Duo Multi-Factor Remote Access

Overview

To improve security of the systems OIT manages, we require multi-factor authentication when OIT system administrators and those who have other privileged access are connecting from off-campus to critical systems (including office desktops). This helps reduce the risk of a compromised administrator password being used to gain access to critical campus resources.

What is Duo? 

Duo is the same system used to protect your Direct Deposit, W-2, and W-4 information in MyCUInfo. Multi-factor remote access, however, will have the addition of a mobile app that quickly and easily confirms your identity for secure login. Check out how it works with this video from Duo.

How to enroll and use Duo

  1. Download the Duo mobile app from the Apple App Store or Google Play Store.
  2. Once installed, visit the Duo Two Factor Enrollment website to enroll. Be sure to enroll more than one device (e.g. a mobile phone and office or home phone).
  3. Connect to ucb-gateway using your RDP client or vpn.colorado.edu/oit-ops-desktop using Cisco AnyConnect Secure Mobility Client.
  4. Login and verify that you were prompted on your phone.  
    *Please note: If prompted to enter a second password, type push which will push to DUO.
  5. After initial set up, you can click Other options to change your preferences to send a text message, use a hardware key or YubiKey if necessary. 
Duo login

Troubleshooting

If you're having trouble logging in using Duo, especially if you have recently replaced your mobile device, you can log into the Duo Two Factor Enrollment website to view your settings, re-register the app, or add a new device.

  1. Go to the Duo Two Factor Enrollment website and log in with your IdentiKey and password.
  2. If Duo pushes an authentication request that doesn't show up in your app, click Cancel and you'll be able to select a different authentication method. 
  3. Select Call me to get a phone call to authenticate, or select Passcode to receive a text message to your mobile device. Note: Either method will authenticate, but OIT recommends the passcode option, as it is less likely that you will miss a text versus missing a phone call.
  4. Once authenticated, you will see a success notice. Select the option to return to the DUO device registration page.
  5. Instead of clicking Cancel and immediately authenticating, click My Settings and Devices on the left side of the window. You will be prompted to log in again. 
  6. Now you'll see current registered phone numbers, devices, and authentication preferences. Change any settings that you need to or click Add another device
  7. Select device type then click Continue to finish setup. 

FAQ

When was Duo implemented? 

Duo two factor authentication was implemented for both the Cisco VPN and Microsoft Remote Access Gateway on February 11, 2016.

Can I use the Android or iOS app for My CUInfo?

No, these resources are completely separate and OIT has different policies for each. 

Do I have to use Duo when working on campus?

The OIT custom VPN is configured to always require multi-factor authentication. The windows remote desktop gateway will allow you to connect without multi-factor authentication from the following OIT desktop networks: 172.21.39.0/26 

What are my authentication options?

DUO has a number of options available to authenticate including push alerts, text messages, YubiKeys and hardware tokens. When logging in, click Other Options to see all of your choices and pick which is best for you.

DUO Other options to log in
Is this as secure as my desktop? Can I access resources directly from the VPN rather than my desktop?

Desktop subnet and the Cisco VPN (vpn.colorado.edu/oit-ops-desktop) will terminate on the 172.21.39.0/26 subnet. The new subnet (172.21.39.0/26) can be viewed as an "extension" of the desktop network and is just as secure. So systems currently only accessible from the OIT Desktop subnet will also be opened up from the 172.21.39.0/26 subnet. 

What should I do if I cannot login?

Contact support for either the VPN or the RDP gateway as you currently do. 

What if I do not have an Android or iOS device?

You have the option to enter a phone number (e.g. your home phone number) just like you did for your direct deposit, W-2, or W-4.

What if I lose my device?

Initiate a remote wipe by logging into your Office 365 email, selecting options from the gear icon, and look for 'mobile devices' in the general settings.

If this is not possible or you have problems with the remote wipe, contact the OIT Office 365 Administrators for assistance.

Is it possible to add another device to my Duo account?

To add an additional device for DUO, you have to edit your settings before you send a push notification to your current device.

  • Log in via duo.colorado.edu
  • When you see the window that gives you an option to send a push notification, click on the Settings button in the upper right corner  
  • A settings menu will open. Select Add a new device.  
  • You'll have to perform two-factor authentication with your current device before you can add a new one, but the site will guide you.

You can add as many devices as you want, but we recommend visiting the Duo two factor enrollment website with a new/separate browser or with a private/incognito window to force authentication.