What is Duo?

Duo is a Multi-Factor Authentication (MFA) service. MFA protects your login so that, in addition to something you know (your username and password), you also need a physical object you have. This is typically a smartphone with the Duo app, but physical USB security keys are also available for those who do not have a smartphone, a regular cell phone, or a landline. Watch the Authenticate with Duo Mobile Video to learn more!

NOTE: Duo MFA users can have as many devices as they want and should always have at least one backup device. 


Why is Fredonia rolling Duo MFA out to students?

Nearly every week, a student's Fredonia email account is compromised by criminals because the student fell for a phishing scam. The criminals then use the student's email account to victimize other students. With Duo MFA in place, a cyber-criminal can't just log in to an account, even if they have gotten your password via phishing, malware, or password reuse from other compromised sites.

How will it work at Fredonia?

  • Effective 3/1/2022, any student that has their eServices account compromised will be required to enroll in Duo MFA. The ITS Service Center will reach out to the student directly via their phone number on file to provide assistance. 

  • Effective 3/1/2022, current students can opt-in to Duo MFA. To better protect your Fredonia accounts, you just need to:

    • Download the free Duo Mobile app on your smartphone

    • Then go to: Forms @ Fredonia > Request Service > Multi-Factor Sign Up

    • When you select "Enroll Me" at the bottom of the form, you will start a process that will enroll you in MFA within 90 minutes of you submitting the form. You will be presented with a one-time registration process the first time you log onto a Fredonia service such as FredMail or OnCourse.

To verify your identity with Duo - you need one of two things listed:

a. Recommended: A smartphone or tablet (Android, iPhone, iPad) with the Duo Mobile app installed and activated (see the video below for how the Duo app works). Watch the Authenticate with Duo Mobile Video 

b. A security key which can be issued to you from the ITS Service Center if you do not have a mobile phone (image below as an example):

Picture of a Yubikey security key

Yubikey

If you have any issues or need assistance, please submit a ticket at Tracker@fredonia.edu.

For more information on how Duo works, see our Duo Frequently Asked Questions at: https://fredonia-edu.atlassian.net/wiki/spaces/AN/pages/1103790939

If you have any questions that are not covered by that FAQ, please email its.servicecenter@fredonia.

 

  • Effective 3/1/2022 any individual that becomes an active student after this date will be required to enroll in Duo MFA. 

  • Effective 3/1/2022 any student that paid their deposit before this date for the fall 2022 semester will be required to enroll in Duo MFA. 

  • Effective 6/15/2022 all current Fredonia students will be automatically enrolled in Duo MFA. After this date, the first time a student logs into a Fredonia protected service (e.g. FREDmail, OnCourse, etc.) they will be required to set up Duo MFA.

 

How can students get assistance with setting up their Duo MFA?

There are many ways that students can get assistance with setting up their Duo MFA:

Why is Fredonia using Duo MFA?

There are a number of reasons.

  • Phishing: Phishing has continued to be a significant problem both at Fredonia and at organizations worldwide.  Although the vast majority of these phishing messages are being blocked or marked as spam here at Fredonia (and many of our faculty and staff are fantastic about reporting these messages) some do get through.  At this point, the training and simulations are not a sufficient defense on their own.

  • Password reuse: Though we want all people to use a different password for all systems - we know that doesn't always happen.  People sometimes use the same password on multiple services.  When an external service gets compromised - the passwords used at that external site may be at risk.  They may be used to try to access other accounts, including those at Fredonia.  The same is true of common passwords.

  • Brute force attacks: Hackers often simply try to 'guess' passwords, basing their guesses on common password patterns.

  • Regulatory Compliance: There are numerous information security policies and laws that now require the use of Multi-factor Authentication (MFA) systems to protect logins to Fredonia services.

Fredonia has a duty to protect the data of our students, faculty, staff, alumni, emeritus, and donors.  Even an account of someone who does not have direct access to that data - can provide a criminal a level of access to the college which could lead to a further breach.  Because of this - we need to protect accounts with more than just a username and password.

That is why we are expanding the usage of the Duo MFA (Multi-factor Authentication) system, which is currently in place for all employees.

Fredonia has chosen Duo specifically as our MFA provider for its affordability, ease of use, and compatibility with the systems that we use at SUNY Fredonia.

 

What is MFA?

Multi-factor Authentication systems are those that require at least two of the following factors (only the first two being used by Fredonia).

  • Something you know (such as usernames and passwords)

  • Something you have (such as an app on a smartphone, or a small keychain token) which is tied to your account

  • Something you are (biometrics such as fingerprints - don't worry - we have no intention of using biometrics at Fredonia)

An account protected by MFA cannot be accessed by one of those factors alone.  Were someone to get my password - but not have my smartphone, they would be unable to access accounts protected with MFA.  Vice-versa, if someone had my phone but not my password, they would also be unable to access accounts protected with MFA.

MFA is increasingly used to protect data on systems such as financial/banking accounts, email, social media, or other systems which are at high risk for compromise from criminals.  Fredonia has implemented, and is expanding the usage of, MFA to better protect the sensitive data, systems, and accounts that our campus community members are entrusted with.

 

What Fredonia services use Duo MFA?

  • Google Workspace (FREDmail, Google Drive)

  • OnCourse

  • Zoom

  • DegreeWorks

  • Starfish

  • Symplicity

  • CircleIn

  • Handshake

  • Office365

  • Tracker

 

How do I get set up for Duo?

