UChicago Two Factor Authentication (2FA)
What we know about the university's 2FA system (so far)
Two factor authentication, 2FA for short, is an added security measure, similar to how you protect your bank account with a pin number (something you know) and debit card (something you have) when you withdraw money from an ATM. The university's 2FA provider is a company named Duo Security (DUO).
2FA helps protect sensitive data and guard against increasingly sophisticated email and online scams (e.g., phishing attacks) that can leave you vulnerable to identity theft.
Note: We're not sure specifically which product(s) the university has purchased from this vendor, so features advertised on their site may not be reflected in the university's 2FA implementation.
- According to the enrollment schedule, faculty and staff members in the PSD have until June 12th to enroll in 2FA.
- Warning !!!: If you enroll in 2FA, you will not be able to unenroll. So, for example, if you plan to travel in the month before the deadline and you believe 2FA will be too inconvenient to deal with on the road, you may wish to wait until you get back to enroll. However, please do so before the deadline so you are not potentially locked out of essential services.
- Warning !!!: The scope of sites/services impacted by 2FA has been underreported (this goes beyond sites dealing with financial or student data). We have observed that once you enroll, all Shibboleth single sign-on sites will require you to provide this second factor. This includes not only Canvas and Workday, but also the proxy for remote access to library databases, interlibrary loan, UChicago Box, UChicago G Suite, i.e. many sites researchers depend upon to get work done. Here is a list of top sites affected by 2FA.
- Tests with cvpn.uchicago.edu, web based, indicate cnet credentials are enough to use the university's VPN system ... no 2FA involved (yet). So, if you can access a resource without an authentication prompt on campus, but if 2FA/single sign-on intercedes when you do so from an off campus network, consider first connecting to the university's VPN, then proceed to the resource. Update (5/31/18): Other tech groups report that the VPN system will move to 2FA on July 1st.
- Will I need to carry a cell-phone with me everywhere?
Not necessarily. You are advised to enroll multiple 'devices', such as a smartphone, tablet, and/or office landline phone, to avoid difficulties with verifying your identity if your only enrolled device is unavailable. A list of ten passcodes can be printed out/saved to keep in a secure location for your use any time you don’t have access to your registered devices. It is important that you keep track of which codes you use because each passcode can only be used once. Update (5/31/18):
You should be able to download/print multiple ten code sets at a time.... Only the most recently generated set of ten passcodes appear to be valid.
Most users will register their smart phone, assuming they have one, which will require you to download the Duo Mobile app from either the Google Play Store, for Android phones/tablets, or the App Store, for Apple IPhones/IPads. Once installed you will be able to enroll your device. From then on, even if you are not connected to a cell/wifi network, you should be able to generate a time-based 2FA code. However, this latter method of generating a second factor requires your device to have the correct time. If you are on a cell/wifi network, you will also be able to respond with something called a 'Push', or receive your second factor as a text message (please confirm).
You can also purchase something called a hardware token, for $30, from the ID & Privileges Office (IPO), at the Joseph Regenstein Library. It looks like a keychain/keyfob and once linked to your cnet account, which should be done at the IPO office, it will generate a code every thirty seconds or so that can act as your second factor.
To enroll or remove devices, and to print out one-time passcodes, visit Two-Factor Authentication: Manage Devices. Naturally, once enrolled, you will need 2FA to access this site, so make sure you either have an enrolled device with you or have at least one one-time passcode left to get back in to either generate more codes and/or alter your list of registered devices.
It does not appear Duo provides a software solution that can be installed on your laptop or desktop computer.
- Remember me for 30 days.
When you go to provide your second factor, you should see a check box near the bottom with a Remember me for 30 days. This can be a convenient option for users who do not wish to be challenged for secondary authentication again when they log in to that application from that device for the specified period of time.
Note: Remembered devices can only be enabled on browser-based applications, and it appears to be cookie based. So if you enable 'Remember me' on your android chrome browser, and then attempt to login with your android Firefox, on the same 'device', it probably will not remember you since your using a different application profile. Similarly, if you check 'Remember me' in a private broswer session. It should not work since cookies are wiped out after the session ends. It has been reported that you may have to enable 'Accept third party cookies', or something similar, in your browser preferences for this to work.We are not sure how this feature behaves as you move between different networks. We would appreciate your feedback as you travel off-campus so we can figure out more specifically when this works and when it breaks down.
It appears that a device in this Remember me context is a specific browser based profile relying on the persistence of http cookies.
- More information about 2FA can be obtained via the following university assets:
- If your 2FA experience differs with any of the above, or if you wish to add suggestions or clarifications to this page, please email us at firstname.lastname@example.org.