Charles Sturt University

Multi-Factor Authentication

Multi-factor authentication (MFA) is being progressively rolled out at CSU to access sensitive and risky information and communications technology (ICT) services. On this page you will find information on how to set up and use MFA.

What is multi-factor authentication?

MFA is one of the most effective controls that can be used to prevent an attacker from gaining access to IT services and sensitive information. It strengthens access security by requiring two or more methods - also referred to as factors - to verify your identity. These factors can include something you know - like a username and password, plus something you have - like a smartphone app to approve authentication requests.

The use of MFA is becoming common. You may be familiar with using it to access online banking, the MyGov website and other internet services, where in addition to logging in with your password, you have a second step to authenticate your identity.

Duo Security is the MFA solution delivering additional security protection for CSU users requiring remote access to sensitive or privileged ICT services.

To use MFA follow the steps below.

Enrol your device

You need to use a device that is separate to your work computer to log in to an MFA enabled ICT Service. If you have a CSU supplied mobile phone, you are required to enrol and use it. If you don’t have a CSU mobile phone, you can choose to use your own, either through installing the MFA app, or through receiving SMS messages on your phone. If you don’t have a CSU supplied mobile phone and don’t want to use your own phone, you can use a CSU supplied token generator - contact the Computer Shop.

The following steps are only required once for each device. You need to have an active internet connection for this process.

  1. Go to the MFA tool to enrol your phone, tablet or other device.
  2. At the welcome screen click on Start setup.
    Startup screenshot
  3. Select the type of device you'd like to enrol and click Continue - we recommend using a mobile phone for the best experience.
    Type of device screenshot
  4. Select your country from the drop-down list and type your phone number - if you are enrolling a tablet you are not prompted to enter a phone number.
    Use the number of your mobile phone that you will have with you when you're logging in to a Duo protected service - double check that you entered it correctly, check the box, and click Continue.
    Enter your phone number screenshot
  5. Choose your device's operating system - if you do not wish to install and use the Duo Mobile App, but wish to use SMS select Other - click Continue.
    What type of phone
  6. If using the Duo App - follow the steps below for Installing and activating the Duo Mobile App.
  7. Click on Finish Enrolment.
    My settings and devices screenshot

Note: If you wish to use the SMS option you do not need to install the Duo Mobile App - your device is now ready to use Duo Security authentication via SMS requests.

Installing and activating the Duo Mobile App

Duo Mobile is an app that runs on your smartphone and helps you authenticate quickly and easily. Activating the app links it to your account so you can use it for authentication.

Note: Duo Mobile app also offers a security checkup feature. This maintains the security hygiene of your mobile device through notifications in the Duo Mobile application - this is not a CSU MFA requirement.

  1. To begin the process access the MFA tool.
    Note: for a better experience, it is best to open this link on your computer as you have to activate Duo Mobile App on your iPhone, Android or Windows phone by scanning the QR code with the app’s built-in barcode scanner.
  2. Launch the App Store or Google Play Store and search for Duo Mobile.
  3. Follow the platform specific instructions on the screen to install Duo Mobile app.
  4. After installing the app, return to the enrolment window and click “I have Duo Mobile installed”.
  5. On iPhone, Android, and Windows phone activate Duo Mobile by scanning the barcode with the app's built-in barcode scanner. Follow the platform specific instructions for your device.
    Activate duo mobile for iOs screenshot
    Note: If you cannot scan the barcode click “Or, have an activation link emailed to you instead” and follow the instructions.
  6. If the barcode is successfully scanned click the Continue button.
    Activate duo mobile for iOS with green tick screenshot
  7. To test click Send me a Push or click Enter a Passcode to send an SMS to your phone.
    Device choose authentication method
  8. Approve the Duo login request you receive.
    Screenshot of the Duo login request with buttons to Approve or Deny

Connecting to Duo enabled ICT services

VPN - Admin and Staff

  1. Double click on Cisco AnyConnect on your desktop.
  2. Select the appropriate Group: CSU-Admin or CSU-Staff
  3. Enter your CSU Username and Password.
  4. Cisco anyconnect VPN with push screenshot
     Duo staff push login screen

  5. For the “Duo Passcode” field type in one of the following then click OK:
    Table 1 - Duo Passcode field options

    • push (preferred) - If you have registered the Duo app on your mobile phone you will receive a push notification on your device, then tap Approve or Deny. Touch on the green approve ✔ to connect.
    • passcode - You can also enter a one-time code generated by your Duo app.
    • sms (cost to CSU) - You will receive an SMS message with 10 one-time codes that you can use. Enter one of the codes into “Duo Passcode” field to connect.
    • sms2 (cost to CSU) - You will receive an SMS message the same as above on your secondary device. Only use this if you have registered more than one phone.
    • phone (cost to CSU) - You will receive a call on your registered phone number. As per the voice instruction, push [1] on your phone to connect.
    • phone2 (cost to CSU) - You will receive a call the same as the above on your secondary phone number. Only use this if you have registered more than one phone number.

Examples

  • Push - Enter push in the Duo Passcode field. You will receive a prompt on your device to Approve or Deny. If you do not receive a push notification, this may mean that your device has not allowed notifications for Duo Mobile - check this in your settings on your device.
    Cisco anyconnect VPN with push screenshot
    Duo staff push login screen
    approve or deny button
  • Passcode - Enter your one-time passcode (generated from the Duo Mobile app) in the Duo Passcode field.
    Cisco anyconnect VPN with Duo passcode
    Duo staff code login screen
  • SMS - Enter sms in the Duo Passcode field - you will receive 10 passcodes to your mobile phone.
    Cisco anyconnect with Duo sms screenshot
    Duo staff sms login screen
    The VPN screen will show login failed.
    Cisco anyconnect login failed screenshot
    Log in a second time with one of the codes that gets sent to your phone via SMS.
    Note: You do not need to enter sms again until you have used all 10 passcodes you received.
    Cisco anyconnect with Duo sms screenshot
    Duo staff sms login screen

  • Hardware token - Press the green button on your hardware token and enter the code that appears. For example, the code 1178472 appeared on the hardware token.

    Duo hardware token screenshot

    Cisco anyconnect with Duo sms screenshot
    Duo staff sms login screen

Managing your device

You can easily manage your devices by accessing the MFA tool.

Enrol another device

  1. Access the MFA tool
  2. Choose an authentication method and complete two-factor authentication to begin adding your new device.
    Device choose authentication method

    Note: If you are setting up a new mobile phone and no longer have access to your old phone, don’t use Duo Push authentication (the Push will be sent to your old phone). If your mobile phone number has not changed you can still use SMS passcode or Call Me to authenticate. Remember that you will need to reactivate Duo Push on your new phone once you have successfully authenticated.

    To use SMS passcode:

    Select Enter a Passcode.
    Enter passcode screenshot

    Select Text me new codes.
    Text new codes screenshot

  3. Select Add another device.
    Add another device
  4. Select the type of device you are adding - Mobile phone.
    Screenshot what type of device are you adding
  5. Enter and confirm the second phone number.
    Confirm second phone number screenshot
  6. Select the new phone's operating system.
    What type of phone screenshot
  7. Install Duo Mobile on the new phone and scan the barcode to activate.
    Activate duo mobile for iOs screenshot

The new phone is added and listed with your other enrolled devices. You can click Add another device to start the enrolment process again and add another authenticator.

Enable automatic push requests

  1. Change the When I log in setting from “Ask me to choose an authentication method” to “Automatically send this device a Duo Push” or “Automatically call this device” (this is a cost to CSU) – click Save.
    Ask me to choose authentication method screenshot
  2. Click Finish Enrolment.

Reactivate Duo Mobile

  1. Choose Device Options.
    device options screenshot
  2. Choose Reactivate Duo Mobile.
    Reactivate duo mobile screenshot

    Note: If you need to get Duo Push working on your phone, for example if you replaced your phone with a new model but kept the same phone number, after answering some questions about your device you'll receive a new QR code to scan with your phone - this will complete the Duo Mobile activation process.

    Activate duo mobile for iOs screenshot

Change device name

  1. Choose Device Options.
  2. Click Change Device Name to open up an interface to change the display name of your phone (hardware tokens can't be renamed).
    Change device name screenshot
  3. Type in the new name and click Save.
    My settings and device with save screenshot

    Note: After successfully modifying your phone's name - not only will you see this when managing devices, but it will also be how your phone is identified in the authentication drop-down.

Specify default device

  1. Click the Default Device drop-down menu and pick your device for authentication. Click Save if you're done making changes.
    Default device screenshot
  2. If this is the device you'll use most often with Duo then you may want to enable automatic push requests by changing the When I log in: option from "Ask me to choose an authentication method" to "Automatically send this device a Duo Push" or "Automatically call this device" and click Save.
    Ask me to choose authentication method screenshot
  3. Note: With one of the automatic options enabled Duo automatically sends an authentication request via push notification to the Duo Mobile app on your mobile phone or a phone call to your device (depending on your selection).

Remove a device

If your new device is replacing the one you previously enrolled, you can remove the device you won't be using for authentication.

  1. Click the Device Options button next to the device you want to remove and then click the trashcan button.
    Remove a device
  2. Confirm you want to remove the device.
    Confirmation to remove device screenshot

FAQs

Can I install Duo Security Mobile app on my laptop or desktop?

No. The Duo Security Mobile app is only supported on devices such as mobile phones and tablets. You can only use your laptop or desktop when you first enrol/register for Duo Security.

You will need to use a device that is separate to your work computer to generate an additional passcode to log in to an MFA enabled ICT service (VPN).

If you have a CSU supplied mobile phone you are required to enrol and use it. If you don’t have a CSU mobile phone, you can choose to use your own phone.

If you do not have a compatible mobile phone, or don't want to use your personal device, you can request a hardware token (digipass go6) – please contact the Computer Shop.

The hardware token is used to generate a one time passcode (OTP) which you enter into the login screen when prompted.

Do I need to use MFA for my work?

If you use the VPN service for Admin (CSU-Admin) or Staff (CSU-Staff) you need to use MFA.

You will be required to use MFA as it becomes standard for accessing sensitive services.

Do I have to install the Duo MFA app on my own mobile phone?

No. Installing the Duo app on your own personal mobile phone is optional. Alternative authentication methods are available, such as Call Me, SMS messaging or using a hardware token.

You are required to use the Duo app on a CSU supplied mobile phone.

Vendors and third parties who are required to use MFA to authenticate will not be issued with hardware tokens and are expected to use their own mobile phone.

Do I have to start using VPN?

No. You don’t have to start using VPN if you don’t already have access.

Does MFA apply to all VPN access?

Yes. MFA applies to all users with Admin VPN and Staff VPN access.

Can I change the authentication method I use?

Yes. Each time you log in using MFA you can choose which authentication method you would like to use: Push Notification (preferred option), Call Me, SMS or a one-time passcode.

You can alternate between using Push, SMS and Call Me if desired.

What do I do if I lose or misplace my MFA device?

If you lose or misplace your MFA device call the IT Service Desk who can provide a bypass code that you can use to authenticate. You will need to confirm your identity before a bypass code will be issued.

If you have temporarily misplaced your MFA device or left it at home you can use the provided bypass code - then resume using your regular MFA device when possible.

If you have lost your MFA device or had it stolen you can use the provided bypass code to remove your device from your CSU account and enrol a new device.

Which ICT services will prompt me for MFA?

The following services are configured to prompt for MFA:

  • VPN Admin Access (CSU-Admin)
  • VPN Staff Access (CSU-Staff)
  • PasswordState (systems admin password management)

The services listed below will be enabled for MFA as the project progresses - keep your eye on this space for updates.

  • Non-student use of VDI environments
  • Web Outlook
  • Critical Systems Privileged Access
  • Dynamics 365 Privileged Admin Access

Will I be prompted for MFA each time I log in to an enabled service?

Yes. At this stage all enabled services will require you to provide an additional factor (MFA) each time you log in.

Why can’t I use an existing MFA application or token?

Duo Security provides a streamlined user experience through the use of push notifications and enterprise management features allowing DIT to effectively support CSU staff.

Most third-party issued MFA tokens, like the one issued by a bank, are not able to be used because they are tied to the organisation that issued them. Other MFA tokens need to be plugged into a USB port on your computer making them unsuitable for authenticating when using a smartphone or tablet. Supporting third-party MFA applications such as Google Authenticator introduces additional complexity which makes it difficult to support and provide a good user experience for our staff.

What if I don’t want to use my personal device?

If you do not have a compatible mobile phone, or don't want to use your personal device, you can request a hardware token from the Computer Shop. The hardware token can be used to generate a one time passcode (OTP) which you will need to enter into the login screen when prompted. If you enrol your personal device after being issued a hardware token you will be requested to return the token so that it can be allocated to another staff member.

What if my mobile phone does not have internet connectivity and is not connected to a Wi-Fi network?

In addition to approving authentication attempts with a single press via a push notification, the Duo Mobile app can be used to generate one time passcodes (OTP) that you can use as a second authentication factor. Your mobile phone does not need to be connected to the internet to generate a one time passcode.

Which versions of Android and iOS are supported?

The current version of Duo Mobile supports Android 6.0 and greater, and iOS 10.0 and greater.

We cannot guarantee Duo Mobile's functionality on preview/beta software provided by Apple. Duo recommends upgrading to the most recent version of iOS available for your device.

Note: Duo have decided to end support for the Duo Mobile application for Android 6.0 and iOS 10.0 effective July 28, 2019.

For more details go to:

How much data does a Duo Push request use?

Duo Push authentication requests require a minimal amount of mobile data – less than 2KB per authentication. This amount of data usage falls well within a typical push notification. While concerns regarding data usage are certainly understandable, the bandwidth consumed by Duo Mobile for many authentication requests every day would have an overall negligible effect on mobile data use. You can find further information on the Duo Knowledge Base.

Does the Duo Mobile app need access to my mobile number?

Duo will ask you for your mobile number for accessing the app. CSU would not use your number for any other purposes.

Why does the Duo Mobile app need access to my camera?

When using MFA for the first time and enrolling your device the Duo Mobile app will use your camera to scan a QR code displayed on the screen.

What authentication methods are available?

Push notifications (this is the preferred option) - installing the Duo Security app on your mobile phone for either push notifications or to generate one time passcodes.

Call Me - automated phone calls

Passcodes -

You can alternate between using Push, SMS and Call Me if desired.

If I receive a batch of SMS passcodes which one should I use?

You can use any code from the text message - the order does not matter. The passcode will work as long as it has not been used in the past and you have not received a new batch of passcodes. A new batch of passcodes will invalidate all previous batches.

Duo keeps track of which passcodes have been used and will give you a hint about the next valid SMS passcode at the bottom of the authentication prompt:

Duo Security screen showing the hint for the next sms code at the bottom of the screen
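
The batch rules described in this answer (any order, single use, a new batch invalidates earlier ones), modelled as an added example. This is not CSU's or Duo's code; the class, method and user names are hypothetical and the 7-digit code length is an assumption.

```python
import hmac
import secrets


class SmsPasscodeBatches:
    """Toy model of the SMS batch rules in this FAQ (not Duo's implementation)."""

    BATCH_SIZE = 10  # the page says each SMS carries 10 one-time codes

    def __init__(self):
        self._active = {}  # user -> set of unused codes from the latest batch

    def send_batch(self, user):
        """Issue a fresh batch; replacing the set invalidates every earlier batch."""
        codes = set()
        while len(codes) < self.BATCH_SIZE:
            # 7-digit codes are an assumption for the demo, drawn from a CSPRNG
            codes.add(f"{secrets.randbelow(10**7):07d}")
        self._active[user] = codes
        return sorted(codes)

    def verify(self, user, submitted):
        """Accept any unused code from the latest batch, in any order, once."""
        match = None
        for code in self._active.get(user, ()):
            # constant-time compare; scan the whole batch without early exit
            if hmac.compare_digest(code.encode(), submitted.encode()):
                match = code
        if match is None:
            return False
        self._active[user].discard(match)  # single use: burn it on success
        return True

    def remaining(self, user):
        return len(self._active.get(user, ()))


def demo():
    """Walk through the cases the FAQ describes and return the outcomes."""
    svc = SmsPasscodeBatches()
    first = svc.send_batch("staff1")  # constructed user name
    results = {
        "out_of_order": svc.verify("staff1", first[7]),  # order does not matter
        "replay": svc.verify("staff1", first[7]),        # already used
        "left_after_one": svc.remaining("staff1"),
    }
    second = svc.send_batch("staff1")  # a new SMS is requested
    stale = next(c for c in first if c != first[7] and c not in second)
    results["old_batch"] = svc.verify("staff1", stale)   # earlier batch is void
    results["new_batch"] = svc.verify("staff1", second[0])
    return results


if __name__ == "__main__":
    print(demo())
```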

What do I do if I have trouble receiving Duo Push on my Android device?

Duo Push delivery issues are most often resolved by pulling down on the screen (pull-to-refresh). This should get push notifications working properly in most cases.

Go to troubleshooting Duo Push notification issues on Android devices for more information.

Contact

If you have any questions about using multi-factor authentication contact the IT Service Desk.