  • Effective 3/1/2022, students can opt-in to Duo MFA. To better protect your Fredonia accounts, you just need to:

    • Download the free Duo Mobile app on your smartphone

    • Then go to: Forms @ Fredonia > Request Service > Multi-Factor Sign Up

    • When you select "Enroll Me" at the bottom of the form, you will start a process that will enroll you in MFA within 90 minutes of you submitting the form.

    • Once you are enrolled, the first time you log on to one of our many services that are protected by MFA (e.g. FREDmail, OnCourse etc.), you will go through a one-time registration process to enroll your device(s). We recommend you enroll multiple devices to make sure that you have access to all services without interruption.

NOTE: If you do not have a smartphone, you can order the security keys online (see "What do I do if I don't have a smartphone" section near the bottom of this page for details), or you can contact our ITS Service Center for a token.

 

What do I do if I lose my smartphone and I cannot log in?

Everyone should always have a backup device (additional cell phone, landline, tablet, or security key) configured in their Duo MFA account. To enroll a backup device, please visit “Enroll a Device with Duo”. If you do not have your smartphone or a backup device, please contact the ITS Service Center at 716.673.3407 or tracker@fredonia.edu during normal business hours (Mon-Fri 8am-4:30pm). The ITS Service Center can issue you a temporary 9-digit passcode to use until you address your lost smartphone.

 

Can I use the Duo phone app when my phone doesn't have Internet access?

If you are using the Duo phone app, you can still use Duo when you don't have Internet access on your phone (such as when you are out of the country).

  • When logging in, click "enter a passcode" instead of "Send me a Push"

  • Go into the Duo app and click where it says "State University of New York at Fredonia".  A six-digit number will come up.

  • Enter that number on the Duo login page

What if I don't have a smartphone?

If you do not have a smartphone - you can log in with a hardware security key.  Fredonia uses Yubikeys, which are small USB devices that you can keep on your keychain.  When prompted by Duo to log in - just put the USB key into the computer you are logging in at - and touch the button when prompted.

NOTE: Active faculty, staff, and students who do not have a smartphone can get the token from us.  Just email its.servicecenter@fredonia.edu (make sure to email us from your college email address - and include your full mailing address).

 

 What about the security or privacy of the Duo app?

Fredonia ITS and the information security industry in general have a very positive impression of Duo and the Duo app.  Duo’s app only asks for the permission to show notifications and to access your camera.  The camera permission is just for the initial setup (to scan the Duo QR code) and you can revoke that permission afterwards.  The notifications are only used to send you the ‘push’ notification that you need to approve when logging in.

Duo does not have access to the data on your phone such as pictures, files, etc. 

If your concerns are privacy related – please see the information on Duo’s site about “What data does Duo collect” and “Duo Mobile Privacy Information”.

 Duo Multi-Factor Authentication - How to use it

Image showing logging in on a computer, verifying with Duo on a phone, and then having access

  1. Enter your user name and password
  2. Verify your identity with Duo
  3. You're securely logged in

Using Duo

To verify your identity with Duo - you need one of two things:

  1. Recommended: A smartphone or tablet (Android, iPhone, iPad) with the Duo Mobile app installed and activated (see the video below for how the Duo app works)

  2. A security key (image below as an example):

Picture of a Yubikey security key

When a user that is enrolled in the Duo service logs into a Duo protected system, they will see a screen like the following:

  • The "Send me a Push" button should be used if you use the Duo Mobile app.

  • If you have the security key - then you just need to put it into the USB port of the computer you are logging in from, and press it, to log in.

 

 Duo Mobile App

The Duo Mobile app is Fredonia's recommended option for Duo.  It can be used on your iPhone or Android smartphone or tablet.  The app is free, takes only a small amount of space to install, and uses virtually no data (per month it uses a minuscule fraction of the amount of data of loading a single website) so you don't have to worry about your data plan.  

It can be downloaded by searching for "Duo Mobile" in either the Google Play store (for Android devices) or Apple App store (for iPhones/iPads), or via the links below:

Setting up the Duo Mobile app is quick and easy.  If you opt for the Duo Mobile app - your account will be activated so that the next time you log in to a Duo protected service (such as FREDmail, OnCourse, etc.) you'll be prompted to download, set up, and activate the app.

After your phone is activated, when you log in to a Duo protected application with your username and password, click the Send me a push button on the site you're accessing.  You'll get a push alert on your smartphone which you can click on to bring up the Duo approve/deny screen:

If you were trying to log in to a Duo protected service, you would click Approve.

If you were NOT trying to log in to a Duo protected service, you can click Deny (and then report the attempt by clicking "It was fraudulent").  This will notify ITS staff at Fredonia.

App Permissions

When first using the Duo mobile app - it will ask for two permissions:

  • Permission to use the camera: this is only needed when setting up the device.  The app will use the camera to capture the QR code on the screen to activate your device.

  • Permission to send notifications: this is needed so you get a notification on your phone of a pending login (so you don't have to manually open the app to approve the login - you can just click on the notification).

Yubikey Security Key

The security key is a small device with a ring to keep on your keychain.  It is placed into a USB port on your computer when you need to login.

When prompted by Duo to log in - just put the USB key into the computer you are logging in at - and touch the button when prompted.

NOTE: Active students who do not have a smartphone can get the token from us.  Just email its.servicecenter@fredonia.edu (make sure to email us from your college email address - and include your full mailing address).