Duo Multi-Factor Authentication for SSO FAQ
Summary
Pima College adopted multi-factor authentication (MFA) in December 2022.
Since that time, all staff, faculty, and student workers who log in to Web-based systems that require a sign-in through the College’s SSO platform are required to use MFA to authenticate, or verify, their identity. Below are answers to questions you may have about this change.
Questions
What is SSO?
SSO is an acronym for Single Sign-On. When you log in to Web-based systems that require authentication through the College’s SSO platform, you see the screen illustrated here.
Since the adoption of Duo MFA, after you use this login page, the next thing you will see is the Duo request for verification.
To see what the new login process with Duo MFA looks like, watch this short video.
What is MFA?
MFA adds a second layer of authentication that helps faculty and staff protect themselves and the College against cybercrime. MFA increases your account’s security by combining multiple factors: something you know, such as your user ID and password, and something you have, such as your smartphone. MFA prevents others who know your password from logging into your account, because only you have the additional factor.
You’ve probably already used MFA verification with your bank, personal email, or online shopping accounts. One popular form of MFA requires, after you log in with your password, that you enter a code sent to you via text message or email.
Learn more about MFA with a brief video overview and get details at the US cybersecurity agency.
How is Duo MFA different?
Pima has adopted a more secure form of multi-factor authentication called Duo MFA. With this system, when you use a browser to log into a College system with your username and password, you’ll see an “Additional verification needed” message. You provide the additional verification using the Duo Mobile app on your smartphone or tablet. You can watch the process in this short video.
Is MFA adding an extra step to my login process?
Yes, so your login process will now take a moment or two longer.
Do I need to have my smartphone with me to log in?
Yes. Because it is your second factor, you must have your smartphone with you when you log in.
If I forget to bring my phone, how can I log in without it?
If you forget or misplace your phone, you cannot log in until you have contacted and worked with the Service Desk.
Do I have to use Duo MFA and take this extra step EVERY time I log in?
That depends. The timeout period for MFA is 20 hours, so you can expect to use Duo Mobile once a day when logging in through SSO. If you click or tap the Yes, trust browser button during the login process, you should be able to close the browser within that 20-hour period and then reopen it on the same device and log in without having to take the additional Duo step. However, if you log in with a different device or using a different browser, you must use MFA again.
Why is this change necessary?
There are three reasons for the College to adopt this system:
- Because the College disburses federal student aid, we must comply with a federal law called the Gramm-Leach-Bliley Act. GLBA requires the College to use certain information privacy protections and safeguards. MFA is one of those safeguards.
- The College carries an insurance policy that assists us against cybersecurity threats. To remain in force, that policy requires the College to use an MFA system.
- MFA is considered a best practice for computer network security. The College must use MFA to protect the institution and ensure the confidentiality, security, and integrity of information about faculty, staff, students, and parents.
Who is being affected by this change?
Faculty, staff, and student workers who have active accounts will use the Duo MFA to access non-public College web pages or applications. In addition, people and companies who have contracts with the College that require them to access College computer systems will be required to use Duo MFA.
Is this change permanent?
Yes, the College will use Duo MFA for the foreseeable future.
Am I required to use Duo?
Yes, Duo MFA is required for all faculty, staff, and student workers.
Will I need the Duo Mobile app on my phone?
Yes. Using the Duo Mobile smartphone app is the recommended method for responding to a request for verification. Therefore, you will need your phone with you when you log in. Employees who use a college-provided smartphone or tablet and those who are receiving stipends for using their personal smartphone must install and use the Duo Mobile app.
Is the Duo Mobile app free?
Yes, the Duo Mobile app is free for faculty, staff, and student workers to download and install. You should know that authentication uses a small amount of Internet data traffic to function (a few kilobytes per login).
What devices can use the Duo Mobile app?
Your smartphone, whether it is an iPhone or runs on Android, can run the Duo Mobile app. Android tablets and iPads are also supported if they have a cellular data connection or WiFi connection.
I don’t have a smartphone. Are there other options for Duo MFA?
If you don’t have a smartphone or tablet, your second factor can be a text message or voice call to your basic cellphone, or even a voice call to your landline phone. If you don’t have any of those, you can request a hardware token (or fob) from IT. Your supervisor must approve your request for a hardware token.
I just don't want a work-related app on my personal smartphone. The fob sounds good, but does it have any drawbacks?
- In general, the hardware token (fob) is more troublesome to use than the Duo Mobile app: when you log in and see the request for verification, you have only a few moments to find the token, push its button to generate a new passcode, and then enter the digits correctly.
- A main drawback is that tokens get out of sync: if the button is pressed too many times in a row and the generated passcodes aren’t used for login, the token loses its synchronization with the Duo server. If the token is out of sync, you can’t log in. When that happens, you must contact and work with the Service Desk.
- Tokens are easy to lose because they are small and used only once a day (unlike your smartphone). Many people solve that problem by adding the token to a keychain or keeping it in a purse or backpack, but in those spots, the button can easily be pressed by accident, leading to the token getting out of sync.
- Young children love to press a button and watch the numbers change, repeatedly. But their fun leads to the token getting out of sync.
Duo Mobile on my phone seems like an invasion of my privacy. Do I have to use it?
Duo Mobile actually enhances your online privacy as well as the security of College computer systems, so your account data is significantly better protected from exposure to cybercriminals. The only data of yours available to the College’s IT Duo Administrators is:
- The type of device you use
- The software version of your device
- Your phone number, if you provide it when you enroll yourself in Duo MFA.
Duo Administrators use that data only for purposes of administering the Duo service. The Duo Mobile app on your phone does not share any other information with the College. More information regarding the privacy of the Duo Mobile app is available from Duo.
While using the app on your personal phone is not required, it is highly recommended. Duo Mobile is the most secure—and fastest—way to authenticate during login.
When I use Duo to log in to the Pima VPN, I opt to receive a code via text message (SMS) on my phone. Why can’t I just keep doing that?
If you have a smartphone, you should download, install, and use the Duo app. Using the app to validate a code is more secure than a text message.
What action do I have to take?
If you were not using Duo before December 23rd, 2022, you must self-enroll. If you fail to enroll by December 23rd, you will be unable to access email or myPima until you do so. See the Duo MFA Enrollment Quick Start Guide for a step-by-step guide to the self-enrollment procedure.
How can I use Duo MFA while traveling internationally?
When traveling outside of the United States, you may have an internet connection for your laptop, but not have a cell signal on your basic cellphone or smartphone. In this situation, you have two options:
- The Duo Mobile app on your smartphone, which you can use even without cell service
- A hardware token, also known as a fob
If you have a fob, use it as you normally would.
If you have a smartphone but no cell signal, the easiest option is to use the Duo Mobile app you have already installed and enrolled. You can use the Duo Mobile app to generate a passcode, just like the fob does, as described below.
- When the login page prompts you to enter the three-digit verification code, select Other options, and then in the list of options, select Duo Mobile Passcode.
- In the Duo Mobile app on your phone, tap Show, which displays a six-digit passcode.
- In the Enter your passcode page, enter the six-digit passcode from the Duo Mobile app and then select Verify.
Duo Mobile app passcodes are valid until they are used or refreshed.
More Questions?
If you have questions this article did not answer, create an IT Support ticket or contact the Service Desk at 520-206-4900.