Multifactor Authentication (Duo)
Additional login security for certain digital services
Multifactor Authentication is a way to add additional security when accessing sites with critical data. It is a similar system to logging on to many other secure websites, such as online banking.
You will be challenged via a different device than your computer - such as your mobile phone - to confirm it is really you that is logging in before being granted access.
SCU has teamed up with Duo Security to provide the secondary authentication challenge. When enabled on a particular digital service, you will log in as usual with your SCU Username and password, but then will need to respond to a challenge. In just about every case, this will be to click a "Yes" button on your personal mobile phone, which has the Duo Mobile app installed on it.
Before you can access any digital service protected with Multifactor Authentication, you will need to register a device or two with Duo.
Note that not everyone at SCU will have access to multifactor authentication just yet. If you are configured to access one of the protected applications, only then will you will also be configured to have access to Duo.
Preparing for Multifactor Authentication
We’ve made it easy to set yourself up in Duo, by providing a Tile in the MySCU portal.
1. Log into the MySCU Portal and click on the tile Setup Multifactor Authentication.
Not everyone is licensed for Multifactor Authentication. If you do not see this Tile in your MySCU Portal, you may not have any applications that require Multifactor Authentication yet. If you believe this to be an error, contact the Technology Help Desk for assistance.
2. If you have not yet registered for Multifactor Authentication, you will be prompted to do so with the following screen. (If you hare already set up, see the section Managing your Registered Multifactor Devices below)
3. Install the Duo Security app on your device. Mobile phones are the recommended device, but tablets and Apple Watches are also supported. Links are provided for the App Store (for iOS) and Google Play (for Android).
4. After installing on your mobile device, return to the Setup Multifactor Authentication screen and click "Step 2: Set yourself up in Duo" to register yourself with Duo. This link is uniquely generated for you and has a time limit. If you click and it has expired, no problem - just go back to the MySCU Portal and click on the Setup Multifactor Authentication tile again to generate a new one.
The next screen you see is generated out of Duo Security, and will walk you through the process of linking your mobile device and Duo Security together.
5. When asked what device to set up, the best option is to go with the recommended option of a Mobile Phone.
Mobile phones are the most versatile device. They can be used with most of the different types of challenges Duo can use to confirm your identity, such as Duo Push (via the Duo Mobile app), passcodes, and callbacks. When selecting a Mobile phone, Duo will send you a text or call the phone to confirm it is yours during the setup process.
Duo will display a barcode on the screen that you scan using the Duo Mobile app on your phone, which will connect the app and your account. For this reason, it is best to use a PC to set up Duo, to allow you to scan the screen with your app.
6. Strongly consider registering a second device, so you can still access systems if your primary device is unavailable (such as your mobile phone being out of battery). You will need to return to MySCU and click the Setup Multifactor Authentication Tile. See the section Managing your Registered Multifactor Devices below for more information.
Using Multifactor Authentication
When you try to access a secure SCU digital service, you will first be prompted to enter your SCU Username and password into MySCU as normal. Before you can proceed further, a Challenge Screen will appear.
You can choose to be challenged by any of the options you have previously configured. If you have more than one device configured, select the one you want to use in the top dropdown bar before selecting an authentication method.
For just about every situation, the best challenge choice is a Duo Push. Select “Send Me a Push”, and the Duo Security app on your phone will open and ask if you should allow this logon.
Tap APPROVE on your phone, and the login will proceed automatically.
If you ever receive this screen unexpectedly, click DENY. Unless you click APPROVE, whoever is trying to log in as you will not be able to. This may indicate a security issue, and you should change your SCU Username's password as soon as possible!
If your selected device has been configured with a phone number, you can elect to receive a call. You will confirm the logon via the phone’s keypad in response to the voice prompt.
This option is not recommended as your primary challenge due to the cost it will incur SCU, but it is useful as a backup mechanism to, say, call a landline in case your mobile phone is out of charge.
There are several types of passcodes that can be entered to gain access. They are listed below.
- The Technology Help Desk may issue you a Bypass Code. This is a single-use code that will get you authenticated to Duo in an emergency, such as if you have lost your phone. You will need to prove your identity to the Help Desk in the same way as requesting a forgotten password change. Call the Technology Help Desk on 408 554 5700.
- From inside the Duo Mobile app, you can generate a single-use passcode by tapping on the Key icon. This code is useful for times when your phone might not have an Internet connection.
- You can have 10 single-use passcodes sent to you over SMS. The codes must be used in the order sent - Duo will give you a hint by providing the first digit of the code it expects you to use next. You can have 10 new codes sent to you from the Challenge Screen when you select the Passcode option.
Managing your Registered Multifactor Devices
You can add, modify or delete your devices in Duo via a Tile in the MySCU portal.
We recommend having at least one alternative device. This will let you still get in even if you have left your mobile phone at home, or it runs out of battery. For most people, setting your office phone as a Landline is a good option as a backup, but avoid using a Landline as your primary method as SCU incurs a financial cost for each phone call.
1. Log into the MySCU Portal and click on the Tile Setup Multifactor Authentication.
Not everyone is licensed for Multifactor Authentication. If you do not see this Tile in your MySCU Portal, you may not have access to any applications that require Multifactor Authentication. If you believe this to be an error, contact the Technology Help Desk for assistance.
2. If you are already registered for Multifactor Authentication, you will be challenged to prove who you are using a multifactor device - see the section on Using Multifactor Authentication above - and then presented with the My Settings and Devices screen. This is where you can change your device settings, delete old devices, and add new ones. (If you are not yet registered, you will see the initial setup screen; see the section on Preparing for Multifactor Authentication above.)
