What is VCU 2Factor Authentication?
In the cybersecurity field, three factors can be used to identify an individual to a computer system. These factors include:
- Something you know (e.g., a user name, password, answer to a question)
- Something you have (e.g., a phone, an ID card, or a hardware token)
- Something you are (e.g., your fingerprint, retina/iris scan, or voice print)
Traditionally, the username and password model relies only on something you know; this is considered single-factor authentication. The weakness of single-factor authentication using something you know is that an adversary can usually find ways to steal this information, allowing the adversary to masquerade as the victim.
VCU 2Factor Authentication helps drastically reduce the use of stolen usernames and passwords. In addition to the username and password, VCU 2Factor relies on one or more other factors in proving and securing a user's identity.
Why is VCU Doing This?
A sophisticated cyberattack usually begins with a phishing scam. A phishing scam is a social engineering attack that utilizes a phone call, an email, social media, or a text message to trick a victim into disclosing information that he or she would typically not disclose. The end goal of phishing scams is usually the theft of login credentials such as usernames and passwords. Armed with the username and password of an individual, a cyber adversary can then masquerade as the victim, steal his or her personal information protected by those credentials, or silently compromise the organization where the victim works while minimizing the chances of alarm.
The implementation of VCU 2Factor Authentication will significantly reduce the likelihood that these stolen accounts can be used by a cyber adversary, as individual identities are verified by not only assigned login credentials but also something the individual has in his or her possession.
How is This Done?
VCU has already deployed its VCU 2Factor Authentication solution to various authentication services and will continue to integrate the VCU 2Factor Authentication solution with the VCU Central Authentication Service.
For VCU’s deployment of VCU 2Factor Authentication to the Central Authentication Service, VCU will utilize the combination of your eID credentials and a message delivered to your phone using the VCU 2Factor Authentication provider.
How Will I Be Affected?
VCU will integrate VCU 2Factor Authentication to all new applications protected by the Central Authentication Service. By default:
- VCU 2Factor Authentication will be required for all faculty, staff, and students accessing applications protected by the Central Authentication Service (CAS) when logging in from unknown and/or untrusted locations (e.g., off-campus).
- Once enrolled in the VCU 2Factor authentication service, 2Factor authentication will be mandatory for any applications used by the individual.
- VCU 2Factor authentication is integrated with all web applications using the VCU Central Authentication Service (CAS).
- All individuals using VCU 2Factor Authentication with the Central Authentication Service (CAS) will have the option to remember their device for 60 days when logging in from an unknown and/or untrusted location (e.g., off-campus).
Registering with VCU 2Factor Authentication
Individuals who have never used VCU 2Factor Authentication will need to watch the video or follow the text instructions below to enroll in the service.
1. Step-by-step instructions for setting up a two-factor authentication device during the 'Claim my eID' process.
- Go to myeid.vcu.edu and click on the 'Claim my eID' button.
2. Click on 'Submit' after you have entered 2 out of 3 items.
- You will need 2 out of the 3 items of information to verify your identity in order to claim your account:
- VNumber OR VCUCard Number
AND
- Birthdate
The Banner ID is also known as the VNumber. The VCUCard number is the 16-digit number on your physical VCUCard. You may not have a VNumber if you are a VCU Health System employee; in that case, please use the 16-digit number on your badge.
3. You will now click on 'Start setup' to register your Duo device for VCU 2-factor authentication.
4. Select the type of device you are registering with Duo and click on 'Continue'. 'Mobile Phone' is the recommended type.
5. Enter your mobile phone number for the device and confirm that the phone number is correct by checking the box. Click on 'Continue'.
6. Next, you will be prompted to select the type of smartphone you have: iPhone, Android, or Windows Phone. Please select the type of phone and click on 'Continue'.
7. You will be prompted to install the Duo Mobile App on your device. Instructions will be presented according to the phone type you selected in the previous step. Please follow the instructions and install the Duo Mobile App on your device. After you have installed the app on your device, please click on the 'I have Duo Mobile' button to continue.
8. Now, using your Duo Mobile App, you will scan the QR code presented on the screen during the registration process. After you have scanned the code, the screen will show a green check box. Click on the 'Continue' button.
9. You will see an information box for your settings and device. You will see your phone number and type of phone. You will also be presented with the option "When I log in:". You will have two options: Option 1, 'Ask me to choose an authentication method', and Option 2, 'Automatically send this device a Duo Push'.
If you do not want to be prompted every time for the authentication method (Duo Push or Passcode) and would prefer to use the Duo Push method (recommended), then please select the 'Automatically send this device a Duo Push' option. Click on 'Continue to Login' to proceed.
