FAQ: Duo Multi-Factor Authentication (MFA)

Table of Contents:

Will my application work with Duo?

Why can’t I use my preferred email program anymore?

I am not getting phone call prompts on my device. How do I fix this?

I am not getting app prompts on my device's app. How do I fix this?

I got a new phone (or other device). How do I get back into my account and change my settings?

I got a new phone number. How do I get back into my account and change my settings?

I lost my device, what should I do?

Why can't I use text messaging for MFA?

I set Duo up with an Apple Watch, and I am getting "session time out" errors when I try to log in to apps on my phone.

Why do I get so many prompts to approve my login to Office 365 applications?

Should I always approve/accept/allow the login prompt?

Why do I still get phishing messages?

Do departmental or student organizational email accounts require MFA?

I'm a retiree or alumni. Do I have to use Duo MFA?

What is the difference between Duo MFA and Microsoft MFA?

I am getting the message "Your account access has been blocked". What do I do?

Steps to remove and re-add on iOS default mail app

Steps to remove and re-add on Microsoft Outlook mobile app

 

---

 

Will my application work with Duo?

Below is a compatibility chart that lists some of the more common applications that are used with Office 365. If your application is not listed, you can check whether it supports Microsoft's "Modern Authentication" or contact the Service Desk for more information.

Platforms: Windows, MacOS, iOS, Android

  • Supported: Office 365 Web Access; Office 2016 Suite; Microsoft Office apps
  • Compatible but Unsupported: Blue Mail; Office 2013 Suite; Apple Mail (MacOS Mojave); iOS Mail 11 & newer; Aqua Mail; Windows 10 "Mail" app; Nine; TypeApp
  • Incompatible: Thunderbird; Edison Mail; Postbox; Gmail; Office 2011 Suite; iOS Mail 10 & older

Why can’t I use my preferred email program anymore?

Outlook and Outlook on the Web are the supported email clients at Ithaca College. They are available for all common platforms. Some other email programs do not support various features and add-ons used by the College, including security architecture that Duo relies on for integration with Office 365. This is a limitation of those email programs, and not a limitation of Duo or IC. That security architecture, called Conditional Access, provides other benefits in addition to support for Duo, and is a necessary protection for our accounts and the data our community has entrusted to us.

I am not getting phone call prompts on my device. How do I fix this?

If you have alternate devices, use those to authenticate instead, then re-configure your device(s) by logging in to the Duo device page on a web browser and following the instructions in the Duo Multi-Factor Authentication Configuration Guide. Please contact the IT Service Desk if you do not have any alternate devices capable of receiving a push or generating a code registered to your account, or if this issue persists.

I am not getting app prompts on my device's app. How do I fix this?

Log in to the Duo device page on a web browser. When it asks you to choose an authentication method, select the call option to receive a phone call to your registered phone number, accept the call, and press any key on your phone's keypad to authenticate. Alternatively, use another authentication device, e.g. a token or other device with the Duo Mobile app configured.

Once you have successfully entered your account, you can follow the instructions in the main Duo Multi-Factor Authentication Configuration Guide to re-activate the app on your phone. You can do this by proceeding with the "add another device" feature.

I got a new phone (or other device). How do I get back into my account and change my settings?

If you still have the same phone number, log in to the Duo device page on a web browser. When it asks you to choose an authentication method, select the call option to receive a phone call to your registered phone number, accept the call, and press any key on your phone's keypad to authenticate. Alternatively, if you still have the old device, you can authenticate using that as you would normally.

Once you have successfully entered your account, you can follow the instructions in the main Duo Multi-Factor Authentication Configuration Guide to re-activate the app on your phone. Use the "Add another device" instructions to make sure it is configured successfully. You can also remove old devices here.

If you no longer have access to the old device and do not have your account linked to any others, please fill out the Security Help Request with the details of your old and new device, and leave contact information (other than email) for us.

I got a new phone number. How do I get back into my account and change my settings?

If your device is the same but has a new phone number, you can update the device settings on the Duo Device Registration portal. Log in to the Duo device registration portal on a web browser. When it asks you to choose an authentication method, choose passcode or Duo push and follow the instructions in the main Duo Multi-Factor Authentication Configuration Guide to change your settings. If you no longer have access to the old phone number or device, or it does not work, please contact the IT Service Desk.

I lost my device, what should I do?

If you no longer have access to the old device and do not have your account linked to any others, please contact the Service Desk.

Why can't I use text messaging for MFA?

Although better than relying on passwords alone, text-message-based multi-factor authentication has been defeated by attackers who are able to redirect your text messages to their phones. Because of this, we chose not to use it at IC.

