2FA
-
Duo Two-factor Authentication Frequently Asked Questions
Q. How do I set up Duo two-factor authentication on my account?
A. Instructions are available here: https://inside.ewu.edu/2fa/ The first time that you log in to InsideEWU with Duo two-factor authentication enabled, you will be prompted to register your device(s). You will only need to register once. Registering your office phone as an alternate method of authentication is recommended.

Q. Do I have to use a mobile device?
A. There are several methods that can be used, including a mobile device app, SMS text message, and voice phone call options. While using a mobile device is the most convenient option and the one that most users prefer, you may request a hardware token instead. Replacements for lost or stolen tokens will be charged to the user's department.

Q. Can I use Duo with my smartphone without downloading the mobile app?
A. Yes, you can, although the app is the more secure and recommended method. If you do not want to download and use the Duo mobile app, you can specify this during the device enrollment process. You must choose "other" when selecting the smartphone's operating system. Please refer to the step-by-step setup guide in our knowledgebase.

Q. What if I replace or upgrade my mobile device? What if I get a new phone number or don't have access to my old number?
A. You can enroll additional phones or tablets at any time. However, to prevent the malicious registration of unauthorized devices, you will need to have access to at least one of your registered devices. If you do not have access to one of your registered devices, you must contact the Information Technology department to have your device registration reset. After reinstalling the Duo Mobile app, you can re-activate your account using the Manage Devices site. There, you can select the "Manage Devices" option and follow the prompts. The Duo Mobile app also now has a restore option; learn more about using it here.

Q. Are international numbers supported for SMS and voice call options?
A. No, only domestic US numbers are supported. Selected Mexican and Canadian carriers may work, but results will vary based on carrier and network. Please see the Adding a device with an international phone number to Duo 2FA knowledge base article for more information.

Q. What should I do if I forget my mobile device at home?
A. If, as recommended, you've added your office phone to your Duo account, just select the appropriate device and select the "Call Me" option during login. If you didn't, please call the IT Help Desk at 509-359-2247.

Q. What devices are supported?
A.
- iPhones and iPads running iOS 6.0 or later
- Android phones and tablets
- Windows mobile phones
- Cell phones and landlines
- Hardware tokens

Q. What browsers are supported?
A.
- Chrome
- Firefox
- Safari
- Microsoft Edge
- Opera

Q. If I don't own a smartphone, how do I request a token?
A. For more information about tokens, see this FAQ. To request a token, complete this form.

Q. Do I need to install software on my laptop or home computer to use two-factor authentication?
A. No, two-factor authentication is integrated directly into the InsideEWU login page, so no additional software is required.

Q. I am going to be traveling, how can I continue to use two-factor authentication?
A. Yes. If you are using a smartphone, you can simply use the Duo mobile app to generate a passcode each time authentication is required. Data service is not needed to generate passcodes through the Duo Mobile app. If you have a token, just bring it along with you while traveling. If you are not able to use your mobile device while traveling and don't have a token, other options are available. For more information, see this article on Traveling with Duo.

Q. When logging in, how does each of the available options work?
A.
- Duo Push: When you click "Send Me a Push", Duo sends a login request to your phone or tablet (if you have Duo Mobile installed and activated on your iOS or Android device). Just review the request on your mobile device and tap "Approve" to log in.
- Passcode: When you click "Enter a Passcode", you'll need to enter a code generated with the Duo Mobile app, sent via SMS, or provided by the Help Desk. Click "Text me new codes" to receive a one-time use code. Note: codes sent by SMS expire after 5 minutes.
- Call Me: First make sure that you have selected the appropriate device. When you click "Call Me", you will receive a voice call from Duo. Follow the voice prompts to authenticate or report fraudulent activity.
- Token: If you have a token, insert it into your computer. At the Duo prompt, tap the metal button on your token.
-
Traveling with Duo 2FA
Duo has multiple options to meet your needs whether you are traveling domestically or internationally. In most situations, the Duo app for your smartphone should be all you need.

Duo Option          | Description                                                   | Connection Required?
--------------------|---------------------------------------------------------------|-------------------------------------
Duo Push            | A pop-up notification on your smartphone                      | Yes, WiFi or cellular (2KB per push)
Duo App Pass Code   | A code generated by the Duo app on your smartphone or tablet  | No
Text/SMS            | A text message sent to your cell phone                        | Yes, cellular
Call                | A phone call                                                  | Yes, landline or cellular
Token               | A hardware token                                              | No
Touch ID (Mac only) | Biometric login                                               | No

Our recommendation is to always enroll more than one device or option, in case your primary device is not available (lost, stolen, dead battery, etc.). To enroll additional devices, visit our Duo FAQ.

