
Two-Step (Multifactor) Authentication in SLAC: User Guide - Duo/YubiKey


Introduction

In response to escalating cybersecurity threats and Memorandum M-22-09, issued on January 26, 2022, phishing-resistant multi-factor authentication (MFA) is now required for login on all SLAC-owned Windows, macOS, and Linux endpoints, as well as most applications used at SLAC.

Multi-factor authentication (MFA) significantly strengthens account security by requiring additional verification beyond traditional username and password credentials. However, the effectiveness of MFA hinges on its resilience against sophisticated phishing schemes. Despite providing an additional layer of protection, many MFA methods remain vulnerable to advanced phishing attacks that exploit user trust and interaction. SLAC has chosen YubiKeys as a phishing-resistant MFA solution, offering unparalleled security and usability compared to traditional methods like SMS or authentication apps. Some SLAC personnel have more than one computing account, all of which will need some form of MFA, either Duo, YubiKey, or a PIV (Personal Identity Verification) smart card.

Getting Started with Two-Step Authentication

Two-step authentication combines two independent kinds of credentials, usually consisting of something you know (e.g., a username and password) and something you possess, such as the Duo smartphone app or a hardware security token. Verifying your identity using a second step (sometimes called a second factor) makes it significantly more difficult for anyone but you to use your credentials, even if they discover your password.

SLAC uses Duo for two-step authentication, which supports many common second factor methods - including YubiKeys as one-time password devices (OTP) and FIDO2/Webauthn devices, and the Duo Mobile app for push notifications and OTP. General information about the Duo app and pointers to specific help pages for various smartphones are available from Duo at Duo Guide. Note that not all second factor options provided by Duo are available at SLAC due to site-wide security policies and vulnerability to phishing.

YubiKeys

Overview

The YubiKey is a small device connected to your computer's USB/USB-C port. YubiKeys make two-factor authentication (2FA) as simple as possible. Many apps, online services, and computers enforce 2FA every time a user wants to connect. Instead of a code being texted to you or generated by an authenticator app, you press a button on your YubiKey, and you're logged in.

You can find more information about YubiKeys at SLAC in this knowledge base article Two-factor authentication with YubiKey.

Benefits

YubiKeys offer a robust second-factor authentication solution that is phishing-resistant, bolstering the existing username and password credentials with an additional layer of security. We encourage users to select this method.

  • Convenience. Unlike SMS, email, and authentication apps that require manually entering or copying and pasting a code, YubiKey simplifies the process. You just press a button on the device connected to your computer to authenticate.
  • Enhanced Security with Longer Codes. Traditional 2FA methods typically send a six-digit code, which is manageable for users to enter. YubiKey, however, doesn't require manual code entry, allowing it to use much longer and more secure codes.
  • Easy Migration. If you get a new computer, simply unplug your YubiKey from the old device and plug it into the new one. You'll retain access to all your apps as before. Additionally, a single YubiKey can be used to log into multiple computers.
  • Strong Resistance to Hacking. Email and SMS are relatively easy for hackers to compromise. However, it's exceedingly difficult—nearly impossible with current technology—to replicate the codes generated by a unique hardware device like a YubiKey.

Obtaining a YubiKey

Custodians of SLAC-owned computers can request a YubiKey in the IT marketplace: YubiKey request.

Smartphones via the Duo App

Duo provides a mobile application for popular mobile platforms that uses push notifications. This is a convenient multifactor method because most people already carry a mobile device every day. A push notification may be supplemented by a short code that you must transfer from the login page to your mobile app to verify the push; this protects against a push notification being approved as a result of phishing.

If you do not have a reliable Wi-Fi or cellular data connection to receive a push notification, the app has a passcode generator feature that works when a push is not available.

Download Duo Mobile app for iOS

Download Duo Mobile app for Android

Second Factor Device Compatibility

Some devices cannot be used in some situations due to limitations of the protocol used for connecting. The table below shows which factors can be used in which situations.

  Service                         YubiKey FIDO2/Webauthn   YubiKey OTP   Duo Mobile   PIV (Used instead of Duo)
  SLAC Web SSO                    Yes (*)                  Yes           Yes (*)      No
  VPN                             No                       Yes           Yes          No
  Windows/MacOS Endpoint Logon    No                       Yes           Yes          Yes
  Citrix                          No                       Yes           Yes          No
  SSH                             No                       Yes           Yes          No (Unless using Kerberos/PIV)

(*) Can also be used for Stanford Web SSO with separate registration

Setting up a Second Factor Device in Duo

To set up your YubiKey for FIDO2/Webauthn or the Duo Mobile app in SLAC Duo, browse to any website that requires SLAC single sign-on, for example SLAC Today or SLAC Microsoft 365. If you are adding a new device and have previously selected "Remember Me" in your browser, you will need to clear your cookies for the Duo site or start in incognito mode to be sure that you are presented with the Duo UI.

To set up your YubiKey for OTP, browse to the YubiKey Self-Service page. This page requires SLAC single sign-on to access, so if this is your first device, you will need to follow the instructions to register your YubiKey as a FIDO2/Webauthn device before continuing to OTP setup.

Setting up your First Device in Duo Self Service Portal (Webauthn/Duo Mobile)

If you do not have an existing device for SLAC Duo, you will be presented with a series of pages introducing Duo and its importance to safe computing. You can review and continue through these pages. When these are complete, you will be asked to choose which type of second-factor device to enroll; in that case, skip the next section.

Setting up an Additional Device in Duo Self Service Portal (Webauthn/Duo Mobile)

Step 1) You can access the Duo Self-Service Portal by selecting "Other options" in the dialog if Duo has already remembered a second factor preference for you. Select the "Manage Devices" option that appears at the end of the list of your registered devices. You will be asked to verify your authentication with a strong MFA option before proceeding.

Step 2) You will be presented with a portal to manage your devices. Select the tile to add a new multifactor device:

Setting up a YubiKey for FIDO2/Webauthn in Duo Self Service Portal

Note: You can also configure a SLAC YubiKey for FIDO2/Webauthn in Stanford's Duo at Stanford's Duo Central portal. This portal is similar to SLAC Duo, so you can follow the same instructions after selecting "Add a device".

Note: Some SLAC YubiKeys with serial numbers before 27092000 have been issued with the "FIDO2" interface disabled. If this interface is disabled, you will likely get an error like "Couldn't register device. Registration was canceled or took too long." This interface can be enabled in YubiKey Manager from Yubico. Contact the Service Desk if you need assistance.

After navigating through Duo to the UI to add a device, you will be presented with a dialog to choose a multi-factor device to enroll. Select "Security Key".

Complete the steps to set up FIDO2/Webauthn. The exact sequence will vary by browser, but you will see dialogs asking you to allow Duo to see information about your YubiKey and you will be requested to touch your YubiKey to complete the registration.
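The registration and login steps above depend on the browser, but the reason a Security Key is phishing-resistant (as the Introduction states) is the same in every browser: the browser itself writes the page's origin into the clientDataJSON, the YubiKey signs a hash of that data, and the server rejects any response whose origin is not its own. The following is an added illustration of the server-side check, written for this guide; it is not Duo's or SLAC's code, and the hostnames are placeholders rather than real SLAC or Duo hosts.

```python
"""Relying-party check of WebAuthn clientDataJSON (added example).

Not Duo's or SLAC's code. It shows why the "Security Key" (FIDO2/Webauthn)
method is phishing-resistant: the browser, not the user, records the page's
origin in clientDataJSON, the authenticator signs a hash of it, and the
server refuses anything whose origin is not its own. The hostnames below
are placeholders, not real SLAC or Duo hosts.
"""
import base64
import hashlib
import json
import secrets

# Origins this hypothetical relying party accepts (placeholder hostname).
ALLOWED_ORIGINS = {"https://login.example.org"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_challenge() -> str:
    """Server-generated, single-use random challenge sent to the browser."""
    return b64url_encode(secrets.token_bytes(32))


def make_client_data(origin: str, challenge: str, kind: str = "webauthn.get") -> str:
    """Build what a browser produces for a page loaded from `origin`.

    Constructed for this example. In a real ceremony the browser fills in
    the origin itself and page script cannot change it.
    """
    body = {"type": kind, "challenge": challenge, "origin": origin}
    return b64url_encode(json.dumps(body).encode())


def verify_client_data(client_data_b64: str, expected_challenge: str,
                       expected_type: str = "webauthn.get") -> tuple[bool, str]:
    """Checks the relying party performs before it trusts the signature."""
    try:
        data = json.loads(b64url_decode(client_data_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "clientDataJSON is not valid base64url JSON"
    if data.get("type") != expected_type:
        return False, "unexpected ceremony type"
    if not secrets.compare_digest(str(data.get("challenge", "")), expected_challenge):
        return False, "challenge does not match the one issued"
    if data.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {data.get('origin')!r} is not this relying party"
    return True, "ok"


def client_data_hash(client_data_b64: str) -> bytes:
    """The value the authenticator signs (together with authenticatorData)."""
    return hashlib.sha256(b64url_decode(client_data_b64)).digest()


if __name__ == "__main__":
    ch = new_challenge()
    # Genuine site: accepted.
    print(verify_client_data(make_client_data("https://login.example.org", ch), ch))
    # Lookalike site relaying the same challenge: rejected on origin alone.
    print(verify_client_data(make_client_data("https://lookalike.example.net", ch), ch))
```

The origin comparison is the step that an OTP or push prompt cannot perform: a one-time code typed into a lookalike page is valid wherever it is relayed, whereas a Security Key signature over the wrong origin fails the check above before any key material is examined.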

Setting up Duo Mobile in Duo Self Service Portal

Note: You can also configure your Duo Mobile app in Stanford's Duo at Stanford's Duo Central portal. This portal is similar to SLAC Duo, so you can follow the same instructions after selecting "Add a device".

After navigating through Duo to the UI to add a device, you will be presented with a dialog to choose a multi-factor device to enroll. Select "Duo Mobile".

You will then be prompted to send a link to your phone to download the Duo Mobile application. If you select "I have a tablet," you will receive a dialog message instead of a text message to a phone.

Once you proceed, you will be given a QR code to complete your account configuration.

To complete the setup, you will be asked to respond to a push notification.

Setting up YubiKey OTP in SLAC YubiKey Self Service

Due to technical limitations, Duo does not provide a UI for managing YubiKeys as OTP devices, so SLAC-issued YubiKeys used as OTP hardware tokens are managed through an alternate UI: the YubiKey Self-Service page.

You will be asked to authenticate through WebSSO, so you may need to follow the steps to register your YubiKey for FIDO2/Webauthn (above) before you can access this page.

The main page allows you to see and manage any YubiKeys that are already registered to your account. Click either the "Register a new YubiKey" button or select "Register" from the menu to add a new YubiKey.

On the "Register" page, you can either

  • Locate and enter the YubiKey serial number from the case of the YubiKey (illustration provided) and click "Register YubiKey".
  • Tap the YubiKey to generate an OTP; the application will find your serial number from the OTP code.


Accessing Protected Services after Enrolling in Duo.

SLAC Web Sites (Single Sign-On)

After entering your username and password, you will be presented with the Duo Universal Prompt. This interface is a website operated by Duo for you to interact with the Duo second factor system. If you have authenticated with Duo in the past, the web page will remember your selection of how you want to authenticate and will use the same method again. The images below show a typical Duo Push and YubiKey passcode dialog - other methods will have their own dialogs.

"Remember me" allows you to skip the Duo second factor for 30 days on the same device and browser (it sets a cookie).

You can select "Other Options" to change your authentication method selection or access the Duo self-service portal as shown below.

  • "Security Key" selects a FIDO2/Webauthn device (YubiKey in Webauthn mode)
  • "Duo Push" will send a Push notification to a configured device
  • "YubiKey Passcode" will allow you to enter a code from any configured YubiKey by tapping the device
  • "Duo Mobile Passcode" will allow you to enter a code from a configured Duo Mobile app
  • "Hardware Token", "Text message passcode", and "Bypass code" are only used in special cases
  • "Manage devices" will access the Duo Self-service portal if you want to manage or add devices. See the section above "Setting up a Second Factor Device in Duo" for details. You can also re-activate a mobile device from this interface. Note that YubiKey devices cannot be configured as OTP devices (YubiKey passcode) from the Duo Self-Service portal

SLAC MacOS and Windows Endpoints.

The image shown represents the Windows Duo client user interface; the macOS interface is similar. For macOS details, see Logging in with Duo on macOS.

During Windows or macOS logons, after submitting your username and password, you will be presented with a dialog to choose a multifactor method.

If you’re using the Duo smartphone app and you’ve selected the automatic “push” option, your phone will automatically present you with a Duo challenge asking you to confirm your login. If you want to use an alternate method, click the button to cancel the automatic push.

  • On managed Windows devices, use the "Duo AutoPush - Enable/Disable" option in Software Center to enable or disable automatic push.
  • On managed macOS devices, use the "Enable/Disable DUO Auto Push" option in Self Service to enable or disable automatic push.

If you have multiple phones registered in SLAC Duo, you can use the Device dropdown to choose which one will be used by the rest of the interface - you do not have to choose the correct device if entering a passcode.

"Remember me" allows you to bypass the Duo second factor for the remainder of your logon session or 12 hours, whichever is shorter. This option only appears when logging in at the computer.

  • You can send a Duo Push by pressing "Send Push".
  • If you have a voice phone option configured (very rare and not considered secure), it can be accessed with "Call Me".
  • If you select "Enter a passcode", you will be given a dialog box that will accept a passcode from any Duo Mobile app or YubiKey that you have registered.

Screenshot of the Duo screen on your smartphone app

Note: If you do not respond to a push or otherwise interact with the dialog, your login will eventually be cancelled. Some older versions of the Duo client will temporarily disable your machine when this happens.

FAQ: Duo for logging into desktop machines

Other Protected Services.

SSH (Using two-step authentication with Linux services) and AnyConnect VPN (Using two-step authentication with AnyConnect VPN)

These services use a text-based dialog to request the second factor. Your applicable registered methods will be listed as options, or you can enter a passcode from a YubiKey or the Duo App instead of selecting an option.

Duo two-factor login for joeuser

Enter a passcode or select one of the following options:

  1. Duo Push to XXX-XXX-1234
  2. SMS passcodes to XXX-XXX-1234

Passcode or option (1-2):

Citrix (Citrix at SLAC User Guide)

Citrix currently retains the legacy web UI, which is similar to the endpoint user interface; this will change to the Universal web UI later in 2024. As with endpoint logons, after submitting your username and password, you will be presented with a dialog to choose a multifactor method. The passcode option will accept a code from the Duo Mobile app or a YubiKey.

Screenshot of the Duo screen on your smartphone app

Getting a Passcode from the Duo Mobile app.

On rare occasions, "push" may fail because of network or server problems. Similarly, you may find yourself in an area without Wi-Fi or cell coverage. In such circumstances (or at any other time) you may obtain a passcode directly from your Duo app.

  1. Open the Duo app on your smartphone.
  2. Tap “Show” near the Passcode field for your SLAC account.
  3. Note the 6-digit passcode and enter it into the passcode prompt for the service you are trying to access.

Screenshot of the Duo screen on your smartphone showing the Account

The SLAC Duo FAQ document has other suggestions if you're having trouble receiving pushes.

Adding, Changing, Removing, or Reactivating a Device

Refer to the "Setting up a Second Factor Device in Duo" sections for information on accessing the Duo Self Service portal or the SLAC YubiKey Self-Service portal. These portals will also show all your registered devices and provide options to edit or reactivate as applicable.

Duo Self Service (YubiKey FIDO2/Webauthn or Duo Mobile)

Most devices will only have the option to change the "Friendly name" or delete the device from your account. For Duo Mobile, you also have the option to reactivate the device if you have moved your number to a new phone.

SLAC YubiKey Self-Service (YubiKey OTP)

From the home page, you can select to manage existing YubiKeys. You have the option to remove the YubiKey (this can also be done in Duo Self Service) or to map the same key to other accounts that you own that are also known to Duo. To add or remove another account, change the appropriate checkbox(es) and click "Update".

Downloading (installing) or Manually Updating Duo Agent for Protecting SLAC Endpoints

Windows

Important: once the Duo agent is installed on the machine, every account that tries to log in to this computer will receive a Duo prompt unless the account is exempt from the Duo challenge. Make sure all the accounts you use or might use on this computer are enrolled in Duo. More details can be found in the Duo FAQ article.

  • Make sure the machine is plugged into power and connected to the network.
  • Click the “Start" menu (the window icon in the bottom left corner of the desktop).
  • Start to type “Software Center”. Click the "Software Center" tile when it pops up.

Screenshot of the Software Center

  • Once in Software Center, select "Applications" on the left navigation column.
  • Double click on Duo agent icon.

screenshot of the Duo agent icon

  • Click the "Install" button.

MacOS

Important: once the Duo agent is installed on the machine, every account that tries to log in to this computer will receive a Duo prompt unless the account is exempt from the Duo challenge. Make sure all the accounts you use or might use on this computer are enrolled in Duo. More details can be found in the Duo FAQ article.

The Mac: Self Service Knowledge Base article describes the process of installing software on Mac computers. Find the Self Service icon either in your dock or in the Applications folder of your SLAC-managed Mac by looking for the icon below:

Once you have logged in to Self Service, find the Duo agent icon and click the Install button under it. If you already have it, the button will read Reinstall, as in the screenshot below; there is no need to click the button in this case, just close Self Service.

screenshot of the Duo logon Reinstall


More Help?

The IT Service Desk can assist if you have any problems with this process. Call (650) 926-4357, visit the lobby of Building 50, or submit a ServiceNow ticket.

  • KB0010230 - FAQ: Two-step authentication with Duo at SLAC
  • KB0010831 - Two-Factor Authentication with YubiKey
  • KB0010426 - FAQ: Duo for logging into desktop machines
  • KB0010509 - Logging in With DUO On macOS
  • KB0010228 - Using two-step authentication with Linux services