I set Duo up with an Apple Watch, and I am getting "session time out" errors when I try to log in to apps on my phone.

At this time, if the Duo Mobile app is set up to send push notifications to your Apple Watch, you will have to use the Call Me option to authenticate to apps on your phone. If you have set up automatic push notifications, you can click Cancel and then click Call Me.

Why do I get so many prompts to approve my login to Office 365 applications?

Duo requires that you approve the login whenever you sign in differently than you did last time. Differently could mean from a different device (mobile phone, home computer, office computer, etc.), a different Web browser, a different Office 365 application (OneDrive, Outlook, etc.), or even a different location. Even if you have checked the "remember me for 14 days" option, the 14-day grace period only applies to that particular device, application, and browser.

Note that if you do not see the "remember me for 14 days" option, it may be because your settings automatically send an authentication request. Like the "remember me" tick box for logging into accounts on a browser, the "remember me for 14 days" option must be checked before logging in/authenticating for it to work. You can hit the x on the blue bar at the bottom of the Duo screen, and the "remember me for 14 days" tick box will appear.

Should I always approve/accept/allow the login prompt?

No. If you are prompted for Duo authentication when you don't expect it, it may be that someone else is attempting to access your account. If you are ever unsure, click Deny and contact the IT Service Desk if you have any questions or concerns regarding your account.

Why do I still get phishing messages?

Using Duo cannot prevent you from getting phishing messages. Its purpose is to prevent someone from getting into your account in the event that they obtain your username and password through a phishing message or some other method. Of course, there are measures in place to prevent you from receiving as many spam/junk/phishing messages as possible, but some still get through.

Do departmental or student organizational email accounts require MFA?

No, at this time we do not have a specific plan or timeline for requiring MFA on these types of email accounts. This may change at a future date.

I'm a retiree or alumni. Do I have to use Duo MFA?

Retirees are required to use Duo, but at this time, alumni are not.

What is the difference between Duo MFA and Microsoft MFA?

Duo and Microsoft each have their own "brand" of multi-factor authentication product (as do Google and other companies). In December 2017, because it was not yet technically feasible to integrate Duo with Office 365, IC required about 300 staff who most regularly deal with sensitive data to use Microsoft MFA for Office 365. Once Duo for Office 365 became feasible, we chose it over MS MFA for the following reasons:

  • Duo licensing is inclusive of the entire IC community, including alumni, retirees, and IC affiliates.
  • Duo provides more user-friendly enrollment and self-service capabilities.
  • Duo is already in use for access to our VPN and a few other applications, and is compatible with our single sign-on, so Duo can be our single MFA solution instead of having to use different products for different IC services.
  • Microsoft MFA does not support any kind of hardware token for authentication. This means that dozens of IC people who do not have cell phones and who do not work from fixed locations with landlines would have no way to access their accounts.

I am getting the message "Your account access has been blocked". What do I do?

If your email account was added to a mobile mail app before enrolling in Duo, your mail application security settings may have been incompatible with Duo when you initially signed in. The fix for this is to remove and re-add the email account to automatically configure the correct settings. Note that your phone must be on iOS 11 or higher (iOS) or be using the Outlook mail app (Android) in order to work with Duo. If you are on an older version of iOS or Microsoft Outlook Mobile, you will either need to update your phone or download the Microsoft Outlook Mobile app, which will work on any operating system and will always continue to work with Duo.

Steps to remove and re-add on iOS default mail app

1. Go to Settings

2. Select "Accounts & Passwords"

3. Select your IC email account (its default descriptor is "Exchange" but you may have designated it as "Ithaca," "IC Email," "School Email," etc.)

4. Select "Delete Account" 

5. Review the steps to re-add the account on our main email article here.

Steps to remove and re-add on Microsoft Outlook mobile app

  1. Open the Outlook app.
  2. Click the 3-lined Menu icon at the top left-hand corner of the screen, or the Inbox header at the top of the screen.
  3. Press the Gear icon at the bottom left-hand corner of the screen.
  4. Once you press that, the accounts you have currently in the app will show up. Press the account you wish to update.
  5. Once you press the account, an option button with red text will come up saying "Delete Account." Press that button. This deletes the account from the local application only; it does not delete your data on the server.
  6. Press Add Account and follow the steps on screen to add your account.

Note: If this is the only account you have set up with your Outlook app, it will automatically prompt you to re-add an account.

Details

Article ID: 332
Created: Wed 5/2/18 11:16 AM
Modified: Tue 5/7/19 9:44 AM