SLAC Duo two-step authentication user guide

The DOE and all other major federal departments have received mandates to implement heightened security across their systems and networks. In 2016, Duo multi-factor authentication was introduced at the lab to increase the security of devices and data on the SLAC network. Initially, this was required for those who had access to moderate-level data and to protect sensitive information. Over the years, the list of covered services has been expanded to include many SLAC and Stanford applications and more recently to include access to the desktop on SLAC endpoints.

Some SLAC people have more than one computing account. All of those accounts will need some form of multi-factor authentication, either Duo or a PIV (Personal Identity Verification) smartcard. 

Getting started with Duo two-step authentication.

Two-step authentication combines two independent kinds of credentials, usually consisting of something you know (e.g., a username and password) and something you possess: either the Duo smartphone app or a hardware security token. Verifying your identity using a second step (sometimes called a second factor) makes it much more difficult for anyone but you to use your credentials, even if they discover your password.

General information about the Duo app, and pointers to specific help pages for various smartphones, are available from Duo at https://guide.duo.com/. Note that not all options are available at SLAC, because of site-wide security policies.

Smartphones via the Duo App

The Duo smartphone app is the most convenient way to use Duo multifactor. We encourage users to select this method. Even if you do not have a reliable Wi-Fi or cell data connection at all times, the app has a passcode generator feature that will work when a push is not available.

Download Duo Mobile app for iOS

Download Duo Mobile app for Android

The next section shows you how to set up the application for SLAC Duo.

YubiKey

If you are a SLAC affiliate and do not have a smartphone, or do not wish to use your personal phone for the Duo app, SLAC IT can provide you with a YubiKey. A YubiKey is a small device which is connected to the USB or USB-C port of the computer. 

The section "Obtaining a YubiKey" below explains how to get a YubiKey.

Setting up Duo to work with your smartphone.

Setting up a device in Duo Self Service Portal

To enroll your smartphone in SLAC Duo, browse to any website that requires SLAC single sign-on. If you have already completed a Duo MFA in your browser and selected "Remember Me", you will want to use a private browser session or clear your cookies to ensure that the Duo multifactor page is loaded.

If you do not have an existing device for SLAC Duo, you will be presented with a series of pages introducing Duo and its importance to safe computing. You can review and continue through these pages.

If you already have one or more existing multi-factor devices:

Step 1) You can access the Duo Self-Service Portal by selecting "Other options" in the dialog, then selecting the "Manage Devices" option at the end of the list of your registered devices. You will be asked to verify your authentication with a strong MFA option before proceeding.

Step 2) You will be presented with a portal to manage your devices. Select the tile to add a new multifactor device:

 

In both cases, you will then be presented with a dialog to choose a multi-factor device to enroll. Select Duo Mobile.

You will then be prompted to send a link to your phone to get the Duo Mobile application. If you select "I have a tablet" you will get a dialog message instead of a text message to a phone.

Once you proceed, you will be given a QR code to complete the configuration of your account.

To complete the setup, you will be asked to respond to a push notification.

 

Setting up a device using the Legacy Duo Prompt (This interface is no longer supported by Duo)

To enroll your smartphone in SLAC Duo, head over to this site: https://twostep.slac.stanford.edu 

Make note of this URL, since it can also be used later to add additional devices, or to modify your settings. 

The first page provides some orienting information. Review this, and then click the big button.

Screenshot of the Duo first page, titled "Protect Your SLAC Account"

Starting with the next page, you can just follow the prompts on the screen. Here’s what to expect, if you'd like a preview.

  1. Provide the number of your smartphone.

Choose the “Mobile phone” option.

Screenshot of the Duo screen titled "What type of device are you adding?"

Then you’ll be prompted for your smartphone or device number, so Duo knows who it’s talking to.

Screenshot of the Duo screen titled "Enter your phone number"

You will need to confirm that the number is correct, and click the green Continue button.

  2. Obtain the Duo smartphone app.

On the next screen, select your phone type.

Screenshot of the Duo screen titled "What type of phone is?"

If you don't have a smartphone...

