
SLAC Duo two-step authentication user guide

The DOE and all other major federal departments received mandates to implement heightened security across their systems and networks. In 2016, Duo multi-factor authentication was introduced at the lab to increase the security of devices and data on the SLAC network. Initially, this was required for those who had access to moderate-level data and to protect sensitive information. Over the years, the list of covered services has been expanded to include many SLAC and Stanford applications and more recently to include access to the desktop on SLAC endpoints.

Some SLAC people have more than one computing account. All of those accounts will need some form of multi-factor authentication, either Duo or a PIV (Personal Identity Verification) smartcard. 

Getting started with two-step authentication

Two-step authentication combines two independent kinds of credentials, usually consisting of something you know (e.g., a username and password), and something you possess - either a smartphone app or a security token. Verifying your identity using a second step (sometimes called a second factor) makes it much more difficult for anyone but you to use your credentials, even if they discover your password.

Smartphones via the Duo App

The Duo smartphone app is the most convenient way to use Duo multi-factor authentication. We encourage users to select this method. Even if you do not have a reliable WiFi or cell data connection at all times, the app has a passcode generator feature that will work when a push is not available.

Download Duo Mobile app for iOS

Download Duo Mobile app for Android

Section 2 below shows you how to set up the application.

YubiKey

If you are a SLAC affiliate and do not have a smartphone, or do not wish to use one, SLAC Computing can provide you with a YubiKey.

It's a small device that plugs into the USB or USB-C port of the computer. More information about YubiKeys and how to request them can be found in this Knowledge Base article.

Section 3 below explains how to get a token, and what to do with it. 

Setting up Duo to work with your smartphone

To enroll your smartphone in SLAC Duo, head over to this site: https://twostep.slac.stanford.edu 

Make note of this URL, since it can also be used later to add additional devices, or to modify your settings. 

The first page provides some orienting information. Review this, and then click the big button.

Starting with the next page, you can just follow the prompts on the screen. Here’s what to expect, if you'd like a preview.

  1. Provide the number of your smartphone

Choose the “Mobile phone” option (note that Security Key is for Service Desk technicians' use only).

Then you’ll be prompted for your smartphone or device number, so Duo knows who it’s talking to.

You will need to confirm that the number is correct, and click the green Continue button.

  2. Obtain the Duo smartphone app

On the next screen select your phone type.

If you don't have a smartphone...

    • You can still receive SMS text messages with passcodes, though these are less secure than a Push. Select "Other (and cell phones)"
      • When you're done enrolling, be sure to see the section on "Accessing protected services", below, since it's not immediately obvious how to get the SMS codes sent.
    • Alternatively, if necessary, you can request a YubiKey. See "Obtaining a YubiKey" below.

 If you select a smartphone...

    • If you don’t already have it, you’ll be prompted to download the Duo smartphone app for iOS or Android.
    • If you access the Stanford Axess HR system, you may have already installed the Duo app. If so, Duo will recognize your phone number. Skip to step 4 if so, since multiple accounts can exist on the same Duo app. No need to download the app again.

  3. Scan the QR code, or click the link

The last step is “activating” the connection between your account and the Duo app. The easiest way to do this is to scan the barcode with the Duo app, as instructed.

(NOTE: The below is just a sample. You will have your own personally generated code from the app. If you need to reactivate it in DUO, contact IT Service Desk or call (650) 926-4357 to have it reactivated.)

You’ll get a notification on your smartphone app that you’ll need to acknowledge.

  4. Optionally set up automated Duo Push

The next screen lets you optionally select an automated “push” of notifications, meaning you’ll only need to push a confirmation button on the app whenever you’re challenged for your second-step authentication. It’s recommended, since it eliminates a few clicks (and the chore of reading small numbers and then typing them) from the login ritual.

In the “Default Device” dropdown menu, select your mobile OS instead of the phone number. From the “When I log in” dropdown menu, select “Automatically send this device a Duo Push”, and click “Continue to Login” to receive the first Duo push on the application.

Continue with "Accessing protected services", below.

Obtaining a YubiKey

If you don’t have a smartphone, or do not wish to use one, SLAC affiliates must request a YubiKey to use as the second authentication step.  

Submit the following information via a Service Desk ticket or call Service Desk at (650) 926-4357:

  1. In the short description field enter “Two Step enrollment - token/yubikey request”.  Please also provide your user name.
  2. The description field is optional. 
  3. When the token is configured for you, you will be notified by a Service Desk technician and instructed how to pick up your YubiKey. There is no “activation” step; your token is ready to use.

