In the cyber security field, there are three factors that can be used to identify an individual to a computer system. These factors include:
- Something you know (e.g. a user name, password, answer to a question)
- Something you have (e.g. a phone, an ID card, or a hardware token)
- Something you are (e.g. your fingerprint, retina/iris scan, or voice print)
Traditionally, the username and password model relies only on something you know and is therefore considered single-factor authentication. The weakness of single-factor authentication using something you know is that an adversary can usually find ways to steal this information, which allows the adversary to masquerade as the victim. VCU 2Factor Authentication helps to drastically reduce the usefulness of stolen usernames and passwords, as it relies on one or more other factors in proving one’s identity in addition to the username and password.
A sophisticated cyberattack usually starts with a phishing scam. A phishing scam is a social engineering attack that uses a phone call, email, social media or text message to trick a victim into disclosing information that he or she would normally not disclose. The end goal of phishing scams is usually the theft of login credentials such as usernames and passwords. Armed with the username and password of an individual, a cyber adversary can then masquerade as the victim, steal his or her personal information protected by those credentials, or silently compromise the organization for which the victim works while minimizing the chances of raising an alarm.
The implementation of VCU 2Factor Authentication will significantly reduce the likelihood that these stolen accounts can be used by a cyber adversary, as individual identities are verified by not only assigned login credentials but also something the individual has in his or her possession.
VCU has already deployed its VCU 2Factor Authentication solution to various authentication services and will continue to integrate the VCU 2Factor Authentication solution with the VCU Central Authentication Service.
For VCU’s deployment of VCU 2Factor Authentication to the Central Authentication Service, VCU will utilize the combination of your eID credentials and a message delivered to your phone using the VCU 2Factor Authentication provider.
VCU will integrate VCU 2Factor Authentication with all new applications protected by the Central Authentication Service. By default:
- VCU 2Factor Authentication will be required for all faculty and staff accessing applications protected by the Central Authentication Service (CAS) when logging in from unknown and/or untrusted locations (e.g. off-campus).
- VCU 2Factor Authentication will be optional for students accessing applications protected by the Central Authentication Service (CAS) when logging in from unknown and/or untrusted locations (e.g. off-campus).
- Once an individual signs up for the VCU 2Factor authentication service, the 2factor authentication service will be mandatory for any applications used by the individual.
VCU 2Factor authentication is integrated with all web applications using the VCU Central Authentication Service (CAS).
All individuals using VCU 2Factor Authentication with the Central Authentication Service (CAS) will have the option to remember their device for 60 days when logging in from an unknown and/or untrusted location (e.g. off-campus).
Registering with VCU 2Factor Authentication
Individuals who have never used VCU 2Factor Authentication will need to watch the video or follow the text instructions below to enroll in the service.
1. If you have NOT previously opted out, then visit http://my.vcu.edu from a computer or mobile device while off-campus.
- If you have previously opted out of DUO, contact the VCU IT Support Center at (804) 828-2227 and request removal from the opt-out group. Return to this step once you receive a confirmation e-mail that the change to your account is complete.
2. Enter your user name and password and press Login.
3. At the "Protect your Virginia Commonwealth University Account" screen, click on the Start Setup button.
OPTIONAL: Students who are not also employees may have the option to skip 2 factor authentication setup altogether, as 2 factor authentication is optional for students. To disable 2 Factor authentication, simply click on the "Disable Two Factor" button on the initial setup screen. Please note that a student who has registered for 2 factor authentication previously will not have the option to disable it from this screen. In this case, the student must contact the IT support center at 804-828-2227 to request the disablement of 2 Factor authentication.
4. At the "What type of Device Are you Adding?" screen, choose the mobile phone, tablet, landline, or U2F Token option, and click Continue.
- Mobile phone - This is the most used and recommended option. Using this option will provide you with the secondary authentication through DUO Push (from DUO Mobile app for smartphones), Soft Token (from DUO Mobile App for smartphones), phone call, or SMS Text messages to your registered cell phone. Please see the DUO Enrollment Guide for detailed instructions on registering your phone.
- Tablet - This option will allow you to register a tablet computer such as an Apple iPad or an Android tablet. Using this option will provide you with the secondary authentication through DUO Push (from DUO Mobile app) or Soft Token (from DUO Mobile App). Please note this option will require the installation of the DUO Mobile App. Please see the DUO Enrollment Guide for detailed instructions on registering your device.
- U2F Token - This option will allow you to self-register a compatible FIDO U2F security key. This option will provide you with the secondary authentication through the use of the security key. Please note that the registered key will only work with 2Factor enabled websites, but will not work with other services such as VPN. Please see the DUO U2F enrollment guide for more information on registering your U2F security key.
5. For this walk-through, we will select the Mobile Phone option as recommended. At the "Enter your phone number" screen, enter the full 10-digit cell phone number as instructed, check the "This is the correct number" check box, and click on Continue.
6. At the "What type of phone" screen, choose the correct platform for the device from the list, and click Continue.
Please Note: If you do not wish to install the DUO Mobile App, simply choose the "Other (and cell phones)" option during this step. If you select the "Other (and cell phones)" option, then please skip to Step 9.
7. If you selected the iPhone, Android, or Windows Phone option in the previous step, you may have an option to install the DUO Mobile App to enable the DUO Push and the Soft Token authentication options. This is a convenient option that is recommended for all Smart Phone users. Download and install the DUO Mobile App and click on the I Have Duo Mobile button.
8. Open DUO Mobile on your phone/tablet, tap the "+" button and hold your phone camera over the QR barcode on the screen. Once the code scan is complete, a green checkmark will appear over the QR Code. At this point, click the Continue button.
9. Once the phone is successfully added, click on the "Back to login" or "Continue to Login" button to return to the DUO login screen.
10. At the DUO login screen, simply choose between the "Send Me a Push" (only available to DUO Mobile App users) or the "Enter a Passcode" option to proceed with the 2 factor authentication. If you are using a trusted device (e.g. your personal computer), you may also click the "Remember me for 60 days" checkbox so the 2 factor authentication will not be invoked for your trusted device for the next 60 days.
Logging into CAS with VCU 2Factor Authentication
Individuals who are already enrolled in VCU 2Factor Authentication can follow the instructions below to use it with the VCU Central Authentication Service.
1. Once you have registered with the VCU 2Factor Authentication System, log in with your VCU eID to any VCU 2Factor Authentication protected application or website.
2. Choose a secondary authentication method by clicking on the corresponding button.
- Send Me a Push - This option allows you to receive a Push notification to your phone on your DUO Mobile App. The DUO Mobile app will notify you of a login attempt; simply check your phone and press the Green Checkmark button to log in.
- Enter a Passcode - This option allows you to enter passcodes generated from the DUO Mobile App (generated by tapping the Key icon in the app), codes generated from a hardware token (e.g. Yubikey), or codes received through SMS text messages. If you choose this option, you can also request the system to text additional passcodes to you via SMS text message.
As an option, you can also check the "Remember me for 60 days" checkbox, which will allow you to bypass VCU 2Factor authentication from the device you are using for up to 60 days. Please note, this option should only be used on your trusted computing devices and should not be used on shared computers or public computers.
3. Complete the login process.
If your new phone has the same phone number then you need to invoke VCU 2Factor Authentication on your mobile device using the following steps:
- Ensure that you are NOT using VCU WiFi (either SafeNet or Guest). Turn off WiFi if necessary to achieve this.
- Open a new private browsing tab (also known as an "incognito tab").
- Navigate to http://my.vcu.edu
After logging in with your eID and password, choose the "Settings" option, then “My Settings and Devices” link from the VCU 2Factor Authentication page.
You will be prompted to verify your identity. At this stage, simply choose the “Enter a Passcode” option.
At this point, you can either enter a passcode received previously, or click the "Text me new codes" button to get a new batch of passcodes texted to your phone via SMS. Once you have the code, simply enter the appropriate code into the passcode box and click login.
At the "Settings and Device" screen, you will now be able to manage your devices and re-activate your DUO mobile option. To do so, simply choose the device you need to re-enroll, click on the "Settings / Gear" icon next to it, and choose the "Reactivate DUO Mobile" option.
Follow the on-screen instructions to download and activate your new device with the same phone number.
If you changed your telephone number and got a new phone, then please contact the VCU IT Support Center at (804) 828-2227 or firstname.lastname@example.org to update your information in the system.
Yes! Other devices such as tablets, landlines, and even hardware tokens can be associated with your eID for the VCU 2Factor Authentication system.
To add a new device, log in to CAS from off-campus to invoke the VCU 2Factor Authentication system, click on the "Settings" button and “Add a new device” link from the VCU 2Factor Authentication page.
Next, the system will need to verify your identity. Simply choose “Send me a push” or “Enter a passcode” for your existing device to verify your identity.
Next, you will have the option to add a new device to your account. Choose the desired device, and follow the on-screen instructions to complete the setup of your new device.
If you lost your phone, you should remotely wipe your phone if possible, and contact your cellular service provider and have your phone disabled. You should also report the incident to the police if the loss of the device is the result of suspected theft. Once this is done, you should contact the VCU IT Support Center and have your phone removed from your account. A temporary and timed bypass code can be generated for you while you work with your cellular service provider to replace your phone. Once you have your new phone, you will be able to re-register your phone with the VCU 2Factor Authentication system.
You can always use the SMS text option if you don't want to install the app. To do so, at the beginning of device setup, choose the Mobile Phone option.
At the next screen, enter your phone number, check the checkbox to verify the number is correct and hit Continue.
The registration system will then prompt you to select the type of mobile device. At this screen prompt, choose "Other", and hit "Continue" to bypass the DUO Mobile registration.
Please note, setting up your phone this way will not give you the DUO Mobile authentication option, and you will be required to use a passcode (via SMS text message or a hardware token) for any future authentication. If you want to use DUO mobile in the future, then please contact the VCU IT Support Center at 804-828-2227 to re-register your device.
There are multiple options for you to complete your 2factor authentication. You can choose the DUO Mobile "Push" option if you do not wish to receive SMS text messages for authentication codes.
The DUO Mobile app also contains a passcode generator that will allow you to generate a one-time code for the "Enter a Passcode" field. This passcode generator does not require any Internet or cellular connection and is ideal for use in areas where network connection is limited. To generate a passcode from DUO Mobile app, simply tap the "Key" icon next to your VCU account in the DUO Mobile app.
Alternatively, if you do not wish to register any phones with the system, you may purchase and use hardware tokens for your 2factor authentication needs. YubiKey tokens that support YubiCo OTP (not the U2F-only tokens) or hardware tokens supporting TOTP or HOTP can be used as hardware tokens. Once you acquire these tokens, you must contact the VCU IT Support Center (828-2227) to place a service request for the registration of the tokens. DUO also provides its own tokens that can be used. Please contact your IT support unit on how to acquire and register these tokens.
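The TOTP and HOTP tokens mentioned above can produce a passcode with no network connection because the token and the server each derive it from a shared secret plus a counter or clock. The following is an added example, not VCU's or DUO's code: it computes RFC 4226 HOTP and RFC 6238 TOTP codes and shows a verifier refusing replayed and out-of-window codes. The secret is the published RFC test key, and the look-ahead and drift values are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample secret: the ASCII test key from RFC 4226 / RFC 6238.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def _well_formed(code: str, digits: int) -> bool:
    # Reject anything that is not exactly `digits` ASCII digits before comparing.
    return len(code) == digits and code.isascii() and code.isdigit()


class HotpVerifier:
    """Server side of a counter-based token (hypothetical helper).

    Accepts a code only at or after the next expected counter, within a small
    look-ahead for button presses the server never saw. A matched counter and
    every counter before it are burned, so a captured code cannot be reused.
    """

    def __init__(self, secret: bytes, look_ahead: int = 3, digits: int = 6):
        self.secret = secret
        self.look_ahead = look_ahead
        self.digits = digits
        self.next_counter = 0

    def verify(self, code: str) -> bool:
        if not _well_formed(code, self.digits):
            return False
        last = self.next_counter + self.look_ahead
        for counter in range(self.next_counter, last + 1):
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.next_counter = counter + 1
                return True
        return False


def verify_totp(secret: bytes, code: str, unix_time: int, last_step: int,
                step: int = 30, drift: int = 1, digits: int = 6):
    """Return the matched time step, or None if the code is rejected.

    `last_step` is the most recent step already accepted for this token; steps
    at or before it are refused so a code cannot be replayed inside its window.
    """
    if not _well_formed(code, digits):
        return None
    now = unix_time // step
    for t in range(now - drift, now + drift + 1):
        if t > last_step and hmac.compare_digest(hotp(secret, t, digits), code):
            return t
    return None
```

The caller of `verify_totp` is expected to store the returned step as the new `last_step` for that token.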
All faculty and staff, including student workers, are expected to use the VCU 2Factor authentication system. Most students will have the option of using 2Factor authentication to protect their personal information, but will not be required to use it. Some students, particularly those in the various health disciplines, may be required to use 2Factor at the individual school's discretion.
For all individuals enrolling a phone with the VCU 2Factor authentication service, the phone number of the individual is collected during the process of enrollment.
In addition to the phone number, for individuals using the DUO Mobile App, the type of device and the version of the Operating System on the device are collected (e.g. Apple iPhone 8 with iOS 11.2).
For individuals using hardware tokens for VCU 2factor authentication service, the token's public key, secret key, and a serial number are collected in order to ensure the functionality of the token.
During any login attempt into VCU IT systems, regardless of whether the VCU 2Factor authentication service is used, the location information of the login attempt is collected (e.g. Login from an IP xxx.xxx.xxx.xxx from Boston, MA). The collected information is used for troubleshooting and identification of anomalies that may indicate the compromise of an individual's credentials.
Some students, especially student workers, may be required to use the VCU 2Factor Authentication system. If it is optional for you, look for the blue "Disable Two Factor" button below the "Protect Your Account" Dialog at initial setup. Please note this is only available to individuals who have not yet registered with the VCU 2Factor Authentication system. Students who have already registered but want to opt out should contact the VCU IT Support Center at 804-828-2227 to opt out.
1. During initial setup, click on the "Disable Two Factor" button.
2. At the confirmation prompt, click on "Yes" to confirm.
3. You will receive a confirmation message that VCU 2Factor Authentication is disabled for you.
If you wish to re-enable VCU 2Factor authentication for your account, then please contact the VCU IT Support Center at (804) 828-2227.
If you started the enrollment process for VCU 2Factor but were unable to complete it, your "Disable Two Factor" button may have disappeared. Please call the IT Support Center at (804) 828-2227 to submit a request to have your VCU 2Factor account "reset."
Additionally, the "Disable Two Factor" button will also disappear if your status as a student changes to employee (e.g. student worker). Finally, some applications used by employees require Two Factor authentication, and if you are using these applications, then you will not be able to disable Two Factor authentication.
You will not see a "Disable Two Factor" button if any of the following applies:
1. The application you are trying to access requires VCU 2Factor Authentication.
2. You have already enrolled in the VCU 2Factor Authentication system from another application or system.
3. You attempted enrollment into the VCU 2Factor Authentication system but never completed the enrollment.
4. In addition to your student role, you are also an employee or affiliate (e.g. Faculty, staff, student worker, business partner)
You can contact the VCU IT Support Center at 828-2227 for additional assistance.
The owner of the generic account will need to determine how access should be handled and submit a service ticket to VCU Collaboration Services if changes are needed or DUO authentication is not feasible for a generic account.
In most cases, you can opt to only perform the VCU 2Factor authentication once every sixty days from the same trusted device (e.g. your personal computer). To do this, simply check the "Remember Me for 60 days" checkbox from your trusted device. When you select the checkbox, please make sure you are not using a browser in "Incognito" or "Private Browsing" mode, and that your browser supports cookies.
Please note the "Remember me for 60 days" option is applicable to individual devices. Therefore if you have multiple trusted devices, then you will need to choose the "Remember me for 60 days" for each device.
In most cases, you will not be prompted to use the VCU 2Factor Authentication system on-campus. However, you may be prompted if any of the following applies:
1. You have never enrolled in the VCU 2Factor Authentication Service. In this case, you may be prompted for enrollment.
2. You are using your cellular connection, residential wireless network, the VCU guest wireless network, a VCU residence hall network, or another open or public network that is not a part of the trusted internal VCU networks.
If you're attempting to access a VCU application from your mobile phone or a tablet with cellular data, your connection may travel a considerable geographic distance through your mobile carrier's network before being "transferred" to the public Internet. DUO is reporting the location where your mobile device's cellular connection is being "transferred" to the Internet, which may be a good distance from your physical location. In some cases, it can even be in another state!
If you would like to use a YubiKey for VCU 2Factor, VCU Information Security can only assist you with the use of a YubiKey NEO or YubiKey 4 model. Other YubiKey models (such as those offering only FIDO and/or U2F), while good products, may not work as well with the diverse technology environment at VCU.
If you choose to purchase a new YubiKey NEO or YubiKey 4, you will receive a small card with the token, usually containing a QR code. Be prepared to provide a close-up photo of this card, including the QR code, to technology support staff upon request.
If you would like to use a YubiKey NEO or YubiKey 4 that you already own, you will need to be prepared to provide the following information:
- Serial Number
- Private Identity
- Secret Key
If you no longer have the above information from a YubiKey NEO or YubiKey 4 that you already own, you may need to use the YubiCo utilities to "regenerate" a new configuration, in "YubiCo OTP" mode. Make sure to consult the YubiCo documentation for your model, which is available online!
Once you have the necessary information for your situation (photo of the card OR serial/private ID/secret key), contact the VCU IT Support Center at (804) 828-2227. An IT Support Center staff member will assist you with the process.
Finally, PLEASE NOTE that you should be EXTREMELY CAUTIOUS of purchasing used or "second-hand" YubiKey tokens! Some YubiKey models support having their configurations locked with a passcode, in a process called "Configuration Protection;" if you purchase a used YubiKey and do not know the passcode for its configuration protection, you may not be able to use it!
You can request a batch of ten passcodes to be sent via text message to your cell phone before you depart for your travel.
- From the Duo verification screen, press Send SMS passcodes. You will receive ten single-use codes via text message, which will allow you to authenticate up to ten times during your travel.
You will need to request the passcodes before you leave, or while in an area with cell service, as you will need a cell connection to receive the text message on your phone. You may request additional batches of passcodes while in areas with cell service (your carrier’s roaming or international texting rates will apply). Requesting a new batch of passcodes will invalidate any unused codes from the previous batch.
In situations where 10 codes are not enough, contact the IT Support Center to generate a bypass code and set its validity period for the duration of travel.
To use the passcode you will be prompted to verify your identity. At this stage, simply choose the “Enter a Passcode” option.
Remembered device - In the login screen, there is a remember my device for 60 days option that will allow you to bypass the VCU 2factor authentication on a trusted device. Please note, you should only check this check box from a computer or mobile device you own and trust.
If you have issues with checking the 'Remember me' option, there may be two reasons for this. Please see whether the issues and solutions below resolve this:
1) 'Remember me for 60 Days' box is greyed out
If you configured Duo to "Automatically send a push" notification, then anytime you are re-prompted, Duo will send you a push before allowing you to choose the Remember Me option.
Keep Automatic Push, Cancel, and Re-Push
If you like the Automatic Push, you can keep that turned on and still have devices remember you.
- When you are at a Duo prompt where you'd like to set the "Remember me" option, press the blue "cancel" button on the Duo prompt.
- Ignore the prompt that is sent to your device.
- The Duo screen should still be visible, and now you should be able to check the "Remember me" box.
- Click "Send me a Push" again. This will send a new Duo push to your phone, and once accepted, that device will remember you for 60 days.
2) Check your browser settings in order for the 'Remember me for 60 days' option to work.
The Remember My Device feature relies on a browser cookie from duo.com. Your Internet browser must allow cookies from the duo.com domain to be stored on your computer in order for the feature to work. Below are the cookie settings for each browser type (these can vary depending on browser version):
- In Chrome under Settings > Show advanced settings > Privacy & Security - Content settings
- In Firefox by going to Firefox > Options > Privacy & Security - History - Firefox Will: Use Custom Settings for History
- In Internet Explorer at Tools > Internet Options > Privacy > Settings - Advanced - Third party cookies
- In iPhone Safari > Settings - Safari - Privacy & Security
- In Safari under Safari > Preferences > Privacy
The DUO app provides offline authentication options for times when you lack cell service or when using 2FA could cause you to incur extra cell phone charges, such as when you are traveling internationally. This can be a fall-back option if you have no connectivity via cell service or wifi.
- Simply open the app and tap the key icon right next to VCU logo. Depending on your device, this button may say Generate Passcode or Generate Token Code. It may also simply contain an image of a key.
- Enter the code provided in the Passcode field of the Duo verification screen.
NOTE: In order to take advantage of the options below, be sure to register your device(s) for use with your 2FA account (including, if applicable, downloading and installing the Duo Mobile App on your smartphone) before you begin your travel.