Duo Two-Factor Authentication - Original - March 8 2021

Step One: Login to Passport York
Go to Manage My Services and log in to Passport York

Step Two: Welcome Screen

To go through the setup process, please click Setup. Otherwise, click on Setup Later. You have up-to 14 business days to setup a device before login is permitted.

Click Start setup to begin setup your device.

Step Three: Choose Your Authentication Device Type

Select Mobile phone and click Continue.

Step Four: Type Your Phone Number

Select your Country from the drop-down list and type your phone number.

In the illustration below, we chose Canada

Use the number of your smartphone that you'll have with you when you're logging in to a Duo-protected service. Double-check that you entered it correctly, check the box, and click Continue.

Step Five: Choose Platform
Choose your device's operating system and click Continue.

Step Six: Install Duo Mobile

Duo Mobile is an app that runs on your smartphone and helps you authenticate quickly and easily.

On your smartphone, search for Duo Mobile in the Apps store (iPhone) or Google Play Store (Android). Follow the platform-specific instructions on the screen to install Duo Mobile.

After installing the app, return to the setup window and click I have Duo Mobile installed.

Step Seven: Activate Duo Mobile

Activating the app links it to your account so you can use it for authentication.

On iPhone and Android devices, activate Duo Mobile by scanning the barcode with the app's built-in barcode scanner. Follow the platform specific instructions for your device:

The "Continue" button is clickable after you scan the barcode successfully.

Otherwise, click on Back to Login.

Step 8: Congratulations!

Your device is ready to approve Duo push authentication requests.

Click Send me a Push to give it a try. All you need to do is tap Approve on the Duo login request received at your phone.

If you have been assigned a Duo hardware token, click Enter a Passcode, press the green button on your Duo token, enter the passcode and click Log In.

If you need assistance or experience login problems after 2FA is activated, please contact askit@yorku.ca or your local IT support group.

Step One: Login to Passport York
Go to Manage My Services and log in to Passport York

Step Two: Welcome Screen

To go through the setup process, please click Setup. Otherwise, click on Setup Later. You have up-to 14 business days to setup a device before login is permitted.

Click Start setup to begin setup your device.

Step Three: Choose Your Authentication Device Type

Select Tablet and click Continue.

Step Four: Choose Platform

Choose your device's operating system and click Continue.

Step Five: Install Duo Mobile

Duo Mobile is an app that runs on your smartphone and helps you authenticate quickly and easily.

On your smartphone, search for Duo Mobile in the Apps store (iPhone) or Google Play Store (Android). Follow the platform-specific instructions on the screen to install Duo Mobile.

After installing the app, return to the setup window and click I have Duo Mobile installed.

Step Six: Activate Duo Mobile

Activating the app links it to your account so you can use it for authentication.

On iPhone and Android devices, activate Duo Mobile by scanning the barcode with the app's built-in barcode scanner. Follow the platform specific instructions for your device:

The "Continue" button is clickable after you scan the barcode successfully.

Click on Continue to Login

Step Seven: Enter a Passcode

Click Enter a Passcode

On your device, open the Duo Mobile App and tap on the York University to generate a one-time passcode. Then enter the passcode on your screen and click Log In.

Duo Mobile Passcodes are one-time codes and can be generated without an internet connection or cellular service.

If you need assistance or experience login problems after 2FA is activated, please contact askit@yorku.ca or your local IT support group.

Step One: Login to Passport York
Go to Manage My Services and log in to Passport York

Step Two: Welcome Screen

To go through the setup process, please click Setup. Otherwise, click on Setup Later. You have up-to 14 business days to setup a device before login is permitted.

Click Start setup to begin setup your device.

Step 3: Enter a Passcode

Click Enter a Passcode.

On your Duo hardware token, press on the green button.

Enter the passcode and click Log In.

If you need assistance or experience login problems after 2FA is activated, please contact askit@yorku.ca or your local IT support group.

In order to use a security key with Duo, make sure you have the following:

• A supported browser (Chrome 70, Firefox 60, Safari 13 or later), or Microsoft Edge 79 or later. Support for authentication is limited to web applications that show Duo's inline browser prompt.
• An available USB port.
• A supported USB security key. WebAuthn/FIDO2 security keys from Yubico or Feitian are good options. U2F-only security keys (like the Yubikey NEO-n) can't be used with Firefox.

Step One: Login to Passport York
Go to Manage My Services and log in to Passport York

Step Two: Welcome Screen

To go through the setup process, please click Setup. Otherwise, click on Setup Later. You have up-to 14 business days to setup a device before login is permitted.