Accessing protected services

When you log into two-step protected services, such as Outlook Web Access for web mail, after providing your username and password, one of two things will happen.

Please note that the following example shows the Duo prompts for a browser-based web application, like webmail. The format of the prompts and the options provided may vary by host type and account type. You may not see these dialogs if you have accessed the resource in the past and allowed DUO to remember your device.

Web applications are likely the place where you'll most frequently encounter a Duo two-step authentication prompt. Other MFA prompts will require similar interactions but have a different user interface. For example, if you are using SSH to reach a Unix host, the host will display your options as text in a terminal screen. See "Using two-step authentication with other services" below, for other possibilities.

If you're using the Duo smartphone app...

  • If you’re using the Duo smartphone app, and you’ve selected the automatic “push” option, your phone will automatically present you with a dialog box, requesting you to confirm your login. If you didn’t select automatic push, the host will prompt you to send a notification to your smartphone:

  • On your computer screen, you'll see the "Authenticating..." progress box. On your smartphone, just click “confirm” in the Duo pop-up window (the actual format varies by smartphone type). You’ll then gain access to the host. If you do not accept or reject the push notification on your smartphone within a certain amount of time, another dialog box will appear. Just try again.

If you're using a YubiKey or a passcode generated by the DUO app instead of push...

  • Select the field for 'Entering a Passcode' and then note the passcode displayed in the DUO app under your account or tap on your YubiKey. The code in the DUO application is time-limited and will expire quickly. If this happens, simply enter the new code that appears. 

    See 'If "Push" fails, or if you have no WiFi or cell coverage: Passcode' below for more detail.

Using two-step authentication with other services

The way Duo prompts you to verify your identity differs for several applications. The links below take you to help documents for some specific applications.

If "Push" fails, or if you have no WiFi or cell coverage: Passcode

On rare occasions, "push" may fail, either because of network problems or server problems. Similarly, you may find yourself in an area without WiFi or cell coverage. In this case, your phone won't be able to communicate with the Duo servers. Do not despair! The Duo app does not need cell network or WiFi access to function. In such circumstances (or any other time) you may obtain a passcode directly from your Duo app.

  1. Open the Duo app on your smartphone.
  2. Tap “Show” near the Passcode field for your SLAC account.
  3. Note the 6-digit passcode, and enter it into the passcode prompt for the service you are trying to access.

 The SLAC Duo FAQ document has other suggestions if you're having trouble receiving pushes.

 

Adding / removing a device, or changing a setting

Refer to the Duo Settings section of the Duo FAQ Knowledge Base article for instructions on adding a new device, removing an old device, and changing Duo automatic push settings.

Downloading (installing) or manually updating Duo agent for protecting SLAC endpoints

Windows

Important: once the Duo agent is installed on the machine, every account that tries to log in to this computer will receive a Duo prompt unless the account is exempt from the Duo challenge. Make sure all the accounts you use or might use on this computer are enrolled in Duo. More details can be found in the Duo FAQ article.

  • Make sure the machine is plugged into power and connected to the network.
  • Click the “Start" menu (the window icon in the bottom left corner of the desktop).
  • Start to type “Software Center”. Click the "Software Center" tile when it pops up.

  • Once in Software Center, select "Applications" on the left navigation column.
  • Double-click the Duo agent icon.

  • Click the "Install" button.

         

MacOS

Important: once the Duo agent is installed on the machine, every account that tries to log in to this computer will receive a Duo prompt unless the account is exempt from the Duo challenge. Make sure all the accounts you use or might use on this computer are enrolled in Duo. More details can be found in the Duo FAQ article.

The Mac: Self Service Knowledge Base article describes the process of installing software on Mac computers. Find the Self Service icon either in your dock, or in the Applications folder of your SLAC managed Mac by looking for the icon below:

Once you have logged in to Self Service, find the Duo agent icon and click the Install button under it. If you already have it, the button will read Reinstall, as in the screenshot below; there is no need to click the button in this case, just close Self Service.

 

More help?

The IT Service Desk can assist if you have any problems with this process. Call (650) 926-4357, visit the lobby of Building 50, or enter a ServiceNow ticket.

In particular, the FAQ: Two-step authentication with Duo at SLAC has important additional information about managing your Duo devices and other topics.