Multi-Factor Remote Access

Last Updated: 11/21/2018

Overview

To improve security of the systems OIT manages, we now require multi-factor authentication when OIT system administrators and those who have other privileged access are connecting from off-campus to critical systems (including office desktops). This will help reduce the risk of a compromised administrator password being used to gain access to critical campus resources.

Implementation

Duo multi-factor authentication was implemented for both the Cisco VPN and Microsoft Remote Access Gateway on February 11, 2016. Duo is the same system used to protect your Direct Deposit, W-2, and W-4 information in MyCUInfo. Multi-factor remote access, however, will have the addition of a mobile app that quickly and easily confirms your identity for secure login. Check out how it works with this video from Duo.

How to get it

  1. Download the Duo mobile app from the Apple App Store or Google Play Store.
  2. Once installed, visit the Duo Two Factor Enrollment website to enroll. Be sure to enroll more than one device (e.g., a mobile phone and office or home phone).
  3. Connect to ucb-gateway using your RDP client, or to vpn.colorado.edu/oit-ops-desktop using the Cisco AnyConnect Secure Mobility Client.
  4. Log in and verify that you are prompted on your phone.

    *Please note: If prompted to enter a second password, type push, which will send a push to Duo.

Can I use the Android or iOS app for MyCUInfo?

No, these resources are completely separate and OIT has different policies for each. 

Do I have to use Duo when working at my desk?

The OIT custom VPN is configured to always require multi-factor authentication. The Windows Remote Desktop Gateway will allow you to connect without multi-factor authentication from the following OIT desktop networks: 172.21.39.0/26

Is this as secure as my desktop? Can I access resources directly from the VPN rather than my desktop?

The desktop subnet and the Cisco VPN (vpn.colorado.edu/oit-ops-desktop) will terminate on the 172.21.39.0/26 subnet. The new subnet (172.21.39.0/26) can be viewed as an "extension" of the desktop network and is just as secure, so systems currently accessible only from the OIT Desktop subnet will also be accessible from the 172.21.39.0/26 subnet.

What should I do if I cannot log in?

Contact support for either the VPN or the RDP gateway as you currently do. 

What if I do not have an Android or iOS device?

You have the option to enter a phone number (e.g. your home phone number) just like you did for your direct deposit, W-2, or W-4.

What if I lose my device?

Initiate a remote wipe by logging into your Office 365 email, selecting options from the gear icon, and looking for 'mobile devices' in the general settings.

If this is not possible or you have problems with the remote wipe, contact the OIT Office 365 Administrators for assistance.