What is VCU 2Factor Authentication?

In the cyber security field, there are three factors that can be used to identify an individual to a computer system. These factors include:

  • Something you know (e.g. a user name, password, answer to a question)

  • Something you have (e.g. a phone, an ID card, or a hardware token)

  • Something you are (e.g. your fingerprint, retina/iris scan, or voice print)

Traditionally, the username and password model rely only on something you know, therefore is considered single factor authentication. The weakness with single-factor authentication using something you know is the fact that an adversary can usually find ways to steal this information, thus allowing the adversary to masquerade as the victim. VCU 2Factor Authentication helps to drastically reduce the usefulness of stolen usernames and passwords, as it relies on one or more other factors in proving one’s identity in addition to the username and password.  

Why is VCU Doing This?

The beginning of a sophisticated cyberattack usually starts with a phishing scam. A phishing scam is a social engineering attack that utilizes phone call, email, social media or text message to trick a victim into disclosing information that he or she would normally not disclose. The end goal of phishing scams is usually the theft of login credentials such as usernames and passwords. Armed with the username and password of an individual, a cyber adversary can then masquerade as the victim, steal his or her personal information protected by those credentials, or silently compromise the organization for which the victim works while minimizing the chances of raising an alarm.

 

The implementation of VCU 2Factor Authentication will significantly reduce the likelihood that these stolen accounts can be used by a cyber adversary, as individual identities are verified by not only assigned login credentials but also something the individual has in his or her possession.

How is This Done?

VCU already deployed its VCU 2Factor Authentication solution to various authentication services and will continue to integrate the VCU 2Factor Authentication solution with the VCU Central Authentication Service.

For VCU’s deployment of VCU 2Factor Authentication to the Central Authentication Service, VCU will utilize the combination of your eID credentials and a message delivered to your phone using VCU 2Factor Authentication provider.

How Will I Be Affected?

VCU will integrate VCU 2Factor Authentication to all new applications protected by the Central Authentication Service. By default:

  • VCU 2Factor Authentication will be required for all faculty and staff accessing applications protected by the Central Authentication Service (CAS) when logging in from unknown and/or untrusted locations (e.g. off-campus).

  • VCU 2Factor Authentication will be optional for students accessing applications protected by the Central Authentication Service (CAS) when logging in from unknown and/or untrusted locations (e.g. off-campus).

  • Once an individual signs up for the VCU 2Factor authentication service, the 2factor authentication service will be mandatory for any applications used by the individual.
  • VCU 2Factor authentication is integrated with all web applications using the VCU Central Authentication Service (CAS).

  • All individuals using VCU 2Factor Authentication with the Central Authentication Service (CAS) will have the option to remember their device for 60 days when logging in from an unknown and/or untrusted location (e.g. off-campus).

Registering with VCU 2Factor Authentication

Individuals who have never used VCU 2Factor Authentication will need to watch the video or follow the text instructions below to enroll in the service.

Prefer reading instead of watching the above video? Please click here for the step-by-step instructions on registering your device with the VCU 2Factor authentication system.

Logging into CAS with VCU 2Factor Authentication

Individuals who are already enrolled in VCU 2Factor Authentication,
follow the instructions below to use with the VCU Central Authentication Service.

 

Prefer reading instead of watching the above video? Please click here for the step-by-step instructions on logging in with CAS and VCU 2Factor Authentication

FAQ

Q: If I have a new phone, how do I register and activate the DUO app on my new device?

If your new phone has the same phone number then you need to invoke VCU 2Factor Authentication on your mobile device using the following steps:

  1. Ensure that you are NOT using VCU WiFi (either SafeNet or Guest).  Turn off WiFi if necessary to achieve this.
  2. Open a new private browsing tab (also known as an "incognito tab").
  3. Navigate to http://my.vcu.edu

After logging in with your eID and password, choose the "Settings" option, then “My Settings and Devices” link from the VCU 2Factor Authentication page.


DUO Settings Management Selection Screen

 

You will be prompted to verify your identity. At this stage, simply choose the “Enter a Passcode” option.

Identity verification screen for settings 

At this point, you can either enter a passcode received previously, or click the "Text me new codes" button to get a new batch of passcodes texted to your phone via SMS. Once you have the code, simply enter the appropriate code into the passcode box and click login.