10. You should receive a push on your device. Please 'Approve' the request.
11. The above step completes the Duo registration of your phone. Please continue with the rest of the account claim process to set up personal information and password. Click on 'Next' to continue.
12. Add your personal email account (non-VCU email) and personal mobile number. This information will be used to allow you or VCU IT Support Center to reset your forgotten password in the future if needed. Click on 'Submit' to proceed.
13. The final step is to set a password for your eID account. Please enter a password that meets the VCU password policy as shown on the right-hand side of the screen. Re-type your password to confirm and click on 'Reset Password'. This completes the account claim and Duo registration steps.
Logging into CAS with VCU 2Factor Authentication
Individuals who are already enrolled in VCU 2Factor Authentication can follow the instructions below to use it with the VCU Central Authentication Service.
1. Once you have registered with the VCU 2Factor Authentication System, log in with your VCU eID to any VCU 2Factor Authentication protected application or website.
2. Choose a secondary authentication method by clicking on the corresponding button.
- Send Me a Push - This option allows you to receive a Push notification to your phone on your DUO Mobile App. The DUO Mobile App will notify you of a login attempt; simply check your phone and press the Green Checkmark button to log in.
- Enter a Passcode - This option allows you to enter passcodes generated from the DUO Mobile App (generated by tapping the Key icon in the app), codes generated from a hardware token (e.g., YubiKey), or codes received through SMS text messages. If you choose this option, you can also request the system to text additional passcodes to you via SMS text message.
As an option, you can also check the "Remember me for 60 days" checkbox, which will allow you to bypass VCU 2Factor authentication from the device you are using for up to 60 days. Please note, this option should only be used on your trusted computing devices and should not be used on shared computers or public computers.
3. Complete the login process.
You can easily register a 2FA device during the eID account claim process. This video will walk you through the process of adding a 2FA device during the VCU account claim process.
You can manage your devices within eid.vcu.edu. You can delete and add new devices. The video will show you how to manage 2FA devices at VCU.
If you change your telephone number and/or get a new phone, then please contact the VCU IT Support Center at (804) 828-2227 to update your information in the system.
Yes! Other devices such as tablets and even hardware tokens can be associated with your eID for the VCU 2Factor Authentication system. To add new devices visit eid.vcu.edu. You can watch this video on how to manage 2FA devices at VCU.
1. Log into eid.vcu.edu
2. Click 'Manage Security'. This will provide a list of devices currently connected to your account.
3. Click on 'Add New Device'. This will take you through the enrollment option to add a new device.
If you lose your phone, you should remotely wipe it if possible, and contact your cellular service provider to have the phone disabled. You should also report the incident to the police if the loss of the device is the result of suspected theft. Once this is done, you should contact the VCU IT Support Center and have your phone removed from your account. A temporary and timed bypass code can be generated for you while you work with your cellular service provider to replace your phone. Once you have your new phone, you will be able to re-register it with the VCU 2Factor Authentication system.
All faculty, staff, and students must use the VCU 2Factor authentication system.
For all individuals enrolling a phone with the VCU 2Factor authentication service, the phone number of the individual is collected during the process of enrollment.
In addition to the phone number, for individuals using the DUO Mobile App, the type of device and the version of the operating system on the device are collected (e.g., Apple iPhone 8 with iOS 11.2).
For individuals using hardware tokens for VCU 2factor authentication service, the token's public key, secret key, and a serial number are collected in order to ensure the functionality of the token.
During any login attempt into VCU IT systems, regardless of whether the VCU 2Factor authentication service is used, the location information of the login attempt is collected (e.g., login from an IP xxx.xxx.xxx.xxx from Boston, MA). The collected information is used for troubleshooting and identification of anomalies that may indicate the compromise of an individual's credentials.
The owner of the generic account will need to determine how access should be handled and submit a support request to VCU Collaboration Services if changes are needed or DUO authentication is not feasible for a generic account.
In most cases, you can opt to only perform the VCU 2Factor authentication once every sixty days from the same trusted device (e.g. your personal computer). To do this, simply check the "Remember Me for 60 days" checkbox from your trusted device. When you select the checkbox, please make sure you are not using a browser in "Incognito" or "Private Browsing" mode, and that your browser supports cookies.
Please note that the "Remember me for 60 days" option applies to individual devices. Therefore, if you have multiple trusted devices, you will need to choose "Remember me for 60 days" on each device.
In most cases, you will not be prompted to use the VCU 2Factor Authentication system on-campus. However, you may be prompted if any of the following applies:
1. You have never enrolled in the VCU 2Factor Authentication Service. In this case, you may be prompted for enrollment.
2. You are using your cellular connection, residential wireless network, the VCU guest wireless network, a VCU residence hall network, or another open or public network that is not a part of the trusted internal VCU networks.