Click Start setup to begin setup your device.

Step 3: Choose Your Authentication Device Type

Select Security Key and click Continue

Make sure that you are not blocking pop-up windows for the enrollment site before continuing

Step 4: Insert and tap your security key

Depending on your security key, you will need to tap, insert, or press a button on your device to proceed.

When enrolling your security key, you'll be prompted to tap to enroll your security key (possibly more than once). You may also be asked if you want to allow Duo to access information about your security key (click Allow or Proceed as applicable).
You will see whether the security key identification was successful or not.

Step 5: Security Key registered

Click on Continue to Login

Step 6: Authenticate

Click Use Security Key

The illustration below was done on a windows system

Touch you security key to authenticate.

If you need assistance or experience login problems after 2FA is activated, please contact askit@yorku.ca or your local IT support group.

2FA is required for all active student, staff, faculty and sponsored affiliates accounts. Once 2FA is activated for your account, you have up-to 14 business days to setup your device. After that period, you will be required to setup a device before login is permitted.

List of Supported Devices

Only applications that support Microsoft's Modern Authentication libraries are able to prompt for Duo two-factor authentication. This is a Microsoft -- not Duo -- limitation.

Mobile applications that support Modern Authentication libraries are as follows:

• The native Mail app on iOS 11.x+
• Microsoft Outlook app on iOS version 10.x and greater
• Microsoft Outlook app on Android

Note: If your smartphone mail app keeps prompting you for your email password, please read "Issues with email on my smartphone" under the "General Issues and Troubleshooting" tab

What about my privacy with the Duo mobile app?

The DUO Mobile application will also ask you whether you wish to share Application usage information with the creator of the DUO product. This is optional to allow or deny.

For additional information, please see Duo's Privacy Information

https://help.duo.com/s/article/4683?language=en_US

Step 1. Go to Manage My Services and log in to Passport York

Step 2. In the Duo Prompt, Click on My Settings and Devices to access the Self-Service Portal, then Click Send Me a Push to authenticate and access the Duo portal.

Step 3. Approve the pending Push request on your smartphone.

Step 4. Under Default Device - "When I log in" section, click on the drop down menu, select "Automatically send this device a Duo Push" and click Save.

The next time you authenticate to Passport York, Duo will automatically send you a Push request to your Default mobile device.

Setup a New Device

Step 1. Go to Manage My Services and log in to Passport York

Step 2. If you have the "Remember me for 30 days" check, click Cancel.

Otherwise, click on Add a new device

Step 3. Proceed with your 2nd factor authentication by clicking Send Me a Push or Enter a Passcode.

Step 4. Choose the new device you want to add. In this example, we'll add another phone.

Step 5. Select your phone type and click Continue.

Step 6. Install the Duo Mobile app on your new phone and click I have Duo Mobile installed.

Step 7. Scan the barcode with the app's built-in barcode scanner.

Step 8. The "Continue" button is clickable after you scan the barcode successfully.

Step 9. The new phone is added and listed with your other devices. You can click Add another device to start the setup process again.

Yes. You can use the same 2FA device for multiple York accounts.

Duo Mobile App

Proceed with the enrollment of your first account by following the Get Started With Duo 2FA steps and register your device. When enrolling your other accounts with the same phone number, you will be ask to contact the administrator.

Please contact askit@yorku.ca or local IT support to associate your phone number with your other accounts.

Duo Hardware Token

To register your hardware token to your various York accounts, please contact askit@yorku.ca or your local IT support group.

If you still have your old device, please read through:

Step 4. Click on Device Options³ next to the device you want changed.

 

 

 

If you've clicked on the "Remember Me" setting and you are still being asked to authenticate, head over to the "General Issues and Troubleshooting" tab >  "The Remember Me setting is not working or the box is grayed out. How do I fix it?"

York University has elected to use the more secure Duo 2FA authentication methods.

	Duo Push (Preferred method) Install the Duo Security Mobile app on your smartphone to receive push notifications. Once this is installed, and you attempt to login to Passport York applications and O365, you’ll receive a push notification on your smartphone. Open the notification, and you’ll see a green checkmark and a red x. Simply tap the green checkmark to gain access. Using the Duo app also adds an extra physical layer of security to any smartphone with a passcode enabled. Concerned about data usage? Duo Push uses very little data. 500 pushes to your device will use 1 MB of data in total. This is roughly equivalent to loading one webpage on your smartphone.
	Passcodes Use the Duo Security mobile app to generate temporary passcodes. This option does not require WiFi or data, so this is a great option if you’re traveling or if you have limited or no cell/internet service. Open your Duo mobile app, tap the key icon, and it will reveal a passcode. Log into the application, choose the enter a passcode option, enter the code, and you’re in!
	Duo Hardware Token The Duo hardware token will generate temporary passcodes.