Text new passcodes option

At the "Settings and Device" screen, you will now be able to manage your devices and re-activate your DUO mobile option. To do so, simply choose the device you need to re-enroll, and click on the "Settings / Gear" icon next to it, and choose the "Reactivate DUO Mobile option"

Reactivate DUO Mobile Self-service Screen

Follow the on-screen instructions to download and activate your new device with the same phone number.

Q: What if I receive a new phone number, how do I add the new phone number to my account?
Q: Can I add other devices in addition to my cell phone to my VCU 2Factor Authentication account?
Q: What if I lost my phone?
Q: What if I don’t want to install the app?
Q: What if I don’t want to receive SMS text messages?
Q: Am I required to use VCU 2Factor Authentication?
Q: What information is VCU collecting from me with this service?
Q: If I'm a student, how do I skip 2Factor Authentication?
Q: I had a "Disable Two Factor" button but now it is gone. What happened?
Q: I'm a student, but I never see the "Disable Two Factor" button, Why?
Q: I use a generic account for work, how will it be affected?
Q: How often do I need to use VCU 2Factor Authentication?
Q: Will I need to use VCU 2Factor Authentication system on-campus?
Q: Why does the DUO prompt say I'm in another city?
Q: How do I add a YubiKey to my account?
Q: What can I do if I will absolutely not have access to my device during travel?

You can request a batch of ten passcodes to be sent via text message to your cell phone before you depart for your travel

  •  From the Duo verification screen, press Send SMS passcodes. You will receive ten single-use codes via text message, which will allow you to authenticate up to ten times during your travel.

You will need to request the passcodes before you leave, or while in an area with cell service, as you will need a cell connection to receive the text message on your phone. You may request additional batches of passcodes while in areas with cell service (your carrier’s roaming or international texting rates will apply). Requesting a new batch of passcodes will invalidate any unused codes from the previous batch.

In situations where 10 codes are not enough, contact the IT Support Center to generate a bypass code and set its validity period for the duration of travel.

To use the passcode you will be prompted to verify your identity. At this stage, simply choose the “Enter a Passcode” option.

Identity verification screen for settings 

 

Q: How to bypass the VCU 2factor authentication on a trusted device for 60 days?

Remembered device - In the login screen, there is a remember my device for 60 days option that will allow you to bypass the VCU 2factor authentication on a trusted device. Please note, you should only check this check box from a computer or mobile device you own and trust.  

If you have issues with checking the 'Remember me' option there may be two reasons for this. Please see if the below issue/solution resolve this:

1) 'Remember me for 60 Days' box is greyed out

If you configured Duo to "Automatically send a push" notification, then anytime you are re-prompted, Duo will send you a push before allowing you to choose the Remember Me option.  

Keep Automatic Push, Cancel, and Re-Push

If you like the Automatic Push, you can keep that turned on and still have devices remember you.

  1. When you are at a duo prompt where you'd like to set the "Remember me" option, press the blue "cancel" button on the Duo prompt.
  2. Ignore the prompt that is sent to your device
  3. The duo screen should still be visible, and now you should be able to check the "Remember me" box
  4. Click "Send me a Push" again.  This will send a new Duo push to your phone, and once accepted, that device will remember you for 60 days.

 

2) Check your browser settings in order for the 'Remember me for 60 days' option to work.

 

The Remember My Device feature relies on a browser cookie from duo.com. Your Internet browser must allow cookies from the duo.com domain to be stored on your computer in order for the feature to work. Below are cookie setting for each browser type (can vary depending on browser version):

  • In Chrome under Settings >  Show advanced settings > Privacy & Security - Content settings
  • In Firefox by going to Firefox > Options > Privacy & Security - History - Firefox Will: Use Custom Settings for History
  • In Internet Explorer at Tools > Internet Options > Privacy >Settings - Advanced - Third party cookies

 

  • In iPhone Safari > Settings - Safari - Privacy & Security


In Safari under Safari > Preferences > Privacy

Q: How can I use 2factor authentication without Cellular or WiFi service?

DUO app provides offline authentication options for times when you lack cell service or when using 2FA could cause you to incur extra cell phone charges, such as when you are traveling internationally. This can be a fall-back option if you have no connectivity via cell service or wifi connectivity.

    • Simply open the app and tap the key icon right next to VCU logo. Depending on your device, this button may say Generate Passcode or Generate Token Code. It may also simply contain an image of a key.
    • Enter the code provided in the Passcode field of the Duo verification screen.

NOTE: In order to take advantage of the options below, be sure to register your device(s) for use with your 2FA account (including, if applicable, downloading and installing the Duo Mobile App on your smartphone) before you begin your travel.