Duo Technical Terminology and Definitions
Glossary of terminology associated with Duo and their definitions.
Bottom Line Up Front
- This article aims to clarify key terms and concepts related to MFA and cybersecurity, emphasizing the importance of using the correct terminology for clearer and more effective communication.
Definitions
2FA (two-factor authentication) or MFA (multi-factor authentication): an additional layer of authentication beyond a username/password. 2FA implies something you know (password) and something you have with you (like Duo Mobile on your smartphone) to prevent somebody from simply “knowing” your password and accessing your data. When Duo’s 2FA is enabled, you still enter your username and password; Duo does not replace your username and password. It is simply an added layer of security on top of your existing credentials. MFA and 2FA are commonly used interchangeably. Check out this video for more information.
Duo Admin Panel: the login-protected interface where Duo administrators (i.e., Technology Services staff) can manage users, devices, integrations, roles, logs, billing information, and so on.
Duo Central: a resource to quickly view and manage devices attached to your Duo account: https://csd509j.login.duosecurity.com/
Duo Prompt: this lets users choose how to verify their identity (e.g. “Duo Push” or “Call”) each time they log in to a web-based application. The Duo Prompt allows for inline enrollment and authentication.
Passcode: these can be generated via the Duo Mobile app, SMS (text message), or a user’s hardware token.
Platform: a user’s authentication device type (iPhone, Android, landline phone, etc).
Push Notification (Duo Push): this is an out-of-band authentication request that is sent to the Duo Mobile App on an enrolled device. Push notifications include information like user location, the IP address, and the application that the user is trying to access.
Self-service portal: if the self-service portal has been enabled in the Duo Admin Panel, that means that a user can add additional devices, or update their authentication method settings, right from the Duo Prompt. Available to all paying editions of Duo.
Bypass Code: a temporary passcode created by a Duo administrator for a specific user. These are generally used as “backup codes,” so that users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) can still access their Duo-protected systems. Bypass codes expire after being used the allowed number of times, or after an administrator-defined amount of time.
OTP Hardware Tokens: One Time Password (OTP) hardware tokens are small, physical devices that generate a unique password that will only be valid temporarily. Unlike other authentication methods, OTP hardware tokens cannot be enrolled by the user and must be assigned through the Duo Admin Panel. Example hardware token:
Hardware Token Distribution
For staff members who are unable to use a smartphone, tablet, or biometric authentication required for Duo's multi-factor authentication (MFA), the district has a supply of OTP hardware tokens that can be provided instead. The flowchart below also explains how staff can make the decision between Duo Mobile and using OTP hardware tokens:
Unlike other authentication methods, OTP hardware tokens require admin intervention to be appropriately linked to a staff Duo account. To reduce the wait time, please submit a request to Technology Services through our ticketing portal: Incident IQ.
After logging into the portal, select the option Request OTP Hardware Token and you'll be walked through the ticketing process.
If you run into any issues, contact your friendly neighborhood SPOC.
Security Key: a physical device, typically a small USB stick, that helps protect your account by generating unique codes that are used along with your password to verify your identity when logging in to websites or services. Duo supports WebAuthn/FIDO2 security keys. Users must self-enroll WebAuthn security keys via the Duo enrollment prompt, self-service portal or through Duo Central.
Hardware Tokens vs Security Keys
Use this memory trick to remember the difference between an OTP hardware token and a security key:
Just like a regular key, a security key must be inserted before it can “unlock” the door (i.e., Duo).
OTP hardware tokens are like “tokens of appreciation” - they don't last very long! (One time password…)
Identity Verification: the Corvallis Identity Verification Procedure is the process Technology Services uses to verify the identity of a user before performing sensitive actions on an account or sharing PII (personally identifiable information).