Do I have to use MFA?
Yes. All employees will be required to use MFA to gain access to most systems on our campus networks and remotely. This policy and standard revision will be published as a requirement in the IT Password Protection Policy and its associated standard upon implementation or shortly afterward. This is a requirement for all institutions within the University System of Georgia (USG). Therefore, in order to satisfy the ultimate goal of safeguarding all accounts and ultimately the safety of our data resources as an institution, GHC will be required to follow the same requirements as all other USG institutions. Most of the USG has already enrolled faculty and staff and is in the process of protecting student accounts with MFA.
What is MFA, exactly?
Essentially, MFA requires two or more forms of authentication when you log in to a college system online. In email or other systems that implement MFA, you will enter your password as usual and be prompted for a secondary form of authentication such as a notification on your personal phone, a text message to your personal phone, a phone call to your personal phone, a phone call to a desk phone, or a code or button press on a hardware device. Once this is complete, you will be granted access to the system and will not have to re-enter either form of authentication while you are using that system.
Do I have to use a smartphone?
No, there are other physical devices, such as your tablet, landline phone, hardware token, or security key, that can verify your identity. You can choose to receive a call to your cell or landline. You can choose to receive a code via SMS (text messaging). If allowed and/or purchased, a hardware token or security key can also satisfy this 2FA verification. However, it is highly recommended that employees use their personal smartphones to receive a free “push” notification, so that a simple acknowledgement on your phone satisfies verification of a proper two-factor authentication. This requires the free Duo App to be installed and configured with your account. This is the quickest and least intrusive method. This is almost exclusively the #1 method being utilized at our sister institutions and across the US.
Is MFA (Duo) Flexible?
Two-Factor Authentication does not have a single mandatory means of use. Duo allows an individual to select from several options for a primary means of 2FA and a backup. You are free to choose the method that works best for you.
Is Duo Push the easiest option?
We strongly suggest that you try the ‘Duo Push Notification’ option first and give it a week. Based on feedback we received during pilot testing, users reported that this option was by far the least intrusive and easiest way to sign in. The push notification typically appears instantly and the authentication process completes less than two or three seconds after pressing the “Accept” button.
What are my options if I often work from a single office?
Some staff and faculty members who have significant administrative duties and spend most of their time in an office, or who teach mostly online from a GHC or home office, might choose to have a desk phone as the primary means of 2FA. You can elect to use push notifications or other options as a backup for when you are away from your office.
What does the Duo app cost?
Duo Mobile is a free download. It requires permission for push notifications and to use the camera (since taking a picture of a QR code is part of the setup process). It uses very little data. According to Duo’s online documentation, 500 push notifications in a month (16 a day) would use 1 MB of data (one one-thousandth of a GB). See https://help.duo.com/s/article/1005?language=en_US.
What if I have no cell or wifi?
As long as you are using the Duo app, it can be used to generate a passcode if you do not have cell service or wifi connectivity.
Which applications will require 2FA access?
We will be rolling out this new process for how we gain access to our network accounts (email) and to those systems utilizing Single Sign On (SSO) for linked access in early 2019. This first step will involve only employees and will be used only on these systems (network, eMail-O365, VPN, Intranet, sites.highlands.edu, Banner 9, D2L, OneUSG, Alma Primo, Maxient, Campus Logic, Adobe Creative Cloud Suite, Navigate, Zoom, Open Athens). Other systems will follow.
How often will I be prompted for 2FA?
We currently have the threshold set for 12 hours. This assumes you are accessing the network or one of the 2FA-secured GHC systems from the same workstation and browser. In any other scenario, authentication must be completed again, which means basically once a day on every workstation. Many institutions are choosing to utilize a zero threshold time limit.
Where will I be prompted? Classrooms?
In order to satisfy the ultimate goal of safeguarding all accounts and ultimately the safety of our data resources as an institution, GHC will be required to follow the same requirements as all other USG institutions. Therefore, each account holder will need to verify their identity through this account access process each day on each different system and for each different web browser. Unfortunately, no workstation can be trusted. We currently have the threshold set for 10 hours, but many institutions are not allowing any grace period to remember verification on devices. It only takes a few minutes to gain access to a user’s workstation and we cannot differentiate between a laptop, a desktop behind locked doors, or a public workstation.
Classroom faculty workstations will also have to follow this same procedure each time a new workstation or browser is utilized. While this seems very inconvenient, these are the most vulnerable machines we have on our campuses, since they are in unlocked and unattended classrooms.
What are my options in a “worst-case” scenario where I have no way to use Duo?
