Duo User Guide
Protect your accounts using Duo Security's multi-factor authentication services.
Written by Alison Bowden
Updated at July 29th, 2024
Table of Contents
Overview
To combat potential cyber threats, CSD 509J uses Duo Security for multi-factor authentication (MFA) to add an extra layer of security to your accounts. MFA requires users to provide two or more pieces of evidence to verify their identity, reducing the risk of unauthorized access. Duo offers a user-friendly MFA solution with various authentication methods and easy implementation.
This guide will walk you through Duo enrollment, basic usage, and troubleshooting.
For clarifications on technical language used here, visit our article on Duo Technical Terminology and Definitions.
Duo Enrollment Process
Your Duo journey starts with an email notification, sent automatically once Technology Services provisions your account. Look for the subject line Duo Security Enrollment from Duo Security and click the link in the email (you can do this from any device on any network, not just a district computer). Your enrollment email will look like this:
Duo will walk you through several informational windows:
The Duo Device Health app is not required at this time. Select the “Skip for now” option to continue.
Choosing a Main Authentication Method
We recommend reading these options first and then continuing to the next sections for specific instructions on enrolling your preferred method.
Method: Duo Mobile App - Recommended
- This is the fastest and most secure authentication method!
- Available for Android and Apple devices (eg phones, tablets, iPads) and even works with most smartwatches.
- Duo Mobile won't need special permissions and won't use your personal (ie non-work) information.
- From the DUO FAQ page: Does installing the Duo Mobile app give up control of my phone?
No. Duo Mobile has no access to change settings on your phone. Duo Mobile cannot read your emails, it cannot see your browser history, and it requires your permission to send you notifications. Lastly, Duo Mobile cannot remotely wipe your phone. The visibility Duo Mobile requires is to verify the security of your device, such as OS version, device encryption status, screen lock, etc. We use this to help recommend security improvements to your device and you always are in control of whether or not you take action on these recommendations.
Requirements: phone/tablet must be upgraded to at least Android 10 or IOS 14.0
Method: Phone number
Duo will send a text message with a code each time you need to authenticate.
Requirements:
- Cell phone with texting/SMS plan
- Cellular connection to receive messages (or SMS over wifi enabled- may not be available on all phone types)
Warning: Google Voice Users
If you have a district-licensed Google Voice number, do not use this number as your main authentication method. If you are locked out of your Google account (for whatever reason) you will not receive any text messages as part of the authentication process when trying to log back in.
This can be compared to locking your key ring in your car. To open the car door you need the key, which is now inaccessible because the door is locked.
Method: TouchID (MacBook Users)
For MacBook users with a fingerprint reader, you can also access another authentication method: TouchID. It's recommended to have an alternative authentication type enabled in case your MacBook is unavailable.
Requirements:
- Fingerprint must already be registered with MacBook Touch ID settings (Apple's instructions for enrollment)
- Must use Google Chrome (Safari is currently not compatible with Duo for 2-factor authentication with Touch ID)
Method: Security Key
This is a small device (about the size of a thumb drive) that generally connects to a computer's USB port. When pressed, its button sends a signed response back to Duo to validate your login. At this time, Technology Services is not purchasing security keys in bulk for staff. However, you are welcome to use or purchase your own as long as they are compatible with Duo.
Requirements:
- View updated requirements on Duo's user guide: https://guide.duo.com/security-keys#security-key-defined
What if these methods don't work for me?
For staff members who are unable to use a smartphone, tablet, or biometric authentication required for Duo's multi-factor authentication (MFA), the district has a supply of OTP hardware tokens that can be provided instead. The flowchart below also explains how staff can make the decision between Duo Mobile and using OTP hardware tokens:
Unlike other authentication methods, OTP hardware tokens require admin intervention to be appropriately linked to a staff Duo account. To reduce the wait time, please submit a request to Technology Services through our ticketing portal: Incident IQ.
After logging into the portal, select the option Request OTP Hardware Token and you'll be walked through the ticketing process.
If you run into any issues, contact your friendly neighborhood SPOC or call the Help Desk (541-757-3911) to discuss authentication options.
Configure Authentication
Select your preferred method to view detailed instructions below:
Duo Mobile Set-up
After selecting Duo Mobile, you may enter your cell number or choose the “I have a tablet” option if your device does not support this service. Duo will save this number as an alternative authentication method, but it is not required.
If you do not want to enter your phone number, use the “I have a tablet” link.
Duo Mobile can be downloaded from Google Play (Android devices) or the App Store (Apple devices). Once installed, choose the “Next” button and a QR code will be displayed. If you view the QR code on a different device from where you just installed the Duo Mobile app, open the app and scan the code.
If you cannot scan the QR code, select the “activation link” option instead.
Duo will prompt you for an email address and will send you a Duo Mobile link. If you've installed Duo Mobile on a phone or tablet that doesn't use your district email address, you can enter a personal email to receive this activation link.
The email you use for this purpose won't be stored or linked to your account in any way- only your district address can be used for authentication.
Using the device with Duo Mobile installed, open your email and look for a message from Duo Security. Tap the link and Duo with automatically open the app and link your district profile.
You will be given the opportunity to provide a nickname for this account. This will be part of the notification when CSD programs require additional authentication through Duo. You may customize the name or tap save to finish the enrollment process.
Duo Mobile users may not see the Setup Complete message displayed below this section; as long as you used the Save button in the app, your enrollment should be finished.
MacBook Touch ID
After selecting the Touch ID method, Chrome may display a pop-up before asking for your touch input:
You must select “Continue” on the first prompt before using the touch input. A success window will display once your Touch ID has been linked to Duo.
Phone (text only) Set-up
Enter your phone number and you will receive a text containing a numeric code.
Enter the passcode to verify your identity.
After adding a primary authentication method, Duo may ask if you'd like to add a secondary option. You can proceed with this, or click “Skip for now” to complete set-up.
Congratulations, enrollment is complete!
Next, confirm you can sign in using the instructions below.
Using Duo
The best way to confirm Duo works is to visit CSD's Duo Central platform: https://csd509j.login.duosecurity.com/
Enter your full district email and password, then Duo will use your primary authentication method to confirm your identity. A notification will appear on your phone/tablet linked to Duo Mobile asking to verify your identity. Tapping on the notification banner will open the Duo Mobile app where you can Deny or Approve the sign-in attempt.
Alternatively, selecting the “Tap To View Actions” button will give you the same options without opening another app screen.
Add/Remove Devices
To add or remove secondary authentication methods in Duo, open Duo Central and sign in: https://csd509j.login.duosecurity.com/
Select the option Manage Devices and Duo will ask for authentication once more.
Once signed in, your current authentication devices will be listed.
Use the Edit button to remove a device or select the Add a device option to add additional authentication methods.
Problems?
Forgot your phone at home or otherwise don't have access to your main authentication method? Tech Services can provide a temporary passcode granting access to your protected account. Contact your building SPOC or stop by the Technology office for further information.
