SLAC Duo two-step authentication user guide

The DOE and all other major federal departments received a mandate to implement heightened security across their systems and networks. In 2016, Duo multi-factor authentication was introduced at the lab to increase the security of devices and data on the SLAC network. Initially, this was required for those who had access to moderate-level data and to protect sensitive information. Over the years, it has been expanded to SLAC and Stanford applications such as Stanford Access, PeopleSoft, Outlook Web Access, remote access to the SLAC network via VPN or Citrix, and the list keeps expanding.

In line with industry best practices and the heightened security requirements outlined in the recent Executive Order, Duo multi-factor authentication will now be required on all Windows, MacOS and Linux endpoints. The rollout starts in March 2022 with Mission Support directorates, and by the end of the 2022 calendar year it will be rolled out to all remaining centrally managed computers.

Some SLAC people have more than one computing account. All of those accounts will need some form of multi-factor authentication, either Duo or PIV / PIV-I. 

Getting started with two-step authentication

Two-step authentication combines two independent kinds of credentials:  something you know (e.g., a username and password), and something you possess - either a smartphone app or a security token. Verifying your identity using a second step (sometimes called a second factor) prevents anyone but you from logging in, even if they know your password. 

Smartphones via the Duo App

The Duo smartphone app is the most secure approach, and by far the most convenient. We encourage users to select this method. Even if your WiFi or cell data connection is not very reliable, the app has a passcode generator feature that will work.

Download Duo Mobile app for iOS

Download Duo Mobile app for Android

Section 2 below shows you how to set up the application.

Security Tokens

If you do not have a smartphone, or do not wish to use one, SLAC Computing can provide you with a security token. This is a small device which displays an ever-changing numeric code. The device will be uniquely identified to you and your account. You’ll need to keep it within reach whenever you wish to access your account. There is no charge for the token; however, if you lose your token or require a replacement, a $25 charge will apply.

Yubikey

A Yubikey is a small device that plugs into the USB or USB-C port of the computer. More information about Yubikeys and how to request them can be found in this Knowledge Base article.

Section 3 below explains how to get a token, and what to do with it. 

A word about international travel

The best solution for international travelers is the Duo app on your smartphone.  Even if you don't have WiFi or a cell data connection, the app has a passcode generator feature that will work (see below).   Use of a security token is also a possibility, but it is less secure than the app, and is not encouraged for any smartphone owners.  

Setting up Duo to work with your smartphone

To enroll your smartphone in SLAC Duo, head over to this site: https://twostep.slac.stanford.edu 

Make note of this URL, since it can be used later to add additional devices, or to modify your settings. 

The first page provides some orienting information. Review this, and then click the big button.

Starting with the next page, you can just follow the prompts on the screen. Here’s what to expect, if you'd like a preview.

  1. Provide the number of your smartphone

Choose the “Mobile phone” option (note that Security Key is for Service Desk technicians' use only).

Then you’ll be prompted for your smartphone or device number, so Duo knows who it’s talking to.

You will need to confirm that the number is correct, and click the green Continue button.

  2. Obtain the Duo smartphone app

On the next screen select your phone type.

If you don't have a smartphone...

    • You can still receive SMS text messages with passcodes. Select "Other (and cell phones)"
    • When you're done enrolling, be sure to see the section on "Accessing protected services", below, since it's not immediately obvious how to get the SMS codes sent.
    • Alternatively, if necessary, you can request a "security token" or a “yubikey”. See section 3 below, "Obtaining a security token".

 If you select a smartphone...

    • If you don’t already have it, you’ll be prompted to download the Duo smartphone app for iOS or Android.
    • If you access the Stanford Axess HR system, you may have already installed the Duo app. If so, Duo will recognize your phone number, and you can skip to step 4, since multiple accounts can exist on the same Duo app. No need to download the app again.

  3. Scan the QR code, or click the link

The last step is “activating” the connection between your account and the Duo app. The easiest way to do this is to scan the barcode with the Duo app, as instructed.

(NOTE: The below is just a sample. You will have your own personally generated code from the app. If you need to reactivate it in DUO, contact IT Service Desk or call (650) 926-4357 to have it reactivated.)

You’ll get a notification on your smartphone app that you’ll need to acknowledge.

  4. Optionally set up automated Duo Push

The next screen lets you optionally select an automated “push” of notifications, meaning you’ll only need to push a confirmation button in the app whenever you’re challenged for your second-step authentication. It’s recommended, since it eliminates a few clicks (and the chore of reading small numbers and then typing them) from the login ritual.

In the “Default Device” dropdown menu, select your mobile OS instead of the phone number. From the “When I log in” dropdown menu, select “Automatically send this device a Duo Push”, and click “Continue to Login” to receive the first Duo push on the application.