Options available on this front screen are to set the default behavior when you log in if you have more than one device selected, or add additional devices by clicking Add another device.
Device Options will allow you to rename, modify or delete devices you have previously configured. A key use of this button is to re-link the Duo Mobile app after upgrading your phone, for example.
When adding a device, there are pre-set categories you can choose. These are:
- Mobile phone
Mobile phones are the most versatile device. They are able to be used with Duo Push (via the Duo Mobile app), passcodes, and callbacks. Duo will send you a text or call the phone to confirm it is yours during the setup process. Duo will then display a barcode on the screen that you can scan using the Duo Mobile app to connect the app and your account.
Pro Tip: If you have a new phone but are keeping the same phone number, you only need to link to the new device's Duo Mobile app. Select the phone's Device Options and tap on Reactivate Duo Mobile, instead of adding the new phone as a completely new device.
A Tablet can be selected. It will not be able to receive calls or SMS passcodes, but will be able to use the Duo Mobile app.
Duo will display a barcode on the screen that you can scan using the Duo Mobile app.
Pro Tip: if you want to use your phone but only want to use the Duo Mobile app - and do not want to supply your phone number - just set it up as a Tablet. This is fully supported.
An option that will only be able to authenticate by receiving a confirmation phone call.
You will receive a call during setup to confirm it is your device. This option is not recommended due to the cost it will incur SCU every time you log in, but is suitable for a backup authentication method in case you cannot access your mobile phone.
- U2F Token
A U2F (Universal Two Factor) Token is a hardware token that can be inserted into a USB port. These tokens are for special use cases only at this time.
You can give each of your devices a short, memorable name when configuring it by clicking the Device Options button.
Can I see someone set this up?
We have created a video of the process of setting up Multifactor Authentication. You can find them on the How-To Videos webpages.
I don't have a smartphone, how do I use Duo?
The most convenient and easy way to authenticate is by tapping the query that pops up in the Duo Security mobile application. However, the app is currently only available for Apple devices (iPhone, iPad, Apple Watch), Android devices (phone, tablet), and Windows phones.
If you have a different phone - such as a Blackberry or a feature phone - you will not be able to take advantage of the Duo Mobile app.
There are two options available for people in this situation - use SMS passcodes, or receive a phone call confirmation. Receiving a phone call is not recommended (except as a backup-of-last resort) as it costs the University 20 times as much as using the SMS option.
This is the best option if your phone can receive SMS codes (such as feature phones). Enrol your device as a Mobile Phone, and when asked what type of phone it is, choose "Other".
Later, when you are logging in to a digital service and are challenged to authenticate, you can use or request a batch of SMS codes. Start from the Duo Challenge screen that appears on your computer when you are trying to access a protected digital service, that looks like the screen below. Click on the button that says
If you have passcodes, you can enter one to gain access now. Duo will tell you which one it expects next by giving the first digit (e.g., "Your next SMS passcode starts with 1"). Each SMS passcode can only be used once. Enter the passcode in the box and click "Log in" to complete authentication.
To receive 10 new passcodes, first click on "Enter a passcode" from the Challenge screen. Note the blue banner that appears at the bottom of the screen. Click on the box in the banner that says "Text me new codes". Your phone will be sent 10 SMS codes (each 7 digits long), to be used in order the next 10 times you are challenged by Duo. SMS codes do not expire.
Receive a Phone Call
If you have no mobile phone at all, or it cannot receive SMS, then register your device as a mobile (as above), or a landline. From the Duo Challenge screen that appears on your computer when you are trying to access a protected digital service, click the button Duo will call you on your registered phone number, and seek confirmation to allow you to log in.
This option is significantly more expensive than using Duo Mobile (free) or using SMS codes (20 times less than Call Me). Because of the cost incurred to the university, using Call Me should only be considered as an option of last resort.
I have a new phone, what do I do?
Duo associates you with your device in a few different ways. When you get a new phone, you will need to update Duo to know about your new device, and to forget about your old device.
Start by logging into the MySCU Portal and click on the Tile Setup Multifactor Authentication to access the My Devices and Settings screen.
If you cannot log in because you do not have access to any Duo-registered device, contact the Technology Help Desk for a Bypass Passcode to enable you to log in one time.
Once in My Devices and Settings, select the Device Options button next to the device you need to modify.
New handset, keeping the same phone number
If you are keeping the same phone number on your device, you do not need to edit the phone number to continue to receive SMS (passcodes) or Call Me authentication methods.
You will need to download the Duo Mobile app to the new handset. Ignore any offers from the app to restore old settings or recover backups - SCU do not use these functions.
On your PC screen, tap the Device Options button and then tap on Reactivate Duo Mobile.
Duo will display a barcode on the screen that you scan using the Duo Mobile app on your phone, which will connect the app and your account. Tap on the New Account symbol (the key symbol with a + next to it) in the app to start the camera scanner, and in a few seconds your new device and Duo will be linked.
Disposed (or gave away) the handset
It is important to disassociate your account from any device you no longer have in your possession. Simply tap the Device Options button next to the device you no longer use, and then tap on the red Trashcan icon.
You do not have to do anything to the handset after removing the device from Duo in this way, and no information is stored on the handset.
Make sure you add a new device to Duo so you still have some way of authenticating. If you have no use for Duo anymore, please let us know to remove your account entirely by contacting the Technical Help Desk.