Frequently Asked Questions

What is Two-Factor Authentication?

Two-Factor Authentication is a security best practice that requires more than one type of security method when logging in to an application. An authentication method can include something you know (a password or PIN), or something you have (a unique code).

Two-Factor Authentication adds an extra layer of protection that makes it more difficult for anyone to gain access to your accounts, even if your password has been compromised.

How will my login experience change with Duo?

Your login experience will only change when you access a Duo-protected service in a way that Duo determines should invoke two-factor authentication, such as accessing myApps from another country.

You will continue to log in to the service using a CWID and password (“something you know”). Duo then, based on a policy decision, asks for the second level of authentication using a code (“something you have”). The code can easily be accessed from a smartphone app, SMS, or voice call.

How do I enroll in Duo?

On your start date at Weill Cornell Medicine, you will receive an email from Duo with enrollment instructions. Click the link to continue and complete the enrollment. For a full overview of how to enroll in Duo, see this KB article: Duo Enrollment Workflow.

You can utilize Duo on many devices, including:

  • Mobile phones via app
  • Tablets via app

Does the Apple Watch support Duo?

Yes, Duo supports the use of the Apple Watch to authenticate a user's session and generate a token. More information is available on the Duo website.

Can Duo be used with a physical token?

Yes. The preferred method to use Duo is by using a smartphone. However, if you do not have a smartphone, you can ask your Department Administrator to request a physical token for you.

Why is ITS requiring two-factor authentication?

Phishing is a leading method used by hackers to gain access to your password and data and to compromise your accounts. A second layer of security helps significantly to mitigate this risk. In fact, two-factor authentication is one of the best ways to protect against remote attacks on WCM accounts such as phishing, credential exploitation, and other attempts to take over your accounts. When two-factor authentication is enabled with web-based applications, such as myApps, remote attackers are unable to access your accounts without possessing the physical device needed to complete the second factor.

Does the phone on which I’d like to install Duo need to be tagged by ITS?

No, you can install Duo on any device whether it is tagged by ITS or not.

Do I need to be connected to the Internet to use the Duo app?

No. After you register with Duo, using the app does not require Internet connectivity. If your phone is not connected to the Internet and you need to use the Duo app, choose the “Enter a passcode” option as an authentication method as shown on the screen below. This screen should appear when you try to log in to a site that requires two-factor authentication.

Then, get your passcode by tapping the key button on your Duo app screen. This works anywhere, even in places where you don’t have an internet connection or can’t get cell service. 

If I travel abroad and buy a local phone/SIM card while I’m there, can I still use Duo to access the network?

Yes. To do this, you can borrow a FOB Key (a small authentication device) from ITS. Please stop by the SMARTDesk at 1300 York in the Library a few days prior to your departure to borrow a Duo FOB. If you travel frequently, you may want to purchase your own key ($18 to $50). We suggest either the FIDO U2F Security Key, YubiKey 4, or YubiKey 4 Nano: http://www.amazon.com/s/field-keywords=yubikey

If you travel abroad and use your own phone, use the “Enter a Passcode” authentication method to access Duo-enabled sites.

Do I need to re-register my email account when I install Duo?

No.

What kind of permissions does Duo need on my phone?

  • Duo does ask for the ability to provide Notifications to you. This is used to notify you of login attempts and ask for your approval. You can remove this permission, but you’ll need to remember to manually open the app whenever you need to approve a Duo request.
  • Duo does ask for access to the network so that it can send and receive information about your login attempts. You can remove this permission, but you’ll then need to rely on the offline Passcode authentication method, which isn’t as easy or convenient as other options.
  • Duo does ask for camera access so that it can scan for QR codes to more easily add accounts to the app. You can remove this permission, but you will then need to type a long string of numbers and letters into the app instead.

What kind of data does the Duo app collect?

  • Duo does collect the names of applications you have saved in the Duo app, but only the name of the application is saved. Any interaction you have with those applications, or data you send or receive, is not monitored or saved.
  • Duo does collect the On/Off value of various security-related settings on your phone. For example, Duo will log whether you do or do not have fingerprint or face recognition enabled, but the actual fingerprints or facial scans are not accessible by Duo. Duo will log whether your device is “jailbroken” or “rooted,” whether it is encrypted, what operating system it is running, and whether you have a screen lock enabled.

What kind of data does the Duo app not collect?

  • Duo has no access to your apps, files, contacts, pictures, movies, text messages, or emails stored on your phone.
  • Duo does not monitor or track your internet activity, including what websites you visit or what data you send to or download from other websites.
  • Duo does not sell your device data to other companies.

 
