Los Rios utilizes Multi-Factor Authentication (MFA) to safeguard information systems and the confidential data stored on those systems.
MFA requires users to complete multiple steps to verify their identity before they can access Los Rios applications or online accounts. This creates an extra layer of security that is incredibly difficult for attackers to get past in the event a user's password is compromised or stolen.
This page provides instructions to help users enroll in and configure MFA and provides answers to common questions.
Getting Started
Duo Self-Enrollment
To begin, enroll in Duo, an app that provides easy, one-tap authentication.
Read Setting Up Duo Mobile Version 4 for Los Rios Multi-Factor Authentication.
Test Your Account
Next, test your account with Duo. If you have already tested Duo and have selected the Remember me for 30 days checkbox, then you will need to activate incognito mode on your browser prior to testing your account.
Set Up "Remember Me for 30 Days"
Consider enabling the option to have Duo remember your device for 30 days. Selecting the "Remember me for 30 Days" checkbox means you will only be required to go through the Duo MFA process once every 30 days if you use the same device and browser. Only use this feature on devices you own or that have been issued to you by Los Rios. Never use this feature on public or shared devices.
Read Setting Up "Remember Me for 30 Days" in Duo Mobile.
Manage Your Devices and Settings
Users can manage their devices and settings within Duo.
Read Managing Duo Settings and Devices.
Information Session Recordings
FAQ
Duo MFA is a security solution that adds a second layer (factor) of protection when you attempt to access a secure system. Your password is the first factor, something you know, and your phone becomes your second factor, something you have. Even if someone has stolen your password, as long as they don't also have your Duo-connected phone or security device (the second factor) they won't be able to access your account.
The following is a brief introduction to Duo MFA:
Los Rios is committed to safeguarding our information systems and the confidential data stored on those systems. MFA requires users to complete multiple steps to verify their identity before they can access Los Rios applications or online accounts. This creates an extra layer of security that is incredibly difficult for attackers to get past in the event a user’s password is compromised or stolen.
All employees (faculty, adjunct faculty, classified staff, temporary, contractors, and student employees) who access Los Rios systems via Single Sign On (SSO) are required to use Duo MFA. Students not employed by Los Rios will not be impacted by this change.
Duo MFA will be enabled for all applications currently accessible through Single Sign-on (SSO), including the following:
- Microsoft Office 365/Outlook, G-Suite/Gmail, Canvas, Online Grading System (OGS), Socrates, and so on
- GlobalProtect VPN for remote access (already in place)
- Virtual Desktop Instances (VDI)
- PeopleSoft Applications (such as Campus Solutions, Human Resources, and Financials)
How you authenticate depends on what devices you have available and enrolled. Once your device is enrolled, you may choose from the authentication methods below whenever a Duo-protected service requires two-factor authentication.
- If you chose Duo Push (recommended): If the Duo Mobile app is installed on your smartphone or tablet, then you can receive a push notification and can either approve or deny the authentication attempt. Watch a video about Duo Push.
- If you chose Call Me: You receive an automated phone call from Duo that will give instructions on approving or denying the authentication attempt. The call will also allow you to indicate if it was a fraudulent call. This option is available for smartphones, basic cell phones, and landline phones. Watch a video about Call Me.
- If you chose Enter a Passcode:
  - SMS Text Message – You will receive an SMS text message with a block of ten single-use authentication codes that are good for up to one year. This is another option if you don't have a good cellular or WiFi signal on your phone. Available for any device capable of receiving SMS text messages. Watch a video about SMS Text Messages.
  - Duo App-Generated Code – If you have the Duo Mobile app installed, then you can receive a single passcode by tapping the key in the mobile app. This passcode must be used immediately. This is a good option if you do not have a good wireless or WiFi signal on your phone. Available for smartphones and tablets. Watch a video about Duo App-Generated Code.
  - Duo Hardware Token – This is a small device (about the size of a USB drive) that generates a passcode to be entered into the Duo MFA application. Only Duo Hardware tokens issued by Los Rios will work. To generate a passcode, press the button on your hardware token. This option works anywhere and does not require a wireless or data connection. If you do not have access to a smartphone, basic phone, or landline, then request a hardware token via Service Central. Watch a video about Duo hardware tokens.
