Charles Sturt University

Multi-Factor Authentication

DUO logo displaying password plus proof equals access

Multi-factor authentication (MFA) is being rolled out at Charles Sturt to access sensitive and risky information and communications technology (ICT) services. The implementation of MFA reduces the risk of staff accounts being compromised, providing less opportunity for fraud. It’s an important activity in ensuring our compliance with the Audit Office of NSW and safeguarding the university’s reputation.

What is multi-factor authentication?

MFA is one of the most effective controls for preventing an attacker from gaining access to IT services and sensitive information. It strengthens access security by requiring two or more methods - also referred to as factors - to verify your identity. These factors can include something you know - like your CSU username and CSU password - plus something you have - like a smartphone app to approve authentication requests, a passcode, a hardware token, a call back or an SMS message.

Duo Security is the MFA solution delivering additional security protection for Charles Sturt users requiring off-campus access to sensitive or privileged ICT services.

To use MFA follow the two-part setup below:

  • Part One - Enrol your device
  • Part Two - Install and activate the Duo Mobile app

Push is the recommended authentication method to use with the Duo Mobile app. Simply type the word "push" into the Duo Passcode field and then approve the notification you receive on your device. Find out why push is the best way to authenticate.

Part One - Enrol your device

You need to use a device that is separate to your work computer to log in to an MFA enabled ICT Service. If you have a CSU supplied mobile phone, you are required to enrol and use it. If you don’t have a CSU mobile phone, you can choose to use your own, either through installing the MFA app, or through receiving SMS messages on your phone. If you don’t have a CSU supplied mobile phone and don’t want to use your own phone or your device is not compatible with the Duo Mobile app, you can use a CSU supplied token generator - contact the Computer Shop.

The following steps are only required once for each device. You need to have an active internet connection for this process.

  1. Go to the MFA tool to enrol your phone, tablet or other device.
  2. At the welcome screen click on Start setup.
    Startup screenshot
  3. Select the type of device you'd like to enrol and click Continue - we recommend using a mobile phone for the best experience.
    Type of device screenshot
  4. Select your country from the drop-down list and type your phone number - if you are enrolling a tablet you are not prompted to enter a phone number.
    Use the number of your mobile phone that you will have with you when you're logging in to a Duo protected service - double check that you entered it correctly, check the box, and click Continue.
    Enter your phone number screenshot
  5. Choose your device's operating system -
    1. Recommended option - iPhone, Android, Windows Phone - follow the steps in Part Two below to install and activate the Duo Mobile app
    2. Other - use this option if you do not wish to install the Duo Mobile app, but opt to use SMS instead
      What type of phone
  6. Click on Finish Enrolment.
    My settings and devices screenshot

Note: If you selected iPhone, Android, Windows Phone (as recommended) follow the steps in Part Two below to complete the process.

Part Two - Install and activate the Duo Mobile app

Duo Mobile is a free mobile application that runs on your smartphone and helps you authenticate quickly and easily at no cost to you or the university. Activating the app links it to your account so you can use it for authentication.

Note: Duo Mobile app also offers a security checkup feature. This maintains the security hygiene of your mobile device through notifications in the Duo Mobile application - this is not a CSU MFA requirement.

  1. To begin the process access the MFA tool.
    Note: for a better experience, it is best to open this link on your computer as you have to activate Duo Mobile App on your iPhone, Android or Windows phone by scanning the QR code with the app’s built-in barcode scanner.
  2. Launch the App Store or Google Play Store and search for Duo Mobile.
  3. Follow the platform specific instructions on the screen to install Duo Mobile app.
  4. After installing the app on your phone, return to the enrolment window on your computer and click “I have Duo Mobile installed”.
  5. On your iPhone, Android or Windows phone, activate Duo Mobile by scanning the barcode with the app's built-in barcode scanner. Follow the platform specific instructions for your device.
    Activate duo mobile for iOs screenshot
    Note: If you cannot scan the barcode click “Or, have an activation link emailed to you instead” and follow the instructions.
  6. If the barcode is successfully scanned click the Continue button.
    Activate duo mobile for iOS with green tick screenshot
  7. To test, select the option that applies to your choice of setup from above:
    1. Call Me – mobile phone number
    2. Passcode for SMS
    3. Send Me a Push (for the recommended Duo Security app)
    Device choose authentication method

  8. If Push was selected - approve the Duo login request you receive.
    Screenshot of the Duo login request with buttons to Approve or Deny

Duo authentication options for MFA

Table 1 - Duo authentication field options

  • Push (preferred option) - If you have registered the Duo app on your mobile phone, enter push in the next code field. You will receive a push notification on your device with the options Approve or Deny; tap the green “Approve” ✔ to connect.
  • Passcode - You can also enter a one-time code generated by your Duo Mobile app. Open the Duo Mobile app and tap on Duo-Protected; a 6 digit code will appear. Enter this code into the next code field. This code changes for each use.
  • SMS - You will receive an SMS message with 10 one-time codes that you can use. Enter sms in the next code field; your login attempt will fail. Log in again and type one of the SMS codes into the next code field to connect. Note: You do not need to enter sms again until you have used all 10 passcodes you received. Cost to CSU.
  • SMS2 - You will receive an SMS message the same as above on your secondary device. Only use this if you have registered more than one phone. Cost to CSU.
  • Phone - You will receive a call back on your registered phone number. Enter phone in the next code field; your registered phone will ring and, as per the voice instruction, push [1] on your phone to connect. Cost to CSU.
  • Phone2 - You will receive a call the same as the above on your secondary phone number. Only use this if you have registered more than one phone. Cost to CSU.
  • Hardware token - Contact the Computer Shop to be allocated a hardware token. Press the green button on your authorised hardware token and enter the code that appears in the next code field. Cost to School/Division.

Connect to VPN with MFA

VPN - Admin and Staff

  1. Double click on Cisco AnyConnect on your desktop.
  2. Select the appropriate Group: CSU-Admin or CSU-Staff
  3. Enter your CSU Username and Password.
    Screenshots: Cisco AnyConnect VPN login screens (admin and staff)
  4. For the “Duo Passcode” field use one of the authentication options then click OK.

Authentication options

  • Push - Enter push in the Duo Passcode field. You will receive a prompt on your device to Approve or Deny. If you do not receive a push notification, your device may not have notifications allowed for Duo Mobile - check this in your device settings.
    Screenshots: Cisco AnyConnect VPN login with push; Approve or Deny prompt
  • Passcode - Enter your one-time passcode (generated from the Duo Mobile app) in the Duo Passcode field.
    Screenshots: Cisco AnyConnect VPN login with Duo passcode
  • SMS - Enter sms in the Duo Passcode field - you will receive 10 passcodes on your mobile phone.
    Screenshots: Cisco AnyConnect VPN login with Duo sms
    The VPN screen will show login failed.
    Screenshot: Cisco AnyConnect login failed
    Log in a second time with one of the codes sent to your phone via SMS.
    Note: You do not need to enter sms again until you have used all 10 passcodes you received.
  • Phone – Enter phone in the Duo Passcode field. Your registered number will ring; pick up, listen to the voice prompt, and press any key on your phone to log in. Note: This call will come from a +1 (888) number.
    Screenshots: Cisco AnyConnect VPN login with Duo phone (admin and staff)
  • Hardware token - Press the green button on your hardware token and enter the code that appears, for example the code 1178472 that appeared on the hardware token.
    Screenshot: Duo hardware token

Connect to VMware Horizon (VDI) with MFA

VMware Horizon client (VDI desktop client)

  1. Double click on the Virtual Desktop client on your desktop
  2. Enter your CSU username and password and click Login
    vmware Horizon client login screen
  3. The second-factor field that appears depends on the device:
    1. Next Code - Windows
    2. Tokencode - Mac
    3. Passcode - iOS and Android
  4. Use your chosen method of authentication to complete the code field (see options below) and then click Login

VMware Horizon web version (HTML)

  1. Go to https://vdi.csu.edu.au
  2. Enter your CSU username and password and click Login
    vmware web version login screen
  3. Use your chosen method of authentication to complete the Next Code field (see options below) and then click Login

Authentication options

  • Push (recommended) - enter "push" and then approve the Duo app notification received on your device (if you do not receive a notification check your device settings)
    Screenshots: VMware Horizon client and web version showing push in the next code field
  • Passcode - enter the passcode that is generated by the Duo mobile app
    Screenshots: VMware Horizon client and web version showing a passcode
  • SMS - enter "sms" - you will receive 10 passcodes on your mobile phone - enter the first one (you can use a different one each time you log in)
    Screenshots: VMware Horizon client and web version showing sms in the code field
  • Phone - enter "phone" which prompts a call from a +1 (888) number to your registered phone - follow the prompts to press any key on your phone to log in
    Screenshots: VMware Horizon client and web version showing phone in the code field
  • Hardware token - press the green button on your token and enter the code that appears

Manage your device

You can easily manage your devices by accessing the MFA tool.

Enrol another device

  1. Access the MFA tool
  2. Choose an authentication method and complete two-factor authentication to begin adding your new device.
    Device choose authentication method

    Note: If you are setting up a new mobile phone and no longer have access to your old phone, don’t use Duo Push authentication (the Push will be sent to your old phone). If your mobile phone number has not changed you can still use SMS passcode or Call Me to authenticate. Remember that you will need to reactivate Duo Push on your new phone once you have successfully authenticated.

    To use SMS passcode:

    Select Enter a Passcode.
    Enter passcode screenshot

    Select Text me new codes.
    Text new codes screenshot

  3. Select Add another device.
    Add another device
  4. Select the type of device you are adding - Mobile phone.
    Screenshot what type of device are you adding
  5. Enter and confirm the second phone number.
    Confirm second phone number screenshot
  6. Select the new phone's operating system.
    What type of phone screenshot
  7. Install Duo Mobile on the new phone and scan the barcode to activate.
    Activate duo mobile for iOs screenshot

The new phone is added and listed with your other enrolled devices. You can click Add another device to start the enrolment process again and add another authenticator.

Enable automatic push requests

  1. Change the When I log in setting from “Ask me to choose an authentication method” to “Automatically send this device a Duo Push” or “Automatically call this device” (this is a cost to CSU) – click Save.
    Ask me to choose authentication method screenshot
  2. Click Finish Enrolment.

Reactivate Duo Mobile

  1. Choose Device Options.
    device options screenshot
  2. Choose Reactivate Duo Mobile.
    Reactivate duo mobile screenshot

    Note: If you need to get Duo Push working on your phone, for example if you replaced your phone with a new model but kept the same phone number, after answering some questions about your device you'll receive a new QR code to scan with your phone - this will complete the Duo Mobile activation process.

    Activate duo mobile for iOs screenshot

Change device name

  1. Choose Device Options.
  2. Click Change Device Name to open up an interface to change the display name of your phone (hardware tokens can't be renamed).
    Change device name screenshot
  3. Type in the new name and click Save.
    My settings and device with save screenshot

    Note: After successfully modifying your phone's name - not only will you see this when managing devices, but it will also be how your phone is identified in the authentication drop-down.

Specify default device

  1. Click the Default Device drop-down menu and pick your device for authentication. Click Save if you're done making changes.
    Default device screenshot
  2. If this is the device you'll use most often with Duo then you may want to enable automatic push requests by changing the When I log in: option from "Ask me to choose an authentication method" to "Automatically send this device a Duo Push" or "Automatically call this device" and click Save.
    Ask me to choose authentication method screenshot
    Note: With one of the automatic options enabled Duo automatically sends an authentication request via push notification to the Duo Mobile app on your mobile phone or a phone call to your device (depending on your selection).

Remove a device

If your new device is replacing the one you previously enrolled, you can remove the device you won't be using for authentication.

  1. Click the Device Options button next to the device you want to remove and then click the trashcan button.
    Remove a device
  2. Confirm you want to remove the device.
    Confirmation to remove device screenshot

FAQs

Can I install Duo Mobile app on my laptop or desktop?

No. The Duo Mobile app is only supported on devices such as mobile phones and tablets. You can only use your laptop or desktop when you first enrol/register for Duo Security.

You will need to use a device that is separate to your work computer to generate an additional passcode to log in to an MFA enabled ICT service (VPN).

If you have a CSU supplied mobile phone you are required to enrol and use it. If you don’t have a CSU mobile phone, you can choose to use your own phone.

If you do not have a compatible mobile phone, or don't want to use your personal device, you can request a hardware token (Digipass GO 6) – please contact the Computer Shop.

The hardware token is used to generate a one-time passcode (OTP) which you enter into the login screen when prompted.

Do I have to install the Duo Mobile app on my own mobile phone?

No. Installing the Duo app on your own personal mobile phone is optional. Alternative authentication methods are available, such as Call Me, SMS messaging or using a hardware token.

You are required to use the Duo app on a CSU supplied mobile phone.

Vendors and third parties who are required to use MFA to authenticate will not be issued with hardware tokens and are expected to use their own mobile phone.

What authentication methods are available?

  • Push (preferred option) - If you have registered the Duo app on your mobile phone, enter push in the next code field. You will receive a push notification on your device with the options Approve or Deny; tap the green “Approve” ✔ to connect.
  • Passcode - You can also enter a one-time code generated by your Duo Mobile app. Open the Duo Mobile app and tap on Duo-Protected; a 6 digit code will appear. Enter this code into the next code field. This code changes for each use.
  • SMS - You will receive an SMS message with 10 one-time codes that you can use. Enter sms in the next code field; your login attempt will fail. Log in again and type one of the SMS codes into the next code field to connect. Note: You do not need to enter sms again until you have used all 10 passcodes you received. Cost to CSU.
  • SMS2 - You will receive an SMS message the same as above on your secondary device. Only use this if you have registered more than one phone. Cost to CSU.
  • Phone - You will receive a call back on your registered phone number. Enter phone in the next code field; your registered phone will ring and, as per the voice instruction, push [1] on your phone to connect. Cost to CSU.
  • Phone2 - You will receive a call the same as the above on your secondary phone number. Only use this if you have registered more than one phone. Cost to CSU.
  • Hardware token - Contact the Computer Shop to be allocated a hardware token. Press the green button on your authorised hardware token and enter the code that appears in the next code field. Cost to School/Division.

On a registered device, you can alternate between using Push, Mobile Passcode, SMS, and Phone.

Can I change the authentication method I use?

Yes. Each time you log into a service with MFA you can choose which authentication method you would like to use.

As long as the device has been registered you can alternate between using Push (preferred option), Passcode, SMS and Call Me.

What do I do if I lose or misplace my MFA device?

If you lose or misplace your MFA device call the IT Service Desk who can provide a bypass code that you can use to authenticate. You will need to confirm your identity before a bypass code will be issued.

If you have temporarily misplaced your MFA device or left it at home you can use the provided bypass code - then resume using your regular MFA device when possible.

If you have lost your MFA device or had it stolen you can use the provided bypass code to remove your device from your CSU account and enrol a new device.

Which ICT services will prompt me for MFA?

The following services are configured to prompt for MFA:

  • PasswordState
  • Cisco AnyConnect (VPN) “CSU-Admin”
  • Cisco AnyConnect (VPN) “CSU-Staff”
  • Non-student VMware Horizon VDI “Off-Campus/Remote Users”

A risk management approach is being used to consider other potential MFA candidates, which may result in the list of ICT services changing throughout the year.

Other services will be enabled for MFA as the project progresses - keep your eye on this space for updates.

Will I be prompted for MFA each time I log into an enabled service?

Yes. At this stage all enabled services will require you to provide an additional factor (MFA) each time you log in.

Why can’t I use an existing MFA application or token?

Duo Security provides a streamlined user experience through the use of push notifications and enterprise management features allowing DIT to effectively support CSU staff.

Most third-party issued MFA tokens, like the one issued by a bank, are not able to be used because they are tied to the organisation that issued them. Other MFA tokens need to be plugged into a USB port on your computer making them unsuitable for authenticating when using a smartphone or tablet. Supporting third-party MFA applications such as Google Authenticator introduces additional complexity which makes it difficult to support and provide a good user experience for our staff.

What if I don’t want to use my personal device?

If you do not have a compatible mobile phone or don't want to use your personal device, you can request a hardware token from the Computer Shop. The hardware token can be used to generate a one-time passcode (OTP) which you will need to enter into the login screen when prompted. If you enrol your personal device after being issued a hardware token you will be requested to return the token so that it can be allocated to another staff member.

What if my mobile phone does not have internet connectivity and is not connected to a Wi-Fi network?

In addition to approving authentication attempts with a single press via a push notification, the Duo Mobile app can be used to generate one-time passcodes (OTP) that you can use as a second authentication factor. Your mobile phone does not need to be connected to the internet to generate a one-time passcode.

Which versions of Android and iOS are supported?

The current version of Duo Mobile supports Android 6.0 and greater, and iOS 10.0 and greater.

We cannot guarantee Duo Mobile's functionality on preview/beta software provided by Apple. Duo recommends upgrading to the most recent version of iOS available for your device.

Note: Duo has decided to end support for the Duo Mobile application for Android 6.0 and iOS 10.0 effective July 28, 2019.

For more details go to:

How much data does a Duo Push request use?

Duo Push authentication requests require a minimal amount of mobile data – less than 2 KB per authentication. This is well within the size of a typical push notification. While concerns regarding data usage are certainly understandable, the bandwidth consumed by Duo Mobile, even for many authentication requests every day, would have a negligible overall effect on mobile data use. You can find further information on the Duo Knowledge Base.

Does the Duo Mobile app need access to my mobile number?

Duo will ask you for your mobile number to access the app. CSU will not use your number for any other purpose.

Why does the Duo Mobile app need access to my camera?

When using MFA for the first time and enrolling your device the Duo Mobile app will use your camera to scan a QR code displayed on the screen.

If I receive a batch of SMS passcodes which one should I use?

You can use any code from the text message - the order does not matter. The passcode will work as long as it has not been used in the past and you have not received a new batch of passcodes. A new batch of passcodes will invalidate all previous batches.

Duo keeps track of which passcodes have been used and will give you a hint about the next valid SMS passcode at the bottom of the authentication prompt:

Duo Security screen showing the hint for the next sms code at the bottom of the screen
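
The batch rules above, together with the "enter sms, login fails, log in again with a code" flow from the VPN section, as an added sketch that is not Duo's or CSU's code: a simplified in-memory model in which any unused code from the latest batch is accepted exactly once and a new batch invalidates all older ones. The class and function names, the 7-digit code length and the status messages are assumptions for illustration.

```python
import hmac
import secrets

BATCH_SIZE = 10   # from the page: each SMS carries 10 one-time codes
CODE_DIGITS = 7   # assumption: the page does not state the SMS code length


class SmsPasscodeBatches:
    """Toy server-side model of per-user SMS passcode batches."""

    def __init__(self):
        self._unused = {}  # username -> set of codes that are still valid

    def issue_batch(self, user):
        """Create a fresh batch from a CSPRNG.

        Overwriting the user's set is what invalidates every earlier batch.
        """
        codes = set()
        while len(codes) < BATCH_SIZE:
            codes.add(f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}")
        self._unused[user] = codes
        return sorted(codes)  # the codes that would be texted to the user

    def redeem(self, user, submitted):
        """Accept any unused code from the current batch, in any order, once."""
        match = None
        for code in self._unused.get(user, ()):
            # Compare as bytes in constant time so the check does not leak
            # how much of a guess was correct.
            if hmac.compare_digest(code.encode(), submitted.encode()):
                match = code
        if match is None:
            return False
        self._unused[user].discard(match)  # single use: a replay now fails
        return True

    def remaining(self, user):
        return len(self._unused.get(user, ()))


def second_factor(store, user, field):
    """Handle the text typed into the passcode field for the SMS method.

    Returns (logged_in, message). Typing "sms" never logs the user in: it
    only triggers a new batch, which is why the first attempt shows as failed.
    """
    value = field.strip()
    if value.lower() == "sms":
        store.issue_batch(user)
        return False, "login failed: new passcodes sent by SMS"
    if store.redeem(user, value):
        return True, f"ok: {store.remaining(user)} passcodes left in this batch"
    return False, "login failed: passcode is invalid, used or from an old batch"


if __name__ == "__main__":
    store = SmsPasscodeBatches()
    print(second_factor(store, "alice", "sms"))
    batch = store.issue_batch("alice")         # constructed sample batch
    print(second_factor(store, "alice", batch[4]))
    print(second_factor(store, "alice", batch[4]))  # replay is rejected
```
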

What do I do if I have trouble receiving Duo Push on my Android device?

Duo Mobile automatically checks for authentication requests, but if you think you have missed a request, then tap the list of accounts (DUO-PROTECTED Charles Sturt University) and pull down to refresh. Pulling down on the screen should get push notifications working properly in most cases.

Go to troubleshooting Duo Push notification issues on Android devices for more information.

Contact

If you have any questions about using multi-factor authentication contact the IT Service Desk.
