Duo Documentation for DTS

Tags DUO security

Description

Access to the Oakland University Duo Management portal is provided to select Distributed Technology Staff for the purposes of providing end user support.

Who is Eligible?

Active Faculty or Staff

Requesting Access

Access to the Duo Management portal may be requested by submitting a ticket to UTS.

 

Accessing the Duo Management Console

  • Navigate to duo.com and select "Admin Login" in the upper right corner.

  • Enter your OU email address when prompted anc click "Continue"
  • Select "Continue to Identity Provider".
  • You will then be directed to OU's Single Sign On (SSO) page
  • Authenticate using your NetID credentials
  • You may then authenticate using Duo Push (preferred) or any of the other available Duo options

 

Common Admin Actions

There are a number of common tasks that a Duo admin will find themselves attending to. Below are two of the most common along with links to Duo's own documentation regarding these actions. Below that are links to other common admin actions.

 

Delete User Devices

If a user gets a new phone with a new phone number, or a if a user's phone is lost or stolen, the device must be removed from Duo. The stops below detail how to do this.

  • Enter the NetID of the the user in question in the search bar in the top left corner of the admin panel.
  • Scroll down to the "phones" section.
  • Click the trash can icon on the right side of the entry of the phone you want to remove.
  • If you are sure this is the device you want to remove, press remove.

  • See this link for more information on how to remove devices from Duo.

 

Phones

Telephones can be used as the second step in the two factor authentication. For this method, users will receive an automated phone call from 248-370-4748 and asked to push 1 to login or push 9 to report fraud.

 

Modifying University Phone

If a user is using a University issued phone (desk phone) and the number needs to be modified in the user's account, instruct them to submit a ticket to uts@oakland.edu . It is important for UTS to handle office phone moves as other phone records need to simaltounsly need to be updated to maintain e911 compliance

 

Adding/Modifying Personal Phone

Duo Documentation

Adding a personal phone as a authentication method could lead to a security breach so at no point will DUO Administrators add personal phone numbers for users. If a users wishes to use a personal phone number they must do it themselves.

  1. Have the user sign into Banner normally but when prompted with the Duo authentication, click "Add a new device" .

  2. The user will have to confirm identity by signing with another form of Duo authentication.

  3. Users can then continue with the adding process by click "Mobile Phone" > then entering their number

addDevice.png enterPhone.png

If the user got a new cell phone and the number is the same:

  1. Go to their profile and click on their cell phone to bring up the device settings page.
  2. Under "Device Info" click the reactivate Duo Mobile link.
  3. Click the "Generate Duo Mobile Activation Code" button.
  4. Make sure both Install and Activation Instructions are checked and click the "Send Instructions via SMS" button.
  5. This sends an activation link to their cell phone.
  6. Once the user clicks on the link, they have a default of 24hrs to login to any DUO protected app and authenicate with either a push or Duo app passcode.
  7. Update the ticket with instuctions from steps 5 and 6 or add the link to our DUO documentation. Note: Creating a quick description for this in the future would be great.

 

Reactivating User Phones

When a user purchases a new cell phone, they will need to reactivate Duo on this device. To assist with this, you will send them a reactivation code through the Duo management console. Here is how to do so:

  • Enter the NetID of the the user in question in the search bar in the top left corner of the admin panel.
  • Scroll down to the "phones" section.
  • Click on the phone number of the device the user is attempting to reactivate.
  • Under the section "Device Info", click the "Reactivate Duo Mobile" link.
  • Press the "Generate Duo Mobile Activation Code" button
  • Only the Activation Instructions need to be selected, if the user already has the DUO app installed you can un-check the Installation Instructions (Recommended). From past experience, the user may get confused if the Installation Instructions are sent with the Activation Instructions. Press the "Send Instructions by SMS" button. Once the user clicks on the Activation Instructions link, the device will automatically become activated.

  • See this link for more information on how to activate and reactivate a device in the Duo management console.

