Using Two-factor Authentication Remotely with VPN (Virtual Private Network)
Beginning March 1, using Tech systems and services remotely via VPN (Virtual Private Network) will require an additional layer of security by using two-factor authentication. For step-by-step instructions, refer to the Quick Reference Guide on Remote Login Using VPN with Two-Factor Authentication.
For non-Cisco VPN Users: if you are using another application to log in remotely, such as IPsec, you will need to switch to Cisco AnyConnect. Please refer to the FAQ on switching to AnyConnect- “How Do I Get Started with the Campus VPN.”
To read more about using VPN with Two-factor Authentication, including your options for entering your second factor (push, code number, etc.), refer to the links below.
To install the Cisco AnyConnect VPN application: https://faq.oit.gatech.edu/content/how-do-i-get-started-campus-vpn
Two-Factor Authentication – Quick Reference Guide http://www.twofactor.oit.gatech.edu/sites/default/files/images/duo_quick_reference_guide_2016.pdf
Security Risk Using Text Messaging Option in Two-factor Authentication
Using text messages as an authentication method will no longer be an option after Wednesday, February 15, 2017. The use of SMS/text messages for authentication purposes has been deemed as a security risk according to a new standard published earlier this year by National Institute for Standards and Technology (NIST). DUO supports the findings of NIST and as a consequence will no longer support the use of SMS as an authentication method.
If you currently use SMS for authentication to Georgia Tech, there are several other methods you can use with two-factor authentication at Georgia Tech. To learn more about how to use these options, please refer to the Quick Reference Guide or see your local IT support professional to understand your options.
For a complete list of contacts, please refer to the Departmental Support Contacts List or visit the Two-factor Authentication website. For more information on the security issue in using text (SMS) with two-factor authentication, please see Duo’s new guidelines in partnership with NIST or the NIST’s report.
Notice for LastPass Users Unable to Login to Duo from the CAS Page (Chrome Users Only)
If you are using LastPass, please note that version 4.1.38 of the LastPass extension for Chrome has an issue that makes the Duo login form on the CAS login page unusable. If the CAS page is not working for you, please use another browser or disable the LastPass extension. You can read more details and check the status of this problem at Duo’s Incident page.
New to Georgia Tech? How to Enroll in Two-factor Authentication
Georgia Tech uses two-factor authentication to help protect the Institute’s data. If you are a new employee, you’ll need to include two-factor authentication to your login process.To prepare for enrollment, follow the Pre-checklist for Two-factor Enrollment Using Duo. To start using Duo, the application Tech used for implementing additional security, see your departmental IT support staff, or your hiring manager. You can find a list of IT contacts from the “For Users” tab in the link “List of Departmental Contacts for Enrolling in Two-factor Authentication."
"Remember Me for a Day" Option Extends from One to Seven Days
For users currently using the “Remember me for 1 day” option on the Duo app, there’s good news. The time required by any user to authentication using the Duo app has changed from one day to seven days. This means users who have checked this option on the Duo app will not need to authenticate with their second factor, the Duo app, for seven days after they've initially logged in and authenticated.
To use this feature, specific parameters must be met. These parameters include not changing browsers for seven days and/or not changing devices used to authenticate for seven days. For example, if a user has the “Remember me for 7 days” checked on the Duo app, but uses a different browser on the same device, or if a user uses a different device during the week, the Duo app will require a new authentication option. The "Remember me for 7 days" will only work If using a single device and the same browser for seven consecutive days.
New Self-Service Options Available for Users and IT Administrators
Self Service Options on the Duo App
1. Add a New Device – Use this feature if you have only one mobile device enrolled and you’d like to add a backup device, or if your primary device is lost or stolen and you replaced it with a new device in case you forget your mobile device or the battery needs recharging on your mobile device. (Note: This feature is available when logging into CAS, but not available when logging into Passport.)
2. Call Me or Set up a Secondary Device in Passport– If you elect to use an office phone as a backup device, you can select this option as a “Call Me” feature. To use this as a backup authentication option, go to Passport (www.passport.gatech.edu) and set up a secondary device such as an office phone. Options are located on the left menu of Passport under “Two Factor.” Please keep in mind that any phone used on campus as a “second factor” must be located inside a locked office space. Phones which are publicly accessible are not acceptable.
3. Remember Me for a Day - If you select Duo’s “Remember Me for A Day” option at the authentication prompt, you’ll only need to use two-step authentication once every 24 hours. You’ll only need to authenticate again if you switch to a new device within the 24 hour period, e.g. desktop to laptop, or laptop to tablet. (Note: This feature is available when logging into CAS, but not available when logging into Passport.)
Self Service Options in Passport
Users of Passport who are also users of two-factor authentication (Duo) can use new self-service options from the Passport menu for onboarding new users and for helping those who may need a temporary code to access systems and services.
Using the "Web of Trust" features
These features provide authorized two-factor users with the ability to onboard new users to two-factor with Duo using a "web-of-trust" feature. Authorized users can also help other users access systems and services in the event that their device is not available by giving them a 24-hour rescue code.
Note that only authenticated staff (and Mage administrators/IT leads) have rights to assist another person at this time.
Using backup codes and status indicators in Passport and CAS
Other new features in Passport not related to onboarding include:
- Providing each Duo user with the ability to generate and print backup codes in Passport.
- Offering a new status listing in Passport and CAS (login.gatech.edu) that indicates whether a two-factor user needs to add backup devices or print backup codes to help ensure he/she can access systems and services that require two-factor authentication.
Look for additional enhancements coming soon including using two-factor authentication with VPN.
For questions, email 2FA@oit.gatech.edu.
Office of the Provost Begins Adoption of Two-Factor Authentication
Division of Administration and Finance Adopts Two-factor Authentication
In an ongoing effort to bring two-factor authentication to the Georgia Tech campus, the Division of Administration and Finance began deploying two-factor authentication in April 2016 following the deployment of the Office of Development and Office of the President in late 2015. Additionally, several schools and colleges have expressed interested in adopting two-factor authentication for their faculty and staff. Deployment of two-factor authentication using Duo to other schools and departments will continue through 2016.
New Enhancements to the Duo Login Screen
Duo now allows a user to chose an option "Remember me for a day" on the login screen to limit the number of times he/she must authenticate while logged into Tech's systems.
Duo updated the two-factor authentication screen used to login to applications. They’ve introduced new features to enhance the user experience by 1) displaying how each authentication method works before a user selects an option and 2) providing an easy way to enroll new devices and utilize more self-service options.
Learn About New Features for Duo
For more information on these new enhancements, click on the following link.