IT Connect

Information technology tools and resources at the UW

Frequently asked questions

Two-factor authentication and Duo

What is authentication?

Authentication is a process by which a person or computer proves they are who they claim to be. An example is a person signing in to a web site by providing their UW NetID and password.

What is two-factor authentication?

Two-factor authentication adds a second layer of security to certain services when signing in with your UW NetID.

Normally, you verify your identity with a single factor, a password, which is something you know. Verifying your identity using a second factor like a smartphone or security token, which is something you have, prevents anyone but you from signing in, even if they know your password.

How is two-factor authentication being used at the UW?

At the UW, two-factor authentication is used to secure applications that have sensitive institutional data to reduce the risk that this data will get compromised. Guidelines governing the use of technical controls to ensure the security of UW data come from UW Administrative Policy statements including APS 2.4.

We use a service called Duo to perform two-factor authentication. This service can use a smartphone app, a phone call, or a hardware token as a second factor to authenticate you. Most people use Duo via the smartphone app, Duo Mobile, which runs on a variety of smartphones and tablets and is simple to use.

Who is required to use Duo two-factor authentication?

Many systems with sensitive data require 2FA, including UW administrative systems, Hyak, and Workday. If you use an Entrust hardware token for two-factor authentication now, you will be required to migrate from Entrust to Duo over summer 2017.

Who is eligible for two-factor authentication?

All employees, and students in approved programs, are eligible to use two-factor authentication. Employee eligibility includes current faculty, staff, student employees, affiliate employees, and retirees, as well as employees who have recently terminated employment.

Why do I need two-factor authentication?

It has become increasingly easy to compromise passwords. They can often be stolen, guessed, or hacked, and you may not even realize your password has been compromised. With two-factor authentication protected services, a compromised password won’t mean a compromised account.

Installing and using Duo

Is the Duo Mobile smartphone and tablet app free?

Yes.

How long does it take to enroll and register a device for two-factor authentication?

The enrollment process should take no longer than 5 to 10 minutes for first-time users. If you are planning on using the free Duo Mobile application, we suggest you install that on your smartphone or tablet now so that enrollment will be simpler.

How long will my authentication last?

A single sign-on session for access to web-based applications is designed to last 8-12 hours. However, individual applications can be configured independently and you may have to sign in to some applications more often than others. If you quit your browser, you will be required to sign in again.

What do I need to use Duo authentication?

To use Duo two-factor authentication you will need either a smartphone or tablet that can run the Duo Mobile application or a phone capable of receiving a voice call.

Signing in to a web application protected by Duo requires a modern web browser with JavaScript enabled. The browser must be a recent version of Google Chrome, Mozilla Firefox, Safari, Edge, Opera or Internet Explorer (IE). For IE, version 8 or later is required.

To use the preferred Duo Push method of authentication, a smartphone or tablet with the Duo Mobile app installed is required. The most recent versions of most mobile operating systems are supported; for more information on older versions, see the Duo Mobile documentation. If you do not have a device capable of installing the Duo Mobile application, you can enroll a phone number that can receive a voice call to authenticate you.

If you are not able to use any phone-based authentication method, Duo also supports hardware tokens which, instead of relying on a phone, require you to possess a physical token. Learn more about hardware tokens.

How do I get the Duo Mobile app on my phone?

Android: Launch the Play Store app and search for “Duo Mobile”. Choose the Duo Mobile app from Duo Security, Inc. (not Google Duo). Download and install the application.

iOS: Launch the App Store app and search for “Duo Mobile”. Choose the Duo Mobile app from Duo Security, Inc. (not Google Duo). Download and install the application.

Other smartphone platforms: Search for “Duo Mobile” from Duo Security, Inc. in your device’s application store.

Why does Duo Mobile ask for permission to use my camera?

Duo Mobile only needs permission to use your camera when you set up your smartphone or tablet. It only uses your camera to scan the Quick Response (QR) code used for activation. After activation, Duo Mobile doesn’t access your camera. You can remove this permission and Duo Mobile will work fine.

What is a “passcode”?

A passcode is a code that can be generated from the Duo Mobile app or a hardware token. You may also get a ‘bypass code’ from the UW-IT Service Center that will be a passcode you can use to sign in to the Duo authentication prompt. To sign in with a passcode, simply type the passcode you were given from the device or the UW-IT Service Center into the ‘Enter a passcode’ prompt when you need to sign in with Duo.

How do I generate a passcode using the Duo Mobile application?

A passcode can be generated on the Duo Mobile application by pressing the ‘key’ symbol next to ‘University of Washington’ inside the Duo Mobile application. You should then be shown a set of numbers which can be used to sign in at the Duo authentication prompt. You can generate a passcode with the Duo Mobile application even if your phone is not connected to the internet, and generating a passcode with the app doesn’t use any data or minutes on your cell phone plan.

Can more than one person enroll the same landline?

Yes, more than one person can set up and use the same landline. The first person to do so can follow the instructions to set up a landline. The steps are a bit different for the next person to set up the same landline. Namely, when they enter the phone number for the landline, they’ll have to confirm they can receive a callback during the setup process. If they can, then it will be added. This is true for anyone else who tries to enroll the same landline.

Use of personal devices

Can I use my own personal smartphone, tablet, or mobile phone for 2FA?

Yes, definitely. The University values personal choice and recognizes the convenience of using a personal device for 2FA.

Can employees use a personal device for 2FA, even for conducting University business?

Yes, again. Employees can use a personal device for 2FA, even for University business. A personal device enables safe and convenient two-factor authentication to systems used to conduct University business. From a cost and risk perspective, it’s often more effective than other 2FA options (such as landlines and hardware tokens). “Bring your own device” (BYOD) is a common operational model that acknowledges trends in society toward use of personal devices for user authentication.

Does use of my personal device for 2FA result in any data or other records stored on my device that are subject to disclosure as “public records”?

If you use Duo Mobile, there is no data stored on your smartphone or tablet. Period. We recommend use of Duo Mobile because it’s simple and secure, and one of the reasons for this is it creates no records on your personal device.

If you receive phone callbacks, there is no data on your phone and you can delete the metadata from your phone’s history of recent incoming calls because it’s transitory and the administrative purpose is fulfilled as soon as you’ve completed the call.

In each case, the result is the same: no data related to 2FA on your device that’s subject to disclosure.

Do I need to take any special precautions regarding security of my smartphone, tablet, or mobile phone?

Yes. Using a personal device for 2FA comes with the obligation to take reasonable precautions to protect it. Such precautions normally include the use of a password or a PIN to unlock the phone, as well as maintaining current versions of your phone’s operating system and Duo Mobile.

Hardware tokens

What kind of hardware token will the UW provide to me if I can’t use any of the other 2FA options?

If it isn’t feasible for you to use one of the standard 2FA options, UW-IT will provide a hardware OTP (One-Time Password) token for your use. These tokens generate a passcode at the press of a button, and you enter that passcode into the sign-on screen after entering your UW NetID and password. If you have used an Entrust token from our previous 2FA vendor, you are familiar with OTP tokens.

Hardware OTP tokens are not available via self-service and there are significant costs to the University for purchasing and manually provisioning them. To learn more, refer to hardware tokens.

What is a U2F token?

A U2F (Universal 2nd Factor) token is a cryptographic hardware token that plugs into your computer’s USB port and supports the U2F authentication protocol. The U2F protocol requires a supported web browser, so it can only be used for 2FA to web applications. U2F tokens have excellent usability and provide the highest security.

UW-IT does not provide U2F tokens, but if you already own one for use on other Internet sites, you can set up your U2F device to work with Duo at the UW.