Log in using a passcode generated by the Duo Mobile app installed and activated on your Android or iOS device. Open Duo Mobile and locate your organization's account in the accounts list, and tap it to generate a six-digit passcode. Enter that passcode into the space provided and click or tap Verify to log in to the application.

Travel to Embargoed Countries

Individuals who are traveling internationally should check with the Director of Risk Management regarding potential export control issues associated with traveling with different types of multi-factor authentication technologies in accordance with EWU Policy 201-10 (Export Control). According to federal export control regulations, the Duo app and hardware tokens may not be transported or sent to embargoed nations identified by the U.S. State Department. The following nations are on the embargoed list as of January 2020:

- Crimea Region of Ukraine
- Cuba
- Iran
- North Korea
- Sudan
- Syria

If you are traveling to any of those countries, delete or uninstall the Duo app from any devices you will take with you and do not take Duo hardware tokens with you. You can use other Duo options, such as a phone call or passcodes via text message, while traveling in embargoed countries.
-
Two-factor Authentication Token Frequently Asked Questions
Q. What are two-factor authentication tokens?
A. Sometimes referred to as USB security keys, tokens automatically enter a 6-digit passcode at the Duo two-factor authentication prompt when the button is pressed. A variety of tokens are shown here:

Q. Can I use a token as my primary two-factor authentication method?
A. Yes, if one or both of the following circumstances are true:
- You have a physical disability that makes using other methods burdensome
- You do not own or have access to a university-owned mobile device
Tokens are only provided to faculty or staff. We recommend Yubikeys, which can be purchased through Amazon.

Q. Are there limitations on using a token?
A. Yes, there are some limitations to tokens. First, you must be using a device with a compatible USB port and the USB port must not be disabled (some kiosks and computer labs disable USB ports for security reasons). At this time, only USB A tokens are available. Second, you must use a supported browser. Google Chrome and Opera support tokens natively. Firefox now supports tokens, but support must be enabled in the browser on any computer where you want to use your token. To do so, follow these step-by-step directions:
1. Type "about:config" (without quotes) into the Firefox address bar and press Enter.
2. Search for "u2f".
3. Double-click on security.webauth.u2f to enable U2F (or right-click and select Toggle).
For assistance with this process, contact your IT Pro or the IT Help Desk.

Q. How do I obtain a token?
A. One token per person is provided by IT. Complete this form: https://support.ewu.edu/support/catalog/items/111

Q. My token is lost, damaged, or stolen. What do I do?
A. Report damaged, stolen, or lost tokens immediately to the Information Technology department so the token can be disabled. Departments and/or individuals are responsible for any replacement charges.

Q. I am a departing employee, what do I do with my token?
A. Much like other university property, you are required to return your two-factor token.
-
Two-factor Authentication Frequently Asked Questions
Q. How do I get started?
A. Instructions are available here: https://inside.ewu.edu/2fa/

Q. What is two-factor authentication?
A. Two-factor authentication adds an extra layer of security on your account by requiring you to have something you know (username and password) and something you have (e.g., cell phone or hardware token). When applications and services require two-factor, it will prevent anyone but you from accessing your account, even if someone else knows your password. Two-factor requires a unique security code each time your account is accessed on an untrusted device, application or web browser. EWU has licensed Duo for two-factor authentication.

Q. Why is EWU requiring this for employees?
A. Unfortunately, account compromises and malicious attacks have become more numerous and frequent at EWU. Passwords alone no longer provide a sufficient degree of safety. If your EWU account is "hacked", criminals will have access to your personal information and everything in your Office 365 Account, your Banner account, and all the online services of InsideEWU. Most credential breaches can be stopped by two-factor authentication. In addition, compliance and regulatory concerns are compelling us to implement two-factor authentication.

Q. Who else uses two-factor authentication?
A. The use of two-factor authentication is quickly becoming the norm for most universities and colleges. In addition, federal and state governments have mandated two-factor authentication use for years. Regionally, schools like the University of Idaho, Washington State University, and Central Washington University already require it or soon will. The state of Washington requires two-factor authentication for most of its agency systems and all remote access. Nationally, schools like Notre Dame, Penn State, the University of Nebraska, Michigan State and the University of Minnesota, and many others already require it. The Department of Education is considering requiring two-factor authentication for schools to continue receiving federal financial aid.

