Authenticating 101
Two-factor authentication provides added security by prompting you to enter a unique code at sign in, in addition to your password. The unique code, generated by your phone, is used only once. You can prompt the code from a device of your choosing (typically your smartphone). Using the Duo Mobile smartphone app (for iOS, Android) is the simplest and preferred method for obtaining the second-factor codes, but tokens and other methods are available.
- Theft of Credentials is Common!
- A user can be tricked into giving away their Network ID and passphrases through a malicious email or phishing or other online scams (View phishing examples here).
- Many people reuse passwords or passphrases on other websites (Amazon; LinkedIn). If compromised, attackers often publish or sell the passphrases (infosecurity-magazine.com/news/linkedin-breach-weak-passwords).
- A user shares their Network ID and/or password (in violation of CWRU policy) with someone else.
- A user logs in from an infected computer where attackers continue to run and record keystrokes of the users' passwords and/or passphrases (Keylogger).
Authenticating with Duo for websites is virtually the same across the website, the only difference being how you authenticate. Learn how to authenticate to a website with your supported device on Duo’s website.
Note: These external links are unaffiliated with CWRU. If they are not working, please notify us at security@case.edu
You can see which sites work with which CWRU website in this table. As security protections and policies advance, this table is subject to change. If you do not see a particular website CWRU uses listed here, you can ask at help@case.edu.
Troubleshooting
If you have already logged in with Duo on your browser session (for example, to access your email, HCM, or MyApps), the enrollment app will see that you are logged in and redirect you to a success message. This behavior, verifying that your Duo authentication method is working properly, is normal for this app, and is vital for many users to understand that they have successfully used Duo.
- If you logged in to an application that uses Duo (such as webmail, HCM, MyApps, etc), and you selected the Remember Me for 120 Hours option, the enrollment app will only be able to log you in.
- In order to Add a new device (or change a device), open an Incognito browser session in either Google Chrome or Firefox and proceed to the enrollment page. Do not select Remember Me for 120 Hours when signing in.
- To open an Incognito session in Chrome, open Chrome and use the keyboard shortcut Ctrl + Shift + N.
- To open an incognito/private session in Firefox, open Firefox and use the keyboard shortcut Ctrl + Shift + P.
-
You may have trouble receiving push requests if there are network issues between your phone and Duo. Many phones have trouble determining whether to use the WiFi or cellular data channel when checking for push requests.[1]
-
Try turning your phone on airplane mode for a few seconds, then turning off airplane mode.
-
Try turning off WiFi on your phone and requesting the code using cellular data.
-
Check the time and date on your phone and make sure they are correct. If the date and time on your phone are manually set, try changing your device's configuration to sync date and time automatically with the network.
-
iOS users can run a troubleshooting tool from within Duo Mobile version 3.32.0 or later. To run the tool:
-
Open the Duo Mobile app on your iOS device and tap the Edit button in the top left of the accounts list screen, then tap the name of the account for you aren't receiving push requests.
-
Next, tap the Get Started button in the "Missing Notifications?" section of the the "Account Details" screen.
-
Duo Mobile performs the test. If any step fails, you'll receive further troubleshooting suggestions. After taking the suggested actions, tap *Run test again* to retry.
-
Your Duo token can get out of sync if it is pressed too many times in a row and the codes aren’t used for login.[1] If your Duo token is out of sync, call the Helpdesk at 216-368-4357 to have them resync your token.
Duo Tokens and YubiKeys
- Duo tokens and YubiKeys are terms used interchangeably around campus, but this is incorrect as they are fundamentally different devices. Duo tokens are hardware devices that are from Duo (and provided to you by the university) that generate one-time use passcodes. There is no need to plug a Duo token in a computer to use it, and there is no need to hold it close to your computer or phone to generate a passcode.
- YubiKeys (also called security keys, FIDO keys, or universal two-factor (U2F) keys) are devices that you purchase that must be plugged into the device you are authenticating on. Usually, you must also press down on a gold part of the YubiKey to complete authentication. They can also be held close to the device so it can be scanned, as in the case of a cell phone. There are no passcodes generated with YubiKeys.
Device Name | What it looks like | Alternative Names | Authentication Method | How to Obtain |
---|---|---|---|---|
Duo Token | Token, hardware token | Passcode (6 random numbers) | Call the Helpdesk and request one; pick up at CARE Center in Lower Level KSL | |
YubiKey | Security key, FIDO key, Universal Two-Factor key (U2F) | Plug into computer and touch blinking metal contact point; For NFC, hold close to cell phone or tablet | Purchase on your own from a trusted vendor |
All CWRU employees and students can request their first Duo token for free by contacting the Helpdesk. The Helpdesk will assign you a Duo token and enroll it under your account. Once a token has been assigned to you, you can pick it up from the [U]Tech CARE Center in the Kelvin Smith Library. You can then use the Duo token to generate secure passcodes.
- If you are no longer using your case.edu email or will not have access to your case.edu email, simply return the Duo token to the [U]Tech CARE Center in the Lower Level of Kelvin Smith Library.
- If you will have continued access to your case.edu (as a student or alumni), you can continue using your Duo token, or you can enroll a new device that you own, such as a smartphone, tablet, basic cellphone, landline, or YubiKey. If you are enrolling a new device and do not wish to have your token, you can return the Duo token to the [U]Tech CARE Center in the Lower Level of Kelvin Smith Library.