If you're attempting to access a VCU application from your mobile phone or a tablet with cellular data, your connection may travel a considerable geographic distance through your mobile carrier's network before being "transferred" to the public Internet. DUO reports the location where your mobile device's cellular connection is "transferred" to the Internet, which may be a good distance from your physical location. In some cases, it can even be in another state!
If you would like to use a YubiKey for VCU 2Factor, VCU Information Security can only assist you with the use of a YubiKey NEO, YubiKey 4 or YubiKey 5 model. Other YubiKey models (such as those offering only FIDO and/or U2F), while good products, may not work as well with the diverse technology environment at VCU.
If you choose to purchase a new YubiKey NEO, YubiKey 4 or YubiKey 5, you will receive a small card with the token, usually containing a QR code. Be prepared to provide a close-up photo of this card, including the QR code, to technology support staff upon request.
If you would like to use a YubiKey NEO, YubiKey 4 or YubiKey 5 that you already own, you will need to be prepared to provide the following information:
- Serial Number
- Private Identity
- Secret Key
If you no longer have the above information from a YubiKey NEO, YubiKey 4 or YubiKey 5 that you already own, you may need to use the Yubico utilities to "regenerate" a new configuration, in "Yubico OTP" mode. Make sure to consult the Yubico documentation for your model, which is available online!
Once you have the necessary information for your situation (photo of the card OR serial/private ID/secret key), contact the VCU IT Support Center at (804) 828-2227. An IT Support Center staff member will assist you with the process.
Finally, PLEASE NOTE that you should be EXTREMELY CAUTIOUS of purchasing used or "second-hand" YubiKey tokens! Some YubiKey models support having their configurations locked with a passcode, in a process called "Configuration Protection;" if you purchase a used YubiKey and do not know the passcode for its configuration protection, you may not be able to use it!
Remembered device - On the login screen, there is a "Remember me for 60 days" option that will allow you to bypass VCU 2Factor authentication on a trusted device. Please note, you should only check this check box from a computer or mobile device you own and trust.
If you have issues with checking the 'Remember me' option, there may be two reasons for this. Please see whether one of the issues and solutions below resolves it:
1) 'Remember me for 60 Days' box is greyed out
If you configured Duo to "Automatically send a push" notification, then anytime you are re-prompted, Duo will send you a push before allowing you to choose the Remember Me option.
Keep Automatic Push, Cancel, and Re-Push
If you like the Automatic Push, you can keep that turned on and still have devices remember you.
- When you are at a duo prompt where you'd like to set the "Remember me" option, press the blue "cancel" button on the Duo prompt.
- Ignore the prompt that is sent to your device
- The duo screen should still be visible, and now you should be able to check the "Remember me" box
- Click "Send me a Push" again. This will send a new Duo push to your phone, and once accepted, that device will remember you for 60 days.
2) Check your browser settings in order for the 'Remember me for 60 days' option to work.
The Remember My Device feature relies on a browser cookie from duo.com. Your Internet browser must allow cookies from the duo.com domain to be stored on your computer in order for the feature to work. Below are the cookie settings for each browser type (these can vary depending on browser version):
- In Chrome under Settings > Show advanced settings > Privacy & Security - Content settings
- In Firefox by going to Firefox > Options > Privacy & Security - History - Firefox Will: Use Custom Settings for History
- In Internet Explorer at Tools > Internet Options > Privacy > Settings - Advanced - Third party cookies
- In iPhone Safari > Settings - Safari - Privacy & Security
- In Safari under Safari > Preferences > Privacy
The DUO app provides offline authentication options for times when you lack cell service or when using 2FA could cause you to incur extra cell phone charges, such as when traveling internationally. This can be a fall-back option when you have no cell service or Wi-Fi connectivity.
Please use the following method to authenticate using Duo during your trip.
- When prompted for Duo authentication, please click the link below for ‘Other options.’
- Please click on the ‘Duo Mobile passcode’ option.
- Next, you will be prompted to enter a passcode.
- Please open your Duo Mobile App and enter the generated passcode (as shown in the example image below) in the passcode window for authentication.
NOTE: To take advantage of the options below, register your device(s) for use with your 2FA account (including, if applicable, downloading and installing the Duo Mobile App on your smartphone) before you begin your travel.
How to use Duo hardware token at VCU
- When prompted for Duo authentication, please click the link below for ‘Other options’.
- Please click on the ‘Hardware token’ option.
- You will be prompted to enter a passcode. Now, press the button on your hardware token, and a new code will appear in the display. Type the passcode on your screen and click verify.
- Duo will prompt you to confirm if this is your device. Click ‘Yes, this is my device’ if it is yours. If you are using a device that belongs to someone else, please select the option ‘No, other people use this device.’ This will complete your authentication to VCU resources.