    • You can still receive SMS text messages with passcodes, though these are less secure than a Push. Select "Other (and cell phones)".
      • When you're done enrolling, be sure to see the section on "Accessing protected services", below, since it's not immediately obvious how to get the SMS codes sent.
    • Alternatively, if necessary, SLAC affiliates can request a YubiKey. See "Obtaining a YubiKey" below.

If you select a smartphone...

    • If you don’t already have it, you’ll be prompted to download the Duo smartphone app for iOS or Android.
    • If you have already installed the Duo app, skip to step 4, since multiple accounts can exist on the same Duo app. No need to download the app again.

Screenshot of the Duo screen titled "Install Duo Mobile for iOS"

  3. Scan the QR code or click the link.

The last step is “activating” the connection between your account and the Duo app. The easiest way to do this is to scan the barcode with the Duo app, as instructed.

(NOTE: The below is just a sample. You will have your own personally generated code from the app. If you need to reactivate it in Duo, contact IT Service Desk or call (650) 926-4357 to have it reactivated.)

Screenshot of the Duo screen titled "Activate Duo Mobile for iOS"

You’ll get a notification on your smartphone app that you’ll need to acknowledge.

  4. Optionally set up automated Duo Push.

The next screen lets you optionally select an automated “push” of notifications, meaning you’ll only need to push a confirmation button in the app whenever you’re challenged for your second-step authentication. It’s recommended, since it eliminates a few clicks (and the chore of reading small numbers and then typing them) from the login ritual.

Screenshot of the Duo screen titled "My Settings & Devices"

In the “Default Device” dropdown menu, select your mobile OS instead of the phone number. From the “When I log in” dropdown menu, select “Automatically send this device a Duo Push”, and click “Continue to Login” to receive the first Duo push on the application.

Screenshot of the Duo screen titled "My Settings & Devices", highlighting the iOS options

Continue with "Accessing protected services", below.

Obtaining a YubiKey

SLAC affiliates who don’t have a smartphone, or do not wish to use one, must request a YubiKey to use as the second authentication step.

Submit the following information via a Service Desk ticket or call Service Desk at (650) 926-4357:

  1. In the short description field, enter “Two Step enrollment - token/YubiKey request”. Please also provide your username.
  2. The description field is optional.
  3. When the token is configured for you, you will be notified by a Service Desk technician and instructed how to pick up your YubiKey. There is no “activation” step; your token is ready to use.

Accessing protected services after enrolling in Duo.

SLAC web sites (Single Sign-On and ERP)

After entering your username and password, you will be presented with the Duo Universal Prompt. This interface is a website operated by Duo for you to interact with the Duo second factor system. If you have authenticated with Duo in the past, the web page will remember your selection of how you want to authenticate and will use the same method again. The images below show a typical Duo Push and YubiKey passcode dialog - other methods will have their own dialogs.

"Remember me" allows you to pass the Duo second factor for 30 days on the same device/browser (it sets a cookie).

You can select "Other Options" to change your authentication method selection. On SLAC Single Sign-On, the Duo Self-service portal can also be accessed from the options list if you want to manage or add devices. See the section above "Setting up Duo to work with your smartphone."

SLAC macOS and Windows endpoints.

The image shown represents the Windows Duo Client user interface; the macOS interface is similar. For macOS details, see Logging in with Duo on macOS.

During Windows or macOS logons, after submitting your username and password, you will be presented with a dialog to choose a multifactor method.

If you’re using the Duo smartphone app, and you’ve selected the automatic “push” option, your phone will automatically present you with a Duo challenge, requesting you to confirm your login. If you want to use an alternate method, click the button to cancel the automatic push. On managed Windows devices, you can use the "Duo AutoPush" options in Software Center to enable or disable automatic push.

If you have multiple phones registered in SLAC Duo, you can use the Device dropdown to choose which one will be used by the rest of the interface - you do not have to choose the correct device if entering a passcode.

"Remember me" allows you to bypass the Duo second factor for the remainder of your logon session or 12 hours, whichever is shorter. This option only appears when logging in at the computer.