Reference: https://infosec.yorku.ca/elected-authentication-methods/

A Duo hardware token is small fob that generates passcodes for Duo access. Each hardware token is tied to one user. The passcodes generated by that token can only be used by that user.

How do I get a 2FA hardware token?

Tokens for Students

Duo hardware tokens are available to students at a minimum cost. You can order your tokens at the YorkU Bookstore. Note: Token shipping and delivery may take 2-4 weeks, and your 2FA activation period will be extended to ensure you are not required to set up 2FA prior to having the token.

Tokens for Staff/Faculty

Staff and Faculty members who prefer to use a duo hardware token, can request their first token for free by ordering it at the YorkU Bookstore. Note: Token shipping and delivery may take 2-4 weeks, and your 2FA activation period will be extended to ensure you are not required to set up 2FA prior to having the token.

I lost my hardware token. Now what?

If you are a Staff and Faculty member, you can request for a replacement hardware token by contacting Client Services at askit@yorku.ca

Please access My Settings and Devices to remove the lost device.

If you are unable to access My Settings and Devices, contact askit@yorku.ca or your local IT support group to have the lost device disabled, and to have an alternate device added.

A higher degree of assurance is offered by any 2FA protection than a static password alone provides. Within the realm of 2FA options, some methods have a higher degree of protection than others. The security level threshold acceptable for a given 2FA protected application will vary with the risk posed by that application. As such, for applications that require a sufficiently high assurance level, less secure 2FA options will not be allowed.

York University has elected to use the more secure Duo 2FA authentication methods.

Reference: https://infosec.yorku.ca/which-second-factor-is-the-most-secure/

Overview

The Duo 2FA solution offers a number of convenient and easy-to-use features and options to suit the range of uses and needs of the entire York community. The following is a summary of the available methods.

Duo Mobile App - "Push" Authentication

This is the preferred method as it is both highly secure as well as being most convenient for those with a smartphone. Once set up, validating your logins is a simple one-touch action. To use it, install the Duo Mobile app from the Apple or Google app store. It is available at no charge for Android 8.0+ and iOS 12.0+. (If you do not see the app, your device may not meet minimum system requirements) Requires an active data or cellular data connection to work.

Duo Mobile App - "Passcode" Authentication

This uses the same app as the "push" method, but instead of the one-touch validation, you make use of the passcode provided by the app. The advantage of this method is that it will work even without an active data or cellular connection.

Duo Hardware Token

A Duo hardware token is small fob that generates passcodes for Duo access. This works similarly to the Duo Mobile passcode option above, but without the need for a smartphone; although you do need to keep your token handy, usually on your keychain. It is available via the York Bookstore. For staff and faculty, please note the coupon code provided on the Bookstore page to obtain one at no charge.

Passcode via Text Message

If the Duo Mobile app is not compatible with your phone and the hardware token is not suitable, you can enable passcodes via text message via request to askit@yorku.ca. When validating, you will receive a passcode that you can use; this requires cellular service availability.

Validation by Phone Call/Landline

If you do not have or do not wish to use a smartphone or cellphone, and a hardware token is not suitable, you can enable phone call validation via request to askit@yorku.ca. When validating, you will receive a call to the registered phone number you provide, and you will need to confirm using phone keypad. This method will work with any cellphone or landline phone.

Second-factor criteria comparison & Assurance levels

Reference: https://infosec.yorku.ca/2fa-auth-methods/

Some native and third-party mail apps do not support Modern Authentication. Please install the Microsoft Outlook app on your Android device.

iOS users:

The preferred method is to use the Microsoft Outlook app.

The built-in mail app included with your iPhone or iPad works with Duo 2FA, as long as your iOS version is 11 or better. If your device meets the Duo requirement and you are constantly being prompted to enter your Outlook password, you need to delete and re-add your Outlook account as shown below.

Step 1. Go to Settings > Passwords & Accounts > [Select your YorkU Outlook account] > Delete Account

Settings > Passwords & Accounts > [Select your                              Confirm Deletion of the Account
 YorkU Outlook account] > Delete Account

Step 2. Re-add your YorkU Outlook account. Settings > Passwords & Accounts > Add Account > Exchange

Step 3. Enter your full YorkU email address e.g duomfa@yorku.ca. For the Description, you can type in YorkU. Click Next.

