutions related to Oakland University's DUO implementation.

Who is Eligible?

Active Faculty or Staff

Tokens

Physical tokens provide a solution for an edge case where a user does not have a campus desk phone or mobile phone. The token provides a one time, six digit code that can be used as the second factor in the two factor sign in.

 

Types of Tokens

There are two types of tokens, event based and time based. Event based tokens change each login and Time Based tokens are on a 60 second continuous cycle. Event Based token type is preferred.

 

Token Registration process

1. Confirm with the user that using their mobile phone nor their desk phone is not an option.

2. Ask the user to complete the DUO Security Token Request form at forms.oakland.edu. They will have to login to fill out the form. Note: In cases where a student employee requires a token, the student's supervisor must fill out the token request form.

3. After the user fills out and submits the form, a footprints ticket will be created. All of the information on the form will be dumped into the ticket.
4. After the ticket is created update the ticket and assign the person's NetID is the contact and their alternate email is added as a CC.

5. Assign the ticket to the IT Service Alliance Team and use the quick description: DUO - Token Request Service Alliance Team - OR Retrieve a available token from the vault, grab a envelope, and complete the sign out form. (Note - white envelopes are in the DUO token drawer). For reference, the steps handled by ITSA upon assigning them to the ticket can be found here.

6. Check to make sure the user has an account. Take their NetID and place it in the center right search bar. If you run the search, and there is no account, you'll need to create one. Otherwise you can proceed.

7. Register a available token with that user. This can be done by logging into the Duo admin portal > "Users" > select the user > "Hardware Tokens" > "Add Hardware Token" . Pick the available token's ID that the ITSA team added to the ticket or (it can be found on the back of the token itself) to register the token with that user. When you are finished, click "Attach Hardware Token"

1. Use the Footprints quick description called DUO-Token Request Complete to inform the user they can pick up their token at the UTS Service Window (Dodge 220). The user will need to bring one form of university or government issued ID to prove identity.
   • This is assuming ITSA has handled their tasks.
   • Please ensure those tasks have been completed by checking the ticket for the token process.
2. Resolve the ticket.

 

Bypass Codes

Bypass codes are codes that can be used one time as the second step in the two-factor authentication. They are primarily used when a user forgets/looses their device that usually performs the second step. Before assigning a Bypass code to a user, confirm that this is a work stoppage issue and that they do not have any other way to authorize themselves and they do not have an OU office phone that can be enrolled. Bypass codes are only to be handed out as a temporary solution. They are only good for 12 hours and one time use only.

Make sure you are checking the "By Pass" section in DUO dashboard to make sure only the certain parties are using it correctly.

 

Assign Bypass Code

1. Confirm with the user that they are unable to use the Duo mobile app or telephone to receive a token code.

2. Duo admin portal > "Users" > select the user > "Bypass Codes" > "Add add Bypass Code" > "Generate Bypass Code". By default, the Bypass code expires in 60 minutes, as an OU policy, we are allowing the bypass code to expire in 12 hours (720 minutes). To change the default expiration time, click "Change options". One time only option is the ONLY acceptable usage quantity. At no point should you allow the Bypass code to be used more than once. For helpdesk admins, a default of 720 min and one time use is already assigned; therefore it's not necessary to change any settings. After clicking Generate Bypass Code a code will be created and no further steps are needed.

1. Print the code for the user, along with the ticket number, and seal it in an envelope. On the front of the white envelope add the users full name (last name first), write bypass code, and date in upper right hand corner.
2. Bring the packaged token to Dodge Hall 220 and set inside the box (alphabetical order last name first) labeled DUO Security. The box is located on the top shelf located next to the service window.
3. Inform the user that their Duo Bypass code can be picked up at the UTS service windows (Dodge 220). They must bring a form of university or government issued ID to verify themselves. Bypass code is only valid for 12 hours and one time use only. (A quick description is in the process of being created.)
4. Resolve ticket.