Q. What are the benefits of using two-factor?
A. The main benefit of using two-factor authentication is a significant increase in protection of your account. If you receive a security code or push notification when you are not trying to log in to your account, you'll immediately know that someone else is attempting to do so. If this does happen, you should change your password and contact the EWU Information Technology department!
- Two-factor adds an extra barrier between your personal information and the bad guys.
- Two-factor can help keep attackers from accessing your email, documents, payroll, personal information, or research data.
- Two-factor reduces the risk of hackers using your EWU account to perform harmful activities.
- Two-factor helps protect EWU's systems.

Q. I don't have anything confidential in my account, why should I care about two-factor authentication?
A. Most attackers are interested in using your username and password to break into the secure internal network so that they can look for vulnerabilities on the thousands of sensitive internal systems on campus. Alternatively, attackers will log in to a user's email account and send out hundreds or thousands of phishing messages to other faculty, staff and students in an attempt to compromise their computers and get access to sensitive information. Another very common tactic is for hackers to alter your direct deposit information so your paycheck or, if you are a student, financial aid is deposited in their account instead.

Q. What services will be affected by implementing two-factor authentication?
A. Duo protects services that you log in to through InsideEWU, including Office 365, Google Workspace, Canvas, Banner and Eaglenet. Duo protection has also been added to select services like VPN.

Q. Can I also enable 2-Step Verification for Office 365?
A. No, they are not compatible services.

Q. Can I also enable 2-Step Verification for Google Workspace?
A. Yes. Enabling 2-Step verification for Google Workspace will provide additional protection for services like Google Drive, Docs, YouTube, etc.

Q. Do I have to use a mobile device?
A. There are several methods that can be used, including a mobile device app, SMS text message, and voice phone call options. While using a mobile device is the most convenient option and the one that most users prefer, faculty, staff, and students may request a hardware token instead. Replacement costs for lost or stolen tokens are the responsibility of the student or department.

Q. Can I use Duo without downloading the Duo mobile app?
A. Yes, you can. If you do not want to download and use the Duo mobile app on your smartphone, you can specify this during the device enrollment process. You must choose "other" when selecting the smartphone's operating system.

Q. Does EWU gain control of my personally-owned mobile device once I enable Duo?
A. No! By installing Duo on your mobile device, you do not provide EWU with any additional ability to access your device or monitor your personal activity.

Q. Does installing or using Duo with my personally-owned mobile device comply with state ethics laws?
A. Yes! No university or state-owned information is stored in Duo.

Q. Are there record retention requirements if I install or use Duo with my personally-owned mobile device?
A. No! All records and logs are stored in the Duo service, not your mobile device. This is one of the reasons that the service is so secure.

"If you use Duo Mobile, there is no data stored on your smartphone or tablet. Period. We use Duo Mobile because it's simple and secure, and one of the reasons for this is it creates no records on your personal device. If you receive phone callbacks, there is no data on your phone and you can delete the metadata from your phone's history of recent incoming calls because it's transitory and the administrative purpose is fulfilled as soon as you've completed the call. In each case, the result is the same: no data related to 2FA on your device that's subject to disclosure."

Q. Who is eligible at EWU to use two-factor authentication?
A. All faculty, staff, and students.

Q. I have more questions. How can I learn more about two-factor authentication?
A. Please check our two-factor site at https://inside.ewu.edu/2fa/ or check out these additional articles in our knowledgebase:
- Duo Remember Me for 7 Days
- Two-factor Authentication Token Frequently Asked Questions
- Traveling with Duo
- Duo Two-factor Authentication Frequently Asked Questions
- Two-factor Authentication Frequently Asked Questions
If you have additional questions that are not answered in these articles, please contact the IT Help Desk (509.359.2247), helpdesk@ewu.edu.
-
Duo Trust this browser
Duo's "Trust this browser" feature makes signing in fast and convenient while still keeping your information safe.

How does "Trust this browser" work?

It's a setting that gets saved in your browser's cookies. This means that if you check the "Trust this browser" box, and use the same computer and browser, you won't have to verify your identity with Duo for the time shown.

How do I use the "Trust this browser" feature?

After you've successfully authenticated using your 2nd factor, check the "Trust this browser" box:

Note: If you use a different computer or browser, or clear your cache and cookies, you will need to verify your identity with Duo. Never use the feature on public or shared devices.

Common Issues

For the "Trust this browser" feature to work, the browser's security settings must allow third-party cookies coming from Duo Security.

Safari:
1. Go to Safari > Preferences.
2. Click the Privacy tab.
3. Disable the Block all cookies option.
4. Safari 13.1 and later: You must also disable the Prevent cross-site tracking option.

Edge:
1. Click More in the upper right of the toolbar.
2. Click Settings.
3. Scroll down and click on View Advanced Settings.
4. Scroll down to Cookies and ensure it is set to Don't block cookies.
5. Restart Microsoft Edge.