Continue with "Accessing protected services", below.

Obtaining a security token or Yubikey

If you don’t have a smartphone, or do not wish to use one, you must request a physical security token or a Yubikey to use as the second authentication step.  

Submit the following information via a Service Desk ticket or call Service Desk at (650) 926-4357:

  1. In the short description field enter “Two Step enrollment - token/yubikey request”.  Please also provide your user name.
  2. The description field is optional. 
  3. When the token is configured for you, you will be notified by a Service Desk technician and instructed how to pick up your token or Yubikey. There is no “activation” step; your token is ready to use.

Accessing protected services

When you log into two-step protected services, such as Outlook Web Access for web mail, after providing your username and password, one of two things will happen.

Please note that the following example shows the Duo prompts for a browser-based web application, like webmail. The format of the prompts and the options provided may vary by host type and account type. For example, if you are using SSH to reach a Unix host, the host will display your options as text in a terminal screen. Web applications are probably the place where you'll most frequently encounter a Duo two-step authentication prompt. See Section 5, below, for other possibilities.

If you're using the Duo smartphone app...

  • If you’re using the Duo smartphone app, and you’ve selected the automatic “push” option, your phone will automatically present you with a dialog box, requesting you to confirm your login. If you didn’t select automatic push, the host will prompt you to send a notification to your smartphone:

  • On your computer screen, you'll see the "Authenticating..." progress box. On your smartphone, just click “confirm” in the Duo pop-up window (the actual format varies by smartphone type). You’ll then gain access to the host. If you do not accept or reject the push notification on your smartphone within a certain amount of time, another dialog box will appear. Just try again.

If you're using a security token...

  • If you are a token user, press the button on the token, and then note the passcode displayed on the token. Enter that code into the "Duo Security" dialog passcode box. The code is time-limited, and will expire quickly. If this happens, simply get another passcode from the token. 

Using two-step authentication with other services

The way Duo prompts you to verify your identity is unique for several applications.  The links below take you to help documents for some specific applications.

If "Push" fails, or if you have no WiFi or cell coverage: Passcode

On rare occasions, "push" may fail, either because of network problems or server problems. Similarly, you may find yourself in an area without WiFi or cell coverage.  In this case, your phone won't be able to communicate with the Duo servers.  Do not despair!  The Duo app does not need cell network or WiFi access to function. In such circumstances (or any other time) you may obtain a passcode directly from your Duo app. 

  1. Open the Duo app on your smartphone.
  2. Tap “Show” near the Passcode field for your SLAC account.
  3. Note the 6-digit passcode, and enter it into the passcode prompt for the service you are trying to access.

In this mode, the Duo app behaves just like a physical token. 

The SLAC Duo FAQ document has other suggestions if you're having trouble receiving pushes.

Adding / removing a device, or changing a setting

Refer to the Duo Settings section of the Duo FAQ Knowledge Base article for instructions on adding a new device, removing an old device, and changing Duo automatic push settings.

Downloading (installing) or manually updating the Duo agent

Windows

Important: once the Duo agent is installed on the machine, every account that tries to log in to this computer will receive a Duo prompt unless the account is exempt from the Duo challenge. Make sure all the accounts you use or might use on this computer are enrolled in Duo. More details can be found in the Duo FAQ article.

  • Make sure the machine is plugged into power and connected to the network.
  • Click the “Start" menu (the window icon in the bottom left corner of the desktop).
  • Start to type “Software Center”. Click the "Software Center" tile when it pops up.

  • Once in Software Center, select "Applications" on the left navigation column.
  • Double-click the Duo agent icon.

  • Click the "Install" button.

MacOS

Important: once the Duo agent is installed on the machine, every account that tries to log in to this computer will receive a Duo prompt unless the account is exempt from the Duo challenge. Make sure all the accounts you use or might use on this computer are enrolled in Duo. More details can be found in the Duo FAQ article.

The Mac: Self Service Knowledge Base article describes the process of installing software on Mac computers. Find the Self Service icon either in your dock or in the Applications folder of your SLAC-managed Mac by looking for the icon below:

Once you have logged in to Self Service, find the Duo agent icon and click the Install button under it. If you already have the agent, the button will read Reinstall, as in the screenshot below; in this case there is no need to click the button, just close Self Service.

 

More help?

The IT Service Desk can assist if you have any problems with this process. Call (650) 926-4357, visit the lobby of Building 50, or enter a ServiceNow ticket.

In particular, the FAQ: Two-step authentication with Duo at SLAC has important additional information about managing your Duo devices and other topics.