Device | Authentication Options | Platforms Supported |
---|---|---|
Mobile Phones (Smartphones) | | iOS, Android |
Mobile Phones (Basic Cell Phones) | | Mobile phones with SMS text messaging capability |
Tablets | | iOS, Android |
Landlines | Phone call | All |
Duo Hardware Token | Passcode | N/A |
Duo Mobile is a mobile application (app) that you install on your smartphone or tablet to generate passcodes for login or receive push notifications for easy, one-tap authentication on your mobile device. It works with Duo MFA to make your logins more secure. For Android devices, it can be found in the Google Play store; for Apple iOS devices, it can be found in the iTunes App store.
If you have a smartphone or tablet, then we recommend Duo Push, as it is quick, easy to use, and secure.
Duo Push authentication is quicker than a text or a phone call. Authenticating with a text message requires waiting to receive the text, reading a passcode, and then typing it in. Phone calls require answering the phone, listening to the recording, and using the dial pad to approve the login.
Duo Push is as simple as approving a notification on your smartphone. Duo Push authentication is more secure because it uses cutting-edge end-to-end encryption, which text messages and phone calls cannot provide. Additionally, the Duo Push screen displays detailed information about the application and source device that initiated the authentication request. Duo Push also allows you to report a fraudulent attempt to access your account.
No. The Skype phone system is not as secure as the other options for receiving a Duo authentication push.
No. You will only be required to go through the Duo MFA process once every 30 days if you use the same device and browser and have selected the Remember me for 30 days check box on the Duo MFA screen.
For example, if you’re working on your laptop accessing any SSO integrated application (for example, Canvas, OGS, Outlook, or Socrates) through the same browser, you only need to log in with MFA once every 30 days. If you need to access these applications through a separate device (such as a desktop or mobile phone) or another internet browser (such as Firefox or Chrome) on the same device, then you will be prompted to log in with MFA again and can select the Remember me for 30 days checkbox for that device/browser.
Only use Duo's Remember me feature on devices you own or that have been issued to you by Los Rios. Never use this feature on public or shared devices.
You may have set the Duo service to automatically "Send Me a Push" or "Call Me" when you enrolled your device. Please follow these steps to bypass the automatic push or call feature so you can enable the "Remember Me for 30 Days" option.
Note: You will only need to bypass the automatic push or call feature once. If you select the "Remember Me for 30 Days" option, then it will be in place for every subsequent login.
- When Duo tries to automatically push or call you, click the Cancel button in the blue bar at the bottom. This will cancel the authentication request.
- Click the Dismiss button that appears in the blue bar at the bottom.
- You should now see your authentication options and a box that says, Remember me for 30 days.
- Check that box to remember your device/browser for 30 days.
Duo uses cookies to enable the "Remember me for 30 days" feature. If your web browser restricts cookies, does not accept them, or deletes them when you close the browser, then this feature will not work.
Check your browser to see if it is blocking cookies or deleting them when you close the browser. If it is, then set your browser to either accept cookies or create an exception for Duo.
For information on how your browser uses cookies and how to change settings associated with cookies, visit the following pages:
Yes. You can add and remove devices from the Duo prompt. Note: If you have turned on the “Remember me for 30 days” feature, you will need to use a different browser or a private browser window to access this feature.
Additionally, if you have set up Duo to automatically send a push to your device, please refer to the “What if I don’t see the ‘Remember me for 30 days’ checkbox?” FAQ above to enable access to this feature.
To add a device:
- After logging in to Los Rios SSO, the Duo prompt will appear.
- Click Settings in the upper right-hand corner.
- Click Add a new device.
- Now you will have to verify – choose the method you prefer (push, call, or passcode) and verify.
- Enroll your new device using the onscreen prompts.
To remove a device:
- After logging in to Los Rios SSO, the Duo prompt will appear.
- Click Settings in the upper right-hand corner.
- Click My Settings & Devices.
- Now you will have to verify – choose the method you prefer (push, call, or passcode) and verify.
- Click the blue and white gear icon to the right of the device you would like to remove.
- Click Delete Device.
No. Duo Mobile has no access to change settings on your phone. It cannot read your emails or peer into your web browsing history. Lastly, Duo Mobile cannot wipe your phone or track your physical location.
The only information Duo Mobile collects is for the purpose of maintaining or troubleshooting the application. Collected data includes the hardware model, operating system version, and the version of Duo Mobile. The Duo Mobile application also will collect analytical data about how the end-user performs actions within the app such as selecting the option to use a passcode or using the Duo Push functionality. Additionally, crash reports are captured which can help IT staff report any reliability, stability, or performance issues to Duo.