  • You can send a Duo Push by pressing "Send Push".
  • If you have a voice phone option configured (very rare and not considered secure), it can be accessed with "Call Me".
  • If you select "Enter a passcode", you will be given a dialog box that will accept a passcode from any Duo Mobile app or YubiKey that you have registered.

 

Screenshot of the Duo screen on your smartphone app

Note: If you do not respond to a push or otherwise interact with the dialog, your login will eventually be cancelled. Some older versions of the Duo client will temporarily disable your machine when this happens.

FAQ: Duo for logging into desktop machines

Other protected services.

SSH (see Using two-step authentication with Linux services) and AnyConnect VPN (see Using two-step authentication with AnyConnect VPN)

These services use a text-based dialog to request the second factor. Your applicable registered methods will be listed as options, or you can enter a passcode from a YubiKey or the Duo App instead of selecting an option.

Duo two-factor login for joeuser

Enter a passcode or select one of the following options:

  1. Duo Push to XXX-XXX-1234
  2. SMS passcodes to XXX-XXX-1234

Passcode or option (1-2):

Citrix (see Citrix at SLAC User Guide)

Citrix retains the legacy web UI, which is similar to the endpoint user interface at this time. This will change to the Universal web UI later in 2024. As with endpoint logons, after submitting your username and password, you will be presented with a dialog to choose a multifactor method. The passcode option will accept a code from the Duo Mobile app or a YubiKey.

Screenshot of the Duo screen on your smartphone app

Getting a Passcode from the Duo Mobile app.

On rare occasions, "push" may fail, either because of network problems or server problems. Similarly, you may find yourself in an area without Wi-Fi or cell coverage.  In such circumstances (or any other time) you may obtain a passcode directly from your Duo app. 

  1. Open the Duo app on your smartphone.
  2. Tap on the “Show” near the Passcode field for your SLAC account.
  3. Note the 6-digit passcode and enter it into the passcode prompt for the service you are trying to access.

Screenshot of the Duo screen in your smartphone showing Account

 The SLAC Duo FAQ document has other suggestions if you're having trouble receiving pushes.

 

Adding, changing, removing, or reactivating a device

Refer to the "Setting up Duo to work with your smartphone." or "Accessing protected services after enrolling in Duo." sections for information on how to access the Duo Self-service portal. This portal will show all of your registered devices and provide options to edit or reactivate as applicable.

 

Downloading (installing) or manually updating Duo agent for protecting SLAC endpoints

Windows

Important: once the Duo agent is installed on the machine, every account that tries to log in to this computer will receive a Duo prompt unless the account is exempt from the Duo challenge. Make sure all the accounts you use or might use on this computer are enrolled in Duo. More details can be found in the Duo FAQ article.

  • Make sure the machine is plugged into power and connected to the network.
  • Click the "Start" menu (the window icon in the bottom left corner of the desktop).
  • Start to type “Software Center”. Click the "Software Center" tile when it pops up.

Screenshot of the Software Center

  • Once in Software Center, select "Applications" on the left navigation column.
  • Double-click the Duo agent icon.

screenshot of the Duo agent icon

  • Click the "Install" button.

macOS

Important: once the Duo agent is installed on the machine, every account that tries to log in to this computer will receive a Duo prompt unless the account is exempt from the Duo challenge. Make sure all the accounts you use or might use on this computer are enrolled in Duo. More details can be found in the Duo FAQ article.

The Mac: Self Service Knowledge Base article describes the process of installing software on Mac computers. Find the Self Service icon either in your dock or in the Applications folder of your SLAC managed Mac by looking for the icon below:

Once you have logged in to Self Service, find the Duo agent icon and click the Install button under it. If you already have it, the button will read Reinstall, as in the screenshot below; in this case there is no need to click the button, just close Self Service.

screenshot of the Duo logon Reinstall

 

More help?

The IT Service Desk can assist if you have any problems with this process. Call (650) 926-4357, visit the lobby of Building 50, or enter a ServiceNow ticket.

In particular, the FAQ: Two-step authentication with Duo at SLAC has important additional information about managing your Duo devices and other topics.