Multi-factor authentication (MFA) is being progressively rolled out at CSU to access sensitive and risky information and communications technology (ICT) services. On this page you will find information on how to set up and use MFA.
MFA is one of the most effective controls that can be used to prevent an attacker from gaining access to IT services and sensitive information. It strengthens access security by requiring two or more methods - also referred to as factors - to verify your identity. These factors can include something you know - like a username and password, plus something you have - like a smartphone app to approve authentication requests.
The use of MFA is becoming common. You may be familiar with using it to access online banking, the MyGov website and other internet services, where in addition to logging in with your password, you have a second step to authenticate your identity.
Duo Security is the MFA solution delivering additional security protection for CSU users requiring remote access to sensitive or privileged ICT services.
To use MFA follow the steps below.
You need to use a device that is separate to your work computer to log in to an MFA enabled ICT Service. If you have a CSU supplied mobile phone, you are required to enrol and use it. If you don’t have a CSU mobile phone, you can choose to use your own, either through installing the MFA app, or through receiving SMS messages on your phone. If you don’t have a CSU supplied mobile phone and don’t want to use your own phone, you can use a CSU supplied token generator - contact the Computer Shop.
The following steps are only required once for each device. You need to have an active internet connection for this process.
Note: If you wish to use the SMS option you do not need to install the Duo Mobile App - your device is now ready to use Duo Security authentication via SMS requests.
Duo Mobile is an app that runs on your smartphone and helps you authenticate quickly and easily. Activating the app links it to your account so you can use it for authentication.
Note: The Duo Mobile app also offers a security checkup feature. This maintains the security hygiene of your mobile device through notifications in the Duo Mobile application - this is not a CSU MFA requirement.
| Option | Description |
|---|---|
| push (preferred) | Preferred option. If you have registered the Duo app on your mobile phone you will receive a push notification on your device, then tap Approve or Deny. Touch on the green approve ✔ to connect. |
| passcode | You can also enter a one-time code generated by your Duo app. |
| sms (cost to CSU) | You will receive an SMS message with 10 one-time codes that you can use. Enter one of the codes into the “Duo Passcode” field to connect. |
| (cost to CSU) | You will receive an SMS message the same as above on your secondary device. Only use this if you have registered more than one phone. |
| (cost to CSU) | You will receive a call on your registered phone number. As per the voice instruction, push  on your phone to connect. |
| (cost to CSU) | You will receive a call the same as the above on your secondary phone number. Only use this if you have registered more than one phone number. |
You can easily manage your devices by accessing the MFA tool.
Select Enter a Passcode.
Select Text me new codes.
The new phone is added and listed with your other enrolled devices. You can click Add another device to start the enrolment process again and add another authenticator.
Note: With one of the automatic options enabled Duo automatically sends an authentication request via push notification to the Duo Mobile app on your mobile phone or a phone call to your device (depending on your selection).
If your new device is replacing the one you previously enrolled, you can remove the device you won't be using for authentication.
Can I install Duo Security Mobile app on my laptop or desktop?
Do I need to use MFA for my work?
Do I have to install the Duo MFA app on my own mobile phone?
Do I have to start using VPN?
Does MFA apply to all VPN access?
Can I change the authentication method I use?
What do I do if I lose or misplace my MFA device?
Which ICT services will prompt me for MFA?
Will I be prompted for MFA each time I log in to an enabled service?
Why can’t I use an existing MFA application or token?
What if I don’t want to use my personal device?
What if my smartphone does not have internet connectivity and is not connected to a wi-fi network?
Which versions of Android and iOS are supported?
How much data does a Duo Push request use?
Does the Duo Mobile app need access to my mobile number?
Why does the Duo Mobile app need access to my camera?
What authentication methods are available?
If I receive a batch of SMS passcodes which one should I use?
What do I do if I have trouble receiving Duo Push on my Android device?
No. The Duo Security Mobile app is only supported on devices such as mobile phones and tablets. You can only use your laptop or desktop when you first enrol/register for Duo Security.
You will need to use a device that is separate to your work computer to generate an additional passcode to log in to an MFA enabled ICT service (VPN).
If you have a CSU supplied mobile phone you are required to enrol and use it. If you don’t have a CSU mobile phone, you can choose to use your own phone.
If you do not have a compatible mobile phone, or don't want to use your personal device, you can request a hardware token (digipass go6) – please contact the Computer Shop.
The hardware token is used to generate a one time passcode (OTP) which you enter into the login screen when prompted.
If you use the VPN service for Admin (CSU-Admin) or Staff (CSU-Staff) you need to use MFA.
You will be required to use MFA as it becomes standard for accessing sensitive services.
No. Installing the Duo app on your own personal mobile phone is optional. Alternative authentication methods are available, such as Call Me, SMS messaging or using a hardware token.
You are required to use the Duo app on a CSU supplied mobile phone.
Vendors and third parties who are required to use MFA to authenticate will not be issued with hardware tokens and are expected to use their own mobile phone.
No. You don’t have to start using VPN if you don’t already have access.
Yes. MFA applies to all users with Admin VPN and Staff VPN access.
Yes. Each time you log in using MFA you can choose which authentication method you would like to use: Push Notification (preferred option), Call Me, SMS or a one-time passcode.
You can alternate between using Push, SMS and Call Me if desired.
If you lose or misplace your MFA device call the IT Service Desk who can provide a bypass code that you can use to authenticate. You will need to confirm your identity before a bypass code will be issued.
If you have temporarily misplaced your MFA device or left it at home you can use the provided bypass code - then resume using your regular MFA device when possible.
If you have lost your MFA device or had it stolen you can use the provided bypass code to remove your device from your CSU account and enrol a new device.
The following services are configured to prompt for MFA:
The services listed below will be enabled for MFA as the project progresses - keep your eye on this space for updates.
Yes. At this stage all enabled services will require you to provide an additional factor (MFA) each time you login.
Duo Security provides a streamlined user experience through the use of push notifications and enterprise management features allowing DIT to effectively support CSU staff.
Most third-party issued MFA tokens, like the one issued by a bank, are not able to be used because they are tied to the organisation that issued them. Other MFA tokens need to be plugged into a USB port on your computer making them unsuitable for authenticating when using a smartphone or tablet. Supporting third-party MFA applications such as Google Authenticator introduces additional complexity which makes it difficult to support and provide a good user experience for our staff.
If you do not have a compatible mobile phone, or don't want to use your personal device, you can request a hardware token from the Computer Shop. The hardware token can be used to generate a one time passcode (OTP) which you will need to enter into the login screen when prompted. If you enrol your personal device after being issued a hardware token you will be requested to return the token so that it can be allocated to another staff member.
In addition to approving authentication attempts with a single press via a push notification, the Duo Mobile app can be used to generate one time passcodes (OTP) that you can use as a second authentication factor. Your mobile phone does not need to be connected to the internet to generate a one time passcode.
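Why a passcode can be generated with no network connection, as an added example that is not CSU's or Duo's code: the device and the server share a secret and a counter, so each side can compute the same code independently. The sketch uses the standard HOTP algorithm (RFC 4226) as an assumption, since this page does not say which algorithm Duo Mobile or the hardware token uses; the secret is the RFC's published test value and `look_ahead` is an illustrative parameter.

```python
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 4226 Appendix D test secret, not a real key


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, server_counter: int, look_ahead: int = 3):
    """Server side. Accept a code at server_counter or a few steps ahead,
    because the user may have generated codes they never typed in.
    Returns the next server counter on success, None on failure."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        expected = hotp(secret, c)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return c + 1  # moving past c makes the accepted code single-use
    return None


def demo():
    # The phone is offline: it only needs the secret and its own counter.
    codes = [hotp(SECRET, counter) for counter in range(3)]
    # The user types only the third code; the server catches up to it.
    next_counter = verify(SECRET, codes[2], server_counter=0)
    # Submitting the same code again fails: the counter has moved on.
    replay = verify(SECRET, codes[2], server_counter=next_counter)
    return codes, next_counter, replay


if __name__ == "__main__":
    print(demo())
```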
The current version of Duo Mobile supports Android 6.0 and greater, and iOS 10.0 and greater.
We cannot guarantee Duo Mobile's functionality on preview/beta software provided by Apple. Duo recommends upgrading to the most recent version of iOS available for your device.
Note: Duo have decided to end support for the Duo Mobile application for Android 6.0 and iOS 10.0 effective July 28, 2019.
For more details go to:
Duo Push authentication requests require a minimal amount of mobile data – less than 2KB per authentication. This amount of data usage falls well within a typical push notification. While concerns regarding data usage are certainly understandable, the bandwidth consumed by Duo Mobile for many authentication requests every day would have an overall negligible effect on mobile data use. You can find further information on the Duo Knowledge Base.
Duo will ask you for your mobile number for accessing the app. CSU will not use your number for any other purposes.
When using MFA for the first time and enrolling your device the Duo Mobile app will use your camera to scan a QR code displayed on the screen.
Push notifications (this is the preferred option) - installing the Duo Security app on your mobile phone for either push notifications or to generate one time passcodes.
Call Me - automated phone calls
You can alternate between using Push, SMS and Call Me if desired.
You can use any code from the text message - the order does not matter. The passcode will work as long as it has not been used in the past and you have not received a new batch of passcodes. A new batch of passcodes will invalidate all previous batches.
Duo keeps track of which passcodes have been used and will give you a hint about the next valid SMS passcode at the bottom of the authentication prompt.
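The batch rules in the answer above (any code in any order, each code once, a new batch invalidates the old ones), modelled as an added example that is not CSU's or Duo's code. The class name, the 7-digit code format and the in-memory storage are assumptions made for illustration.

```python
import hmac
import secrets

BATCH_SIZE = 10  # this page says each SMS carries 10 one-time codes


class SmsPasscodes:
    """Hypothetical server-side state for one user's SMS passcodes."""

    def __init__(self):
        self._unused = set()

    def send_batch(self):
        """Issue a new batch. Replacing the set is what invalidates
        every code from earlier batches."""
        batch = set()
        while len(batch) < BATCH_SIZE:
            batch.add(f"{secrets.randbelow(10 ** 7):07d}")  # constructed format
        self._unused = batch
        return list(batch)

    def check(self, submitted: str) -> bool:
        """Accept any unused code from the current batch, exactly once."""
        match = None
        for code in self._unused:
            # compare_digest avoids leaking how much of a code matched
            if hmac.compare_digest(code.encode(), submitted.encode()):
                match = code
        if match is None:
            return False
        self._unused.discard(match)  # single use
        return True


def demo():
    svc = SmsPasscodes()
    first = svc.send_batch()
    results = [
        svc.check(first[7]),   # order does not matter
        svc.check(first[7]),   # reuse of the same code is refused
        svc.check(first[0]),   # another code from the same batch still works
    ]
    second = svc.send_batch()
    stale = next(c for c in first[1:7] if c not in second)
    results.append(svc.check(stale))      # old batch no longer valid
    results.append(svc.check(second[3]))  # new batch is
    return results


if __name__ == "__main__":
    print(demo())
```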
Duo Push delivery issues are most often resolved by pulling down on the screen (pull-to-refresh). This should get push notifications working properly in most cases.
Go to troubleshooting Duo Push notification issues on Android devices for more information.
If you have any questions about using multi-factor authentication contact the IT Service Desk.