Step 4. Click Sign In and enter your Passport York password. Then click Sign In

Step 5. Assuming that your iPhone/iPad has a passcode, you can click Save Password and validate the Duo request on your phone.

Step 6. Microsoft may prompt you for a permission request. Click Accept and select your desired Exchange attributes.

Your YorkU Outlook account has been successfully re-added.

Step 7 (Optional). If you have more than one email accounts configured on your iPhone or iPad and wish to set the YorkU Outlook account to be the default, go to Settings > Mail > Default Account. Choose YorkU.

If you try to launch the Microsoft Quick Assist and you receive the "Oops Looks Like Something Went Wrong" message, your Microsoft 365 Work or School Profile may not be properly configured. The steps below may help you fix the issue.

Step 1. Click on the start up menu¹, go to Settings² and Accounts³

Step 2. Go to Access work⁴ or school and sign-out of your York profile

Step 3. Launch one of the Microsoft Office Suite programs. In this example, I have chosen Word. Go to File, Office Account⁵ and Sign out⁶.

Step 4. Close Word and launch it again. If you are prompted to sign in, stop. If Word automatically signs you in, Repeat Step 3 until you are prompted to sign in.

Step 5. When you are prompted to sign-in, login with your PY account.

Step 6. The checkbox "Allow my organization to manage my device" is checked by default. You can uncheck the box. Click OK.

iPhone: iOS 12.0+

Android: Android 8.0+

The "Remember Me" setting must be applied to each browser you use and on each computer you use. DO NOT apply this setting on public or shared devices. If you choose this setting, but log in later with a different browser you will have to set it again for that browser during authentication. If you are certain you chose it to remember you on both the computer and the browser you are using, then it might be a setting on the browser that is not saving your choice. If the Remember Me box is grayed out, scroll down to "Grayed out box."

Browser Settings

Chrome

1. While in Chrome click on the 3 vertical dots in the top-right corner of the browser () and choose “Settings” in the drop down menu.
2. Scroll to the bottom of the settings page and click “Advanced.” This will add more options to the bottom of the page.
3. The next section is “Privacy and security.” Scroll through that section until you find “Content settings” (it may be the next-to-last option) and click on it.
4. From here you will click in “Cookies” (it should be the first option) and make sure:
   1. "Allow sites to save and read cookie data (recommended)" is turned ON.
   2. “Keep local data only until you quit your browser” is turned OFF.
   3. "Block third-party cookies" is turned OFF.
5. If you are still having trouble after doing steps 1-4; on "Cookies" page under "Allow" at the bottom, click the "Add" button and add [*.]duosecurity.com.
6. Changes you make here are immediate, so there is no option to save. You can close the settings tab/window whenever you are finished.

Firefox

1. While in Firefox click on the 3 horizontal lines in the top-right corner of the browser () and choose “Preferences” from the drop down menu.
2. On the left-hand side, choose the “Privacy & Security” option.
3. In the “History” section make sure you either uncheck the "Clear history when Firefox closes" option, OR click the Settings button just to the right of that option and uncheck "Cookies" from the list of things that get cleared.
4. In the "Cookies & Site Data" section make sure "Accept cookies and site data from websites (recommended)" is selected and "Keep until" is set to "They expire."
   1.  If you still have trouble after doing steps 1-4, you can also click the Exceptions button to the right of this option and add https://duosecurity.com to the exceptions list.
5. Changes you make here are immediate, so there is no option to save. You can close the preferences tab/window whenever you are finished.

Safari

NOTE: If you are using Safari 12 for macOS 10.12 or later, please use a different browser, for example Google Chrome. Safari 12 for macOS 10.12 does not allow setting exceptions for third- party cookies. iOS WKWebView limits the ability to issue and read browser cookies. This is intentionally designed by Apple, and Remembered Devices will not work. For Safari version 11.x and lower,

1. Go to Safari > Preferences.
2. Click the Privacy tab.
3. Disable the Block all cookies option.
4. Safari 13.1 and later: You must also disable the Prevent cross-site tracking option.

Grayed Out box

If you have set Duo to send you a push notification automatically, the "Remember me for 30 days" checkbox may be grayed out.

If you want to reactivate this feature:

1. Cancel the push by clicking the blue Cancel button in the lower right corner of the window.
2. Check the box "Remember me for 30 days" and click "Send Me a Push" to authenticate.