Yes. Within the Duo application, select the menu button in the upper right-hand side and unselect Send Usage Data. After restarting the phone, no performance telemetry will be captured.
Duo Mobile requires permission to use your camera when you set up your smartphone or tablet. It only uses your camera to scan the Quick Response (QR) code used for activation. After activation, Duo Mobile doesn't access your camera. You can remove this permission and Duo Mobile will work fine.
For iPhone or iOS devices, go to settings and select Duo Mobile from the list. Toggle Camera to the off position.
For Android-based devices, go to settings, then application manager, and select Duo Mobile from the list. Under Permissions, toggle the Camera to the off position.
No. Your password is only verified by a Los Rios server and never sent to Duo. Duo provides only the second factor, using your enrolled device to verify it's you who is logging in.
Duo Push authentication requests require a minimal amount of data – less than 2 KB per authentication. For example, you would only consume one megabyte (MB) of data if you were to authenticate 500 times in a given month. This is less than the amount of data used to load a typical webpage on your device.
There are several reasons this could be happening. Please try the following to troubleshoot:
- Make sure your enrolled device has a cellular network or WiFi connection.
- Have the Duo Mobile app open when you authenticate.
- Restart the phone or tablet.
If the above solutions don't work, try using another authentication method, such as passcodes provided in the Duo Mobile app, or submit a request through Service Central.
By receiving multiple codes in one text message, you avoid having to receive a new text for every authentication attempt. You can use each passcode in order, one at a time, using the "Passcode" option when logging into Duo. The passcodes are valid for one year after they are sent. If you cannot find the previous text message, then you can send yourself a new text message with a new set of codes at any time.
If you use the text message option and do not have an unlimited message plan, then you will be charged for the text message. There are up to two mandatory texts to set up Duo on your phone. After that, you only get texts if you choose to authenticate using passcodes from a text message.
If you are charged for voice minutes on your device, then you will be charged for each call from Duo when you authenticate by phone call. The calls should be very brief (under one minute each).
If your Duo authentication device (phone or tablet) does not have internet connectivity or network signal, you will not be able to use Duo Push or a phone call to complete authentication. However, there are other options that will allow you to complete multi-factor authentication.
If you know that you will be going to a location where only your computer will have internet but your authentication device will not have internet, then make sure to test one of the alternate methods before you travel.
See this Duo Knowledge Base article for information on authenticating without cell or internet service.
No. If you are prompted for Duo authentication when you don't expect it, it may be that someone else is attempting to access your account. If you are ever unsure, click Deny and then select “It seems fraudulent”.
Submit a request through Service Central for further assistance/instructions.
Click the Cancel button in the blue bar at the bottom of the Duo login prompt to cancel the current push notification or phone call. Then, choose the other authentication method you wish to use.
The Duo authentication and device management options are keyboard-accessible and screen reader-compatible. Read more about how Duo meets accessibility requirements.
Submit a request through Service Central if you lose your phone or suspect it has been stolen.
If your phone number is the same and you only use the phone to receive text (SMS) messages or phone calls with Duo, then you do not need to do anything. You will authenticate with Duo exactly as you did on your old phone.
If your phone number has remained the same, and you have a new device you would like to use with the Duo mobile app, then read the “Can I use more than one device for Duo MFA?” FAQ to add your new device.
If your phone number has changed and you do not have a backup device enrolled for use with Duo, please submit a request through Service Central. If you previously enrolled a backup device, then follow the instructions in the “Can I use more than one device for Duo MFA?” FAQ to enroll your new device.
If the Duo mobile application was removed and needs to be reinstalled on the same device, with the same phone number, then you will reinstall the Duo mobile app on the device and reactivate it for your Los Rios account using the following steps:
- After logging in to Los Rios SSO, the Duo prompt will appear.
- Click Settings in the upper right-hand corner.
- Click My Settings & Devices.
- Now you will have to verify – if you don’t have a secondary device enrolled for your account, you will want to select Call Me to receive a push notification to your phone and then verify.
- Click the blue and white gear icon to the right of the device you would like to reactivate.
- Follow the onscreen prompts to reactivate your device for use with Duo mobile.
No, SID accounts have been associated with your WID account in Duo. This means that you will only have to register with Duo once with your WID account and your other accounts will automatically be associated with your WID account.
Yes, if your MFA device is temporarily not available, IT staff may be able to grant you temporary access. Please submit a request through Service Central for further assistance.
Contact
Visit Service Central to search for answers related to MFA or submit a request for assistance.