  • If a user would like to reactivate their device without assistance from the help desk, please direct them to this link and to the section regarding device reactivation.

 

Reordering User Devices

If a user has more than one device registered to Duo, their order determines which receives precedence when the user authenticates. Below are the steps on how to change the order of a user's devices.

  • Enter the NetID of the the user in question in the search bar in the top left corner of the admin panel.
  • Scroll down to the "phones" section.
  • Drag and drop the phones in the desired order.

  • See this link for more information on how to reorder user devices.

 

Unlocking and Changing User Status

At times a user may be locked out of their Duo account. This will happen after 10 consecutive failed authentication attempts. The users status will automatically revert to active after 10 minutes and no action is required by an admin. It is recommended to tell the user to wait the ten minutes. In some cases the user may be disabled by an admin due to a security concern. In this case, the users account will show disabled instead of locked out. Please direct disabled users to create a ticket with the UTS security team. Do not activate a disabled user without consulting the UTS security team. If a users account needs to be unlocked by an admin, the steps below detail how to do so:

  • Enter the NetID of the the user in question in the search bar in the top left corner of the admin panel.
  • Scroll down to the "status" section if needed (it is near the top)
  • Change the user status to "active" to unlock the account.

  • See this link for more information on managing user status.

 

Viewing Authentication Logs

In order to determine why a user is unable to authenticate with Duo, you may have to look at the authentication logs in the management console. Here is how to access these logs.

  • Enter the NetID of the user in question in the search bar in the top left corner of the admin panel.
  • Select the user by clicking on them
  • Scroll down until you see the "Recent Activity" section, this will display logs associated for the user's most recent activity.

  • See this link for more information on viewing authentication logs.

 

DUO Status Website URL

In case of an outage, this status page will give you the current status of DUO's deployments. We are currently on the DUO1 deployment. This page will also give you information on past incidents.

https://status.duo.com/

 

Tokens

Physical tokens provide a solution for an edge case where a user does not have a campus desk phone or mobile phone. The token provides a one time, six digit code that can be used as the second factor in the two factor sign in.

 

Distributing Individual User Tokens

UTS is responsible for the distribution of hardware tokens. If a user requests a token, respond to the ticket and direct them to Duo Security Token Request, found here

 

Using Tokens for Single Use Authentication

There may be rare occasions a faculty member is unable to authenticate with Duo and needs to sign in immediately teach a course. In these urgent scenarios, CSITS is authorized to provided a temporary token as a single use means of authentication.

To issue a temporary token complete these steps:

  1. Locate an available token provided by UTS and add it to the faculty's Duo account.

    • Duo admin portal > "Users" > select the user by entering NetID > "Hardware Tokens" > "Add Hardware Token".

    • Enter the selected token's ID (located on the back of token below the barcode) to associate the token with that user.
    • Click "Attach Hardware Token"

      • Attach_Hardware_Token.png

  2. Verify the identity of the professor using photo ID such as GrizzID or Driver's License (either by traveling the classroom or using online meeting).
  3. Helps the faculty member login by providing the logon code from the token and ensuring they select "Remember me" or "Trust this Device" option.
  4. Advise the professor to either enroll a device in Duo or submit a Duo token request (if applicable to the situation)
  5. Upon returning from the classroom remove it from the faculty's Duo account, by following the above navigation and selecting the trashcan icon next to the token, so that it is available for reuse.

Note: At all times during this process the Duo token is in the possession of the CSITS member.

 

Resyncing Hardware Tokens

At times, a Duo hardware token may stop working. In this case, it may need to be resynced. This link contains a guide on how to resync hardware tokens.

NOTE: This process is only for event based tokens, and does not apply to time based tokens (e.g. the resync option will not be available in Duo). If a time based token based tops working it will need to be replaced using the Duo Token Request Form.

Additional Support

  • OU Technology Center
  • 44 Oakland Center
  • Rochester, MI 48309-4479
  • (248) 370-4357
  • Office Hours: M-F 8:00am - 5:00pm
Print Article