 

Phones

Telephones can be used as the second step in the two factor authentication. For this method, users will receive an automated phone call from 248-370-4748 and asked to push 1 to login or push 9 to report fraud.

 

Modifying University Phone

If a user is using a University issued phone (desk phone) and the number needs to be modified in the user's account, they will submit a ticket for it to be changed.

1. Duo admin portal > "Users" > select the user > "Phones" > click the device . From here you can change a user's phone settings.

2. Before adding a Oakland University number, verify with "call manager" that the number belongs to that user. Anyone from the Network Team, Brad Zimmerman, or Dennis Bolton can perform phone number look up. If the number is wrong in call manager, please inform the user that the number is wrong in our phone system and we have to move the ticket to the network team for review / change. Add the network team to the ticket to review / change the number. Once the number is changed by the network team, change it in the DUO admin portal.

3. Ensure that the type of the phone is Landline.

4. Update and resolve ticket.

 

Adding/Modifying Personal Phone

Duo Documentation

Adding a personal phone as a authentication method could lead to a security breach so at no point will the security team add personal phone numbers for users. If a users wishes to use a personal phone number they must do it themselves.

1. Have the user sign into Banner normally but when prompted with the Duo authentication, click "Add a new device" .

2. The user will have to confirm identity by signing with another form of Duo authentication.

3. Users can then continue with the adding process by click "Mobile Phone" > then entering their number

 

If the user got a new cell phone and the number is the same:

1. Go to their profile and click on their cell phone to bring up the device settings page.
2. Under "Device Info" click the reactivate Duo Mobile link.
3. Click the "Generate Duo Mobile Activation Code" button.
4. Make sure both Install and Activation Instructions are checked and click the "Send Instructions via SMS" button.
5. This sends an activation link to their cell phone.
6. Once the user clicks on the link, they have a default of 24hrs to login to any DUO protected app and authenicate with either a push or Duo app passcode.
7. Update the ticket with instuctions from steps 5 and 6 or add the link to our DUO documentation. Note: Creating a quick description for this in the future would be great.

 

Handling a Fraud Report

The phone callback option allows the user to press 9 to report fraud. When fraud is reported, a fraudulent authentication report email will go to uts@oakland.edu assigned to the security team and logged as fraud in the DUO logs. In the DUO logs you can see the phone number used to report the fraud, the fraud email only reports the user, factor (phone call), date, customer, integration, and IP address. Footprints uses an escalation rule to add the security team to the fraudulent authentication email. If you find this email without assignees or a category, please put in a ticket to have the escalation rule fixed by the Footprints admins. To handle a fraud report:

1. For now, only Mark the ticket as active and assign the Contact Information to the user that reported the issue. If it is a shared account, add the account owner as a CC. The netid lookup tool can be used to find the account owner.

2. Respond to the ticket, let the user know we are reviewing and ask the user why they reported fraud. (A fraud alert quick message will be created soon)

3. If they don’t reply to the ticket within 2 business days, try requesting an status update in the ticket and calling the user. If you are unable connect with the user escalate to the Security Team.

4. If this was accidental fraud report, note in the ticket and resolve it.

5. If this appears to be a legitimate fraud report escalate the ticket as an account compromise proceed to step 6. Note: Analysis of the DUO logs might be required in some cases to figure out the issue.

6. If we need to change the desk phone number, use the DUO-InternalTransferNCS quick message and assigned the NCS Team. Change the number in DUO after the NCS team verifies the correct number, please follow the steps in the modifying a university phone section.

7. To escalate the ticket as an account compromise, open a new ticket and assign the category as Security with a level 2 category of Account Compromise. Add a message, include the NetID of the compromised user and the DUO fraud ticket number as a reference. The account compromised ticket is for UTS only, do not add the user as a CC. From here follow the Account Compromise documentation.

