2-factor activation via DUO comes to UO

My initial reaction was “oh shit, this is going to be like Concur or the Faculty Tracking Software scheme, or Craig Ashford’s plan to save millions by centralizing all UO purchasing (say, anyone know what happened to that?).”

But I’ve been using it for about 2 months and it’s seamless. Log on as usual and if I haven’t used that service in a week my phone beeps, I hit the green button, and I’m in. Strangely you don’t need it for Duckweb, so anyone who has the 6 number password I’ve used for the past 10 years can still change my students’ grades and direct deposit my paycheck to their bank, but I assume that will be part of Duo eventually:

Dear UO faculty, staff, and GEs,
With spring term nearly complete, we wanted to express our deep appreciation for everything you’ve done to teach, work, and persist through the disruptions caused by the COVID-19 (coronavirus) pandemic.
As part of our work to secure the university’s systems and data, especially during this unusual time, we will be expanding UO’s two-step login service in two important ways in the coming weeks. Action is required.
Key Points
Protect Yourself, Protect the Flock
Enrolling your Duck ID account in two-step login protects not just you but also your students, colleagues, and the university as a whole.
Enroll in Duo now by following these brief instructions. While enrollment is voluntary at this time, the deadline for taking action is rapidly approaching.

UO does Duo: Duck ID and password + Prove it's you = Secure login
Starting on July 29, you will be required to use Duo before you can log in to any protected UO services. All faculty, staff, and graduate employees must be enrolled by July 29.
Thousands of UO employees have already enrolled in Duo. Many thanks to those of you who are putting it to use!
Student employees can choose to enroll in Duo at this time but are not required to. Student enrollment in Duo will be addressed in a future phase of this project.
Increased Risk
As CIO Minton wrote in February, universities around the world, including the UO, were already high-priority targets for hackers before COVID-19. Cybercriminals try to steal credentials from UO faculty, staff, and students in hopes of gaining unauthorized access to UO systems that contain personal information, research data, and intellectual property.
Since the COVID-19 outbreak began, such attacks have only increased globally.
At the same time, the pandemic has made universities more vulnerable. The vast majority of UO students, faculty, and staff are now learning and working off campus, where it is more difficult for our institution to secure data that would typically be accessed through our campus networks.
Simple yet Powerful
Thankfully, two-step login blocks nearly 100% of attacks based on credential theft, according to research by Google and Microsoft.
At a time when everyone is adjusting to so many other changes, we’re glad to report that two-step login with Duo Security is as simple as it is powerful. The university’s IT staff, including both of us, have been using Duo for many months already and find it remarkably unobtrusive.
Most people will only have to do two-step login about once a week. Just use the “Remember me for 7 days” option. When your verification day comes, it’s as simple as tapping a button in a mobile app, entering a code, or answering a telephone call, depending on what devices you’ve registered.
Currently, Duo applies to all UO websites that use Shibboleth single sign-on—the familiar “Login Required” screen we’re accustomed to seeing in Canvas, Zoom, MyTrack, Concur, and elsewhere.
Starting on June 3, Duo will go into effect for Office 365 and UOmail. If you’re already using Duo, you’ll start receiving Duo prompts that day from UO Microsoft applications and services, including Word, Outlook, Teams, OneDrive, and others.
In the coming months, UO VPN and other services will follow.
Device Options
If you have a smartphone or tablet, we strongly encourage you to register it for Duo, at least temporarily.
In particular, we recommend using the Duo Mobile smartphone app from Duo Security because it provides a built-in backup option: you can generate mobile passcodes and write them down for later.
Although other device options exist, they’re better suited to UO’s normal campus operations, when many people have an office phone handy and it’s easier for IT staff to distribute hardware tokens.
For those who are reluctant to use a personal device for two-step login on a routine basis, you can register your device once, then write down passcodes or request temporary emergency bypass codes. Once campus operations return to normal, you can register an alternative device and unregister your smartphone.
Getting Help
Because logging in is such a fundamental aspect of nearly everything we do at the university, some people may be concerned about how two-step login will impact them. The university and Information Services remain committed to working with IT staff throughout the UO to minimize any impacts and ensure a smooth rollout.
Together we can advance cybersecurity at the University of Oregon. Thank you for helping us achieve that goal.
Sincerely,
Jessie Minton
Vice Provost for Information Services and Chief Information Officer
Leo Howell
Chief Information Security Officer
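As an added illustration (not code from Duo Security, UO, or this post), the Python below shows the generic mechanism behind the "mobile passcodes" and hardware-token fobs the letter mentions: a counter-based one-time passcode (HOTP, RFC 4226), its time-based variant (TOTP, RFC 6238), and a server-side verifier that advances its counter so a passcode accepted once cannot be replayed. The secret is the RFC 4226 test key, and the look-ahead window size is an assumption; nothing here describes Duo's actual server logic.

```python
"""Counter-based one-time passcodes (HOTP, RFC 4226) and the time-based
variant (TOTP, RFC 6238), with a verifier that refuses replayed codes.

Added example, not Duo's or UO's code: it shows the generic mechanism
behind a hardware token or app-generated passcode. The secret below is
the RFC 4226 test key (constructed sample data), not a real credential.
"""
import hmac
import hashlib
import struct

# RFC 4226 Appendix D test secret (constructed sample, not a real key).
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C): HMAC-SHA1 over the 8-byte big-endian counter, then
    RFC 4226 dynamic truncation to a `digits`-long decimal string."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the clock (30 s steps)."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Server-side state for one enrolled token.

    The token and the server each keep a counter. A presented code is
    accepted only if it matches a counter strictly after the last one
    used, within a small look-ahead window (the user may have pressed
    the fob's button a few times without logging in). On success the
    stored counter jumps to the accepted value, so the same code, or
    any earlier unused one, can never be replayed."""

    def __init__(self, secret: bytes, window: int = 5, digits: int = 6):
        self.secret = secret
        self.window = window          # assumed look-ahead size
        self.digits = digits
        self.last_counter = -1        # no code accepted yet

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.window):
            # constant-time compare avoids leaking which digits matched
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    v = HotpVerifier(TEST_SECRET)
    first = hotp(TEST_SECRET, 0)
    print("counter 0 code:", first, "accepted:", v.verify(first))
    print("same code again accepted:", v.verify(first))   # replay refused
    print("TOTP at t=59:", totp(TEST_SECRET, 59))
```

The verifier keeps only a counter per token, so a written-down passcode (the "backup option" the letter describes) is good for exactly one login, and a stolen copy of an already-used code is worthless.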

35 Responses to 2-factor activation via DUO comes to UO

  1. Just Another Volunteer says:

    The UO supports a hard token option and you can use a Yubico key. This is a small device you carry on your key ring and insert into your computer, pad, phone etc. Comes in several form factors so you can use a USB port, Lightning or whatever. This is a thing you’d buy yourself unless your department is privacy aware and supplies it for you. The UO will provide DUO hard tokens but they’re trash.

    Using your private phone number is a privacy risk – and you’ll see many big ID providers asking for a second factor – banks, brokers, social security.
    They can and do use any phone data supplied as part of risk profiling and will run a credit check in some cases.

    I got a bunch of YubiKeys and it takes a bit of fiddling to set up the first time but it’s worth it. You can also lock your laptop with a YubiKey if you’re worried about security when you carry it around. Handy – the high end ones cost $70 but there are cheaper options.

  2. Inquiring Minds says:

    You can use a UO issued token/fob instead of a smartphone if needed. See the more info link in the article.
    I use an iPhone and it’s easy. My coworker has the token.

  3. Observer says:

    Then what happens when we’re abroad, sometime in the future when abroad is accessible again? I do not use my American cellphone when I’m abroad. I certainly don’t want to have to lug it around and charge it up all the time just so I can do the annoying two-step log-in so I can work on my computer and get my UO email for the duration. So how does it work when we’re abroad?

  4. New Year Cat says:

    You can use a landline or cell phone or both. I added both my office landline and my personal cell and each time I can choose which phone Duo will call.

  5. Uncle Phil's Phabulous Phallus says:

    Using Safari on a Mac, the remember me for 7 days thing doesn’t work unless you disable “prevent cross-site tracking.” This means you have to choose between your computer’s security or constant logins, in service of UO’s security theater.

  6. Old Gray Mare says:

    Do you have to have a cell phone? Asking for a friend.

    • uomatters says:

      A smart phone and brand tone word training are now mandatory for all faculty and staff.

    • Dog says:

      This is all simplest if your friend has an Android cell phone;
      iPhone should mostly work but it could flake out; the app is designed specifically for an Android phone.

      Frankly, there are better ways to do this two-step login thing,
      but the UO chose this way, and hence it is most excellent or perhaps they are just tone-deaf …

      • uomatters says:

        I’ve got an old iPhone, Duo works great for me. Though I am a bit worried about how the Duck coaches are going to manage it with their burner phones.

    • Fishwrapper says:

      You *shouldn’t* need to have a cell phone. Duo also uses tokens – basically an electronic 1-use cipher code book. It’s a little keychain fob with a button that you set up with your account. Bottom line, you shouldn’t need to have a cell phone; that said, if UO cheaps out on the features and has a plan that requires cell phones, then they have to provide it for you.

      • Tug o' the Forelock says:

        My iPhone5 is too old for the Duo Mobile app. I just registered my cell phone as my “home landline” and I get a call, press 1, and I’m in. This is also a solution for those who would rather not (further) commingle their personal phone with UO apps.

  7. just checking says:

    If you install the phone app, does it mean UO has the right to track your phone information? There was something along those lines when we switched to Outlook (about the Outlook app on a phone) that was a little nerve-inducing.

    • Anonymous says:

      Aside from the security implications (you get to the app store with a *personal* account, with *personal* ToS, so Google/Apple gets to link your personal/work accounts, and use the weaker protections of the personal one to see stuff that should maybe be contractually protected, because you “agreed” to that when “you” linked the accounts?), this is one of the serious concerns I have with the campus just *assuming* that everyone is on-board with using personal devices for work like this.

      I think the strongest wordage I’ve seen to date is a mandate to immediately report it to the campus if one’s personal device is lost and it has any UO-tied 2FA tied to it (app, phone number, whatever), but the more we keep just *expecting* people to have things like Outlook and Teams and Duo, the more this is an issue the campus needs to formally spell out and stick to.

      I’m guessing the tension is that formally spelling this out would cause basically *everyone* to demand work-funded devices, and there might be “budgetary concerns” over that (and the fun optics of where there is/isn’t a budget for what), so it’s probably considered easier to just let it be effectively mandated in practice without it “officially” being a “formal” rule.

      • just checking says:

        Thanks, that jogs the memory – I recollect something like if you have the Outlook app, UO is able to remotely lock your phone if you report it missing. That gave me significant pause, so I stayed with the web-based option for phone use.

        Most of us have to mix personal and work devices (who wants two phones?) but I don’t want my workplace to be able to infiltrate my phone.

  8. Observer says:

    When it says, “The list of UO services protected by Duo will include Office 365 starting June 3,” what does this mean? Every time I use my computer, I’ll have to do the two-step log-in?

    • uomatters says:

      Just once a week. I hope.

    • Anonymous says:

      What I *hear* is that local apps (Outlook*, Teams, OneDrive) and the web interfaces (anything Microsoft and cloud-based, so pretty much all Office stuff in your browser) will want to verify, and will supposedly also offer the once-a-week thing* (again, supposedly that option requires push authentication, which requires the app).

      Alas, getting into an early test group is less trivial than one might hope (and I know I’m not alone in asking), so the *exact* behavior is not something I can comment on until we’re all there anyway, but it does sound like a possibility that some of us are going to get a few calls *every morning* as OneDrive tries to synchronize, and then opening Outlook and Teams, then some of us will of course need to VPN and that’s supposedly in the works to require Duo too…

      ——–

      * Oh, when I say Outlook, that gets more complicated. The rebels using other e-mail clients will have an interesting time, because the thing actually requiring 2FA/Duo will be the cloud-based UOmail part. If your local client *doesn’t* support the 2FA, then it might well just stop working after this change? If the client *does* support 2FA, I presume it’ll work but just need you to follow whatever process it uses to comply with Duo. I kept saying Outlook because that’s technically what we’re all using, but alas, not using Outlook probably won’t make life easier.

  9. Fishwrapper says:

    Been using it for over a year with no problems. I love it.

  10. Anonymous says:

    It’s great you can run the app and it’s going so smoothly for you.

    Those of us who *can’t* run the app (anyone with older/cheaper devices with outdated OS/no storage, anyone who roots a device for other personal purposes, or anyone who doesn’t even have a *smart*phone) are definitely feeling the sting from this.

    Also, with no app, apparently the 7-day remember option doesn’t even work and you can’t generate backup codes for if your device breaks/you lose service/other drama happens.

    • Oryx says:

      It’s interesting that the highly paid administrators get plush car allowances, the claim being they use their cars for official work, but regular employees can’t get phone allowances for using their phones for official work.

      • Fishwrapper says:

        You should not have to provide your own tools to do your work, unless you are working in a trade that is represented and the CBA that covers your position specifies you bring your own trade-specific tools. If your employer requires you to have access to data services, then locks them up, it’s on the employer to provide the key. And you should (unless UO went cheap on the features available from Duo) be able to use a token for access. Bottom line – if you use your own phone for work, you get what you pay for: the expectation that they can distribute the costs of doing business across their employees.

        • come on says:

          I’m into hating the admin as much as the next guy, but come on. Most people have a smartphone. There is no additional cost from the app. And if you don’t have a smartphone, you should just get one. It will probably improve your life even accounting for the hassle of Duo.

          • uomatters says:

            Like. That said, you make me wonder if UO could fire a professor if they simply stopped using email?

          • Anonymous says:

            Part of the issue though is that they’re assuming 100% of people have smartphones of a certain caliber or higher. If you’re poorer, you may *have* a smartphone, but the cheaper options often have older OSes (unsupported), or virtually no storage, and the difference between a $100 phone that your carrier will basically just give you and an $800+ phone that you only get if you sign a contract for a more expensive plan than you would otherwise need can be significant.

            Then there’s also the issue that personal smartphones have a *lot* of access to you, and how much data apps can collect. The entire ecosystem technically gets “consent” from the user in a legal sense, but it’s consent where if you don’t agree then you don’t have a device everyone just assumes you have, and it’s “consent” with a private company.

            For some folks, upgrading (and maintaining that upgrade) to be compatible with this mandate is a financial burden. For others, it represents a serious indirect invasion into privacy, as even if UO isn’t mandating something that snoops on data, it is mandating you sign up for something that *does*.

            I don’t think the hate is on the idea of requiring the security, I think the concern is over the far-reaching implications that those who didn’t already have a compatible device are probably the most impacted by. There’s almost certainly a strong overlap between “people who still don’t have a smartphone in the duopoly in 2020” and “people who actually read the ToS and hold objections, so they’re gonna care about being forced to agree all of a sudden”.

            The “You should just get one” attitude is, probably moreso than you likely intend it, rather close to a mindset that hurts people in edge cases, rather than examine why the system is incapable of better flexibility.

            (And to be clear, I am confident you mean well. I simply get the sense you may have had fewer opportunities than some of us to observe some systemic implications in this situation, and hopefully some of our words are helping to clarify why there might exist groups who would be rightly concerned about the pressures to comply placed by making this system more burdensome in specific scenarios, rather than provide multiple options to make the service more convenient for everyone.)

        • dtl says:

          Would that include PPE? Because I hear management thinks masks should be provided by your union….

          • Fishwrapper says:

            If one looks carefully at the carefully worded guidance that will be forthcoming, you likely will be recommended to wear a mask, rather than required. This is part of that; another part is that if your employer requires you to wear protective gear, there are federal (and likely similar state) laws that mandate documented training in use of protective gear. This ain’t a union thing, per se, it’s a statutory thing, influenced by the state of emergency or absence of one, and workplace safety laws. Essentially, workplace safety is the responsibility of the employer. See 29 CFR 1910.132(b) and (d)(2).

  11. Dog says:

    Yes
    Duo is mostly innocuous