If you are in a classroom and need access in order to provide instruction, but your primary and secondary methods of 2FA are not functioning properly, you can use the classroom desk phone to call our IT help desk for a bypass code.
Why is Duo asking for access to my camera?
One of the methods for enrolling your account in Duo 2FA uses your phone’s camera to finalize registration of your device and set up your Duo account. During setup, you may be prompted to allow access to your camera for this process. After enrollment is complete, you can disable access to the camera under your phone’s settings section.
How do I change a method, update a setting, or add a new phone or backup device?
First, read the appropriate how-to (Enroll, Login, Add Device) under the “How To’s” section of the right navbar, and then click on the top link of the navbar just under “Getting Started”: “Enrollment / Add Device / Update Duo Settings”. This link, on the Employee Portal – Intranet, requires employee credentials and, if accessing off campus, a VPN session.
Why am I seeing security warnings?
What if I encounter cellular connectivity issues?
How will Duo work at the Marietta site?
What if I have an old smartphone or “flip-phone”?
If you do not have access to apps on your phone, you can choose to receive texts, phone calls, use a desk phone, or use a hardware token or U2F security key for Duo.
What if I don’t want to use my personally-owned device for this?
Can I use a hardware token?
You can use a hardware token or U2F security key with Duo. Please note that U2F security keys may offer limited compatibility with specific devices or applications and are unsupported by Internet Explorer and Mozilla Firefox as of February 2019.
A physical device can also satisfy this 2FA verification. Those are available for retail purchase.
- a supported Universal 2nd Factor (U2F) security key. (Note: security keys may offer limited compatibility with specific devices or applications and are not supported by Internet Explorer and Mozilla Firefox as of February 2019.)
- Yubico YubiKey Security Key, Neo, 4, 4C, 4 Nano, 5, 5C, 5 Nano, or 5C Nano
- Google Titan USB Security Key, Bluetooth Security Key
- HyperFIDO Mini
- Feitian ePass NFC
- HyperFIDO Mini – U2F Security Key
- You can self-enroll with a U2F security key anytime using the Duo enrollment portal.
- Duo also lets you link multiple devices to your account, so you can use your mobile phone and a landline, a landline and a hardware token/ U2F security key, two different mobile devices, etc., depending on all of the methods employed by the institution.
For employees who are unable to use a personally owned device or choose not to use a personally owned device for MFA, a limited number of hardware tokens will be available for check-out once a completed MFA Hardware Token Request form has been submitted to IT. We would like to encourage everyone to please consider all other options first so that these devices will be available for employees that have no other choice.
- a supported hardware token (Duo Authenticator). If an individual is unwilling to use their own personal device, cannot legitimately use their desk phone because of their job requirements, will not purchase an affordable hardware key of their own, or has a documented disability of some nature, then a hardware token request form can be completed requesting the use of a GHC-provided hardware token. This form must also be signed by the supervisor and submitted to IT at the time of the account conversion request. These are available on a first-come, first-served, limited basis.
What do I do when my phone is lost, forgotten, or stolen?
You can do a few things to prepare in case your device is lost, stolen or forgotten. You may want to set up multiple devices or phone numbers to work with Duo so you are prepared in case your primary device can’t be used. The Device menu lets you switch between phones or devices.
When you replace a device or phone, if your phone number remains the same, you can choose to receive a phone call instead of an app notification until you set up a preferred method of notification again (Instructions).
If your phone number changes after losing a device and a secondary phone or device option is not available, contact the IT Help Desk for assistance accessing your account and getting a link to re-set up Duo if needed.
How do I use 2FA while traveling?
There are several factors to be noted when traveling. As long as you have service as normal, you can authenticate as you always do. Otherwise, there are a few possible scenarios available:
- If you have no cell service or wifi connectivity, you can use the app to generate a passcode.
- If hardware tokens are allowed and you have one registered, you can use the token to generate a passcode.
- A “bypass” code can be generated via special approvals prior to a trip (see IT for possibilities).
What kinds of data does Duo track?
Duo only tracks sign-in information related to university systems that use single sign on (SSO). Duo tracks the same information that other campus web applications do when you sign in at the university, including your CampusID, browser version and IP address.
In addition, the Duo mobile app reports the model of the device on which the app is installed or the phone number if a mobile number is registered. No other information about the device or user is tracked or exchanged.
Who do I contact for assistance?
Contact IT via firstname.lastname@example.org to create a ticket. Tickets can be handled by any IT staff member on any campus, so this is usually the fastest path to resolution. If you feel your situation is more of an emergency with the technology, call 706-295-6775.
Note: FAQs developed in part by IT and Steve Stuglin – President Faculty Senate