To add an exception for Duo-served cookies, update your browser settings (generally found under Privacy or Security settings) and use the following format, depending on which browser you're using:
- Internet Explorer: *.duosecurity.com
- Firefox: https://duosecurity.com
- Chrome and Opera: [*.]duosecurity.com
-
How to Use the Duo Mobile Passcode for 2FA
What happens when your phone is in airplane mode or doesn't have service and you realize you need your second factor to access your important apps? With Duo's one-time passcode generation in Duo Mobile you can log in anywhere, anytime, no phone service required.

Follow these steps:
1. On the second factor authentication screen, click Use Duo Mobile Passcode.
2. Open the Duo Mobile app on your tablet or smartphone.
3. In the Duo Mobile app, tap the Show button and a six-digit passcode will be shown.
4. Enter this code in the two-step authentication screen and click Verify.
-
How to enroll a YubiKey for Duo 2FA
Using the Duo Mobile app with your smartphone is the recommended method for Two-Factor Authentication (2FA). If you don't have a smartphone, a Security Key like the YubiKey can serve as your 2nd factor.

To use a YubiKey with Duo, you must have the following:
- A supported modern browser (current versions of Chrome, Firefox, Safari, or Microsoft Edge)
- An available USB port that is the same type as your YubiKey (USB-A or USB-C)
- Your YubiKey

Enrolling your YubiKey

1. On a computer, open a browser and navigate to https://inside.ewu.edu/2fa/
2. Click on Manage > under Manage Device(s).
3. Enter your Username and SSO password when prompted.
4. If you are prompted to enter a bypass code, contact the Help Desk at 509.359.2247. Your identity will be verified and a bypass code will be issued. Enter the provided bypass code in the prompt.
5. Click on Add a device.
6. Select Security key.
7. Insert your Security key / Yubikey and click Continue.
8. If using a Windows computer, a Windows Security prompt will appear. Click Ok to proceed.
9. Another Windows Security prompt will appear, instructing you to touch your Security key / Yubikey. Gently tap the button.
10. You will receive a message that the Security key / Yubikey has been added.
11. You will now see the Security key / Yubikey listed under your managed devices in the Duo Portal.

For instructions on authenticating with your YubiKey, please see: https://support.ewu.edu/support/solutions/articles/10000059665-how-to-use-your-yubikey-for-duo-2fa
-
How to use your YubiKey for Duo 2FA
Important: If you have not enrolled your YubiKey in Duo yet, please follow these instructions first: https://support.ewu.edu/support/solutions/articles/10000059594-how-to-enroll-a-yubikey-for-duo-2fa

Authenticating with your YubiKey

The next time you log in to a Single Sign-On (SSO) application like Canvas or EagleNET, you can simply press/touch your YubiKey's gold-colored contact to log in when prompted to "Verify your identity". The experience shown below is in Chrome (recommended).

If you cancel your browser's prompt to use the Yubikey or it times out as shown below, you can choose "Other options" to use another one of your 2nd factor methods.
-
How to enroll Touch ID for Duo 2FA
In order to use Touch ID with Duo, make sure you have the following:
- A MacBook Pro, MacBook Air, or Apple Magic Keyboard with a Touch ID button.
- A fingerprint enrolled in Touch ID (see how to do this at the Apple Support site).
- Chrome 70 or later. Safari and other browsers on macOS are not supported.

Read the Touch ID information and click Continue. Chrome prompts you to verify your identity on duosecurity.com. Place your finger on the Touch ID button in the Touch Bar to complete Touch ID enrollment. When you receive confirmation that you added Touch ID as a verification method, click Continue.

You can now log in to Duo-protected applications that show the Duo prompt in a web browser using your fingerprint sensor.

If you have more than one MacBook with which you'd like to approve Duo login requests using Touch ID, you'll need to add each of them separately as a new Touch ID device in Duo. To do this, the IT Help Desk must have enabled self-service device management.
-
How to use Touch ID for Duo 2FA
Important: To use Touch ID as your Duo 2nd factor, you must:
- Enroll your Touch ID by following these steps: https://support.ewu.edu/support/solutions/articles/10000059718-how-to-enroll-touch-id-for-duo-2fa
- Use a Mac that supports Touch ID
- Use a current version of Chrome Web Browser

Authenticating with your Touch ID

1. If Touch ID isn't your default option, choose "Other options" at the Duo Prompt.
2. Click the Use fingerprint sensor option.
3. When prompted, place your finger on your Touch ID.
4. If successful, you'll be logged in.