8. Resolve the ticket once the account compromised ticket is resolved or the desk phone number is changed in DUO.

 

Checking/Adding a User account

1. Select the "Users" tab on the left hand side of the page.

2. Locate and select the "Add User Button".

3. Input the first part of their "@oakland.edu", in lower case, in the message box and select enter.

4. Enter in their first and last name in to the "Full name" message box.

5. Enter in their "@oakland.edu", from the ticket.

6. Select Save.

 

Ticket messages

First check the "Quick Description" in Footprints for a standardized response. If there is no applicable quick description use one of the respones below.

 

DUO - Bypass Code Request Completed

Your Duo Bypass Code is ready for pick-up. Bypass codes are good for one time use only and expire after 12 hours from time the code is generated. Please make sure you check the "Remember me for 12 hours" box during login. For more information please refer to: https://kb.oakland.edu/uts/DUO

Account credentials must be picked up at 220 Dodge Hall (service half-door). The individual for whom the account was created must pick up the account credentials, and the individual will be required to show a picture id. Office hours are 8AM to noon and 1-5PM, Monday-Friday.

We are resolving this ticket. Please contact us if you need additional assistance.

 

DUO Customer response

Thank you for contacting UTS. We are reviewing your request.

 

DUO Internal Transfer EA

After reviewing our logs it appears that you successfully authenticated using your NetID and DUO. We believe this may be related to the Banner application and are assigning the Enterprise Applications Team for further review.

 

DUO Internal Transfer NCS

Assigning the Network Team for further review. NCS team please verify the VOIP phone number is correct in our phone system and update accordingly. Please update the ticket with the results.

After we verify the number is correct in our phone system, we will update your DUO Security account.

 

DUO Internal Transfer TSS

After reviewing our logs it appears that you haven’t passed NetID authentication. We are assigning the Technical Support and Services Team for further review.

 

DUO - Change Mobile Number Request

We have reviewed your request. For security reasons we can not change a user’s mobile phone number. User preferences such as adding or modifying a mobile phone number can be managed by visiting the “My Settings and Devices” page during login.

Please follow the steps below to change / add your mobile phone number or refer to: https://kb.oakland.edu/uts/DUO

• Log into your Banner account as normal. Hit the link named, “Add a new Device”. Select the device in which you are wanting to add. In this case it would be a, “Mobile phone”. Enter in and confirm the phone number of the device you are adding. Select what type of phone it is. Options are: iPhone, Android, Windows Phone, or Other. If you don’t have the Duo Mobile app install, install it. Once installed, then:
  • Open Duo Mobile. Tap the “+” button. Scan the bar code. Or select the link to have your activation link emailed to you instead.

We are resolving this ticket. Please contact us if you need additional assistance.

 

Duo - Token Request Complete

Your Duo Token is ready. Account credentials must be picked up at 220 Dodge Hall (service half-door). The individual for whom the account was created must pick up the account credentials, and the individual will be required to show a picture ID. Office hours are 8AM to noon and 1-5PM, Monday-Friday. Please return the token once Banner access is no longer required. For information on how to use your Token please refer to: https://kb.oakland.edu/uts/DUO

We are resolving this ticket. Please contact us if you need additional assistance.

Updated on : 01/16/2020

 

DUO Status Website URL

In case of an outage, this status page will give you the current status of DUO's deployments. We are currently on the DUO1 deployment. This page will also give you information on past incidents.

https://status.duo.com/

 

FAQ

* Someone is asking to unlock their account after they locked it.

You don't need to unlock someones account. It will take one hour since their last failed login in attempt for DUO to automatically unlock it though the global configuration.

* If you see a ticket, like 74537, signing into Banner 9 Test I get the message from DUO: "Invalid username/password: Logon Denied"? .

It should be be a Banner ticket, not a DUO ticket.

Additional Support

• OU Technology Center
• 44 Oakland Center
• Rochester, MI 48309-4479
• (248) 370-4357
• Office Hours: M-F 8:00am - 5:00pm