What is two-factor authentication?

Two-factor authentication (2FA) leverages two separate methods of proving a user is who he or she claims to be. Anyone who has ever used a debit card to withdraw money from an ATM has used two-factor authentication. Sliding the debit card into the ATM provides the first factor of authentication: using something you have. Typing in your PIN provides the second factor of authentication: using something you know.

UAB is implementing a similar methodology for logging into select applications and sites, such as uab.box.com. To access those select applications and sites, users will be required to type in their BlazerID and strong password (something you know) and then use Duo Mobile on a smartphone, tablet, cellphone, or token (something you have) to complete the login.

A number of different synonyms and acronyms exist for two-factor authentication, in addition to the 2FA mentioned above. Among the most popular that you might hear are:

  • Strong authentication
  • Multi-factor authentication (MFA)
  • Two-step authentication

Why is UAB adopting the use of 2FA?

Like many organizations today, UAB, its employees, and its students are prime targets for hackers, online criminal organizations, and ne’er-do-wells in general. Providing this extra layer of security for access to select applications and sites enhances the level of security that UAB provides for all of its stakeholders.

In fact, a number of universities such as Harvard, Stanford, Yale, and Georgia Tech have begun using Duo Mobile 2FA. Outside of the academic arena, common examples of services and products that provide 2FA options include:

  • Many mobile and online banking applications
  • Popular email services, such as Gmail
  • Mobile phones (Androids and iPhones, for example)
  • Social media sites, such as Facebook
  • Online commerce sites (PayPal and Amazon)

How does 2FA protect me?

One of the most valuable sets of information that miscreants can steal is our BlazerIDs and strong passwords. If a malicious actor steals those credentials, whether through a successful phishing attack or a password-reuse issue, he/she can impersonate you and access any accounts to which you have access.

That can open the door to serious issues, such as changing your direct deposit settings to someone else’s bank account or corrupting/stealing/destroying your research data. Using 2FA raises the bar required to successfully pull off such attacks.

When will 2FA be used?

UAB will begin integrating Duo Mobile’s 2FA capability soon. Duo 2FA is slated to be incorporated into the login process for select applications and sites during the 2018 fiscal year and beyond. For more information regarding the Duo Mobile app, how to use it, and how to enroll in its 2FA program, please visit http://www.uab.edu/it/home/2-factor.

Will 2FA be used to login to all UAB applications and associated sites?

Not at this time. UAB will begin integrating Duo Mobile’s 2FA capability soon. Duo 2FA is slated to be incorporated into the login process for select applications and sites during the 2018 fiscal year and beyond.

What’s needed to use Duo Mobile and 2FA?

In general, you need the following to use Duo Mobile and the 2FA process:

  • A Duo Mobile account
  • A mobile device, such as a smartphone or tablet
  • The Duo Mobile app installed on that smartphone or tablet
  • A cellular or Wi-Fi connection

If you do not have a smartphone that can run the Duo Mobile app, alternative methods for using Duo and 2FA are available. More information on using hard tokens and cellphones can be found later in this FAQ.

How do I get a Duo account?

As part of the University’s initiative to expand our use of two-factor authentication, most University students, faculty, and staff are automatically enrolled in Duo, effective FY 2019. Users not required to use Duo are still welcome to opt-in by visiting UAB’s 2FA Sign-Up page.

What is the Duo Mobile app and what does it do?

Duo Mobile is an app that generates an out-of-band notification to users when they attempt to log in to sites or applications that require Duo 2FA. After typing in a BlazerID and strong password at such a site, Duo can be used on a mobile device to confirm that your login attempt is valid. By simply pushing a button on your mobile device or entering the PIN that Duo generated, you can confirm that your login is a legitimate session and gain access to the site or application.

If your mobile device, such as an older cell phone, does not support apps, Duo can send passcodes via SMS text that allow you to complete the 2FA process.

How do I get the Duo Mobile app?

Android users can download the Duo Mobile app from the Google Play store. Simply search for “Duo Mobile,” which is provided by Duo Security. Apple users can download the Duo Mobile App from the App Store by using the same search term. The app is free, so simply download and install the app.

What devices can I use with Duo for 2FA?

  • Smartphones (iPhone, Android, Microsoft)
  • Tablets (iPad and Android)
  • Any phone capable of receiving a call
  • Mobile phones that can receive batches of Duo passcodes via text from Duo
  • Hard tokens (small devices that generate one-time PINs for Duo)

Do I need just one mobile device to use Duo for 2FA?

Yes, but it doesn’t hurt to have more than one device enrolled to use with Duo.
As long as you have an active Duo account and at least one enrolled mobile device, you can use that mobile device to complete the 2FA process. However, a best practice is to enroll two devices and use one as a primary authentication device and the other as a backup. For example, if you have an iPhone and an iPad, you can install the Duo Mobile app on each and enroll them for use with your Duo account.

Use the iPhone as your primary device for 2FA authentication. If you lose your phone or it’s stolen, you can still use your iPad for 2FA authentication until you purchase a new phone and enroll it for use with your Duo account. If you lose or break your phone, be sure to delete it from your account as soon as possible.

What if I want to add a new mobile phone or device to my Duo Mobile account?

If you already have enrolled a primary mobile device for use with your Duo account and want to add a second device, visit this link for instructions on how to add another device.

How do I enroll my first authentication device?

If you have a Duo account and you’ve never enrolled a mobile device for use with Duo, launch a browser on your computer and visit UAB’s 2FA Sign-Up page. Click the “Manage Devices” button and then log in to that site by typing your BlazerID and strong password. Once you have authenticated, you will land on Duo’s Start Setup landing page. Then visit one of the following sites for specific instructions on how to enroll your desired mobile device (be sure to skip steps 1-3 and start with step 4):

How do Duo and 2FA work?

Once a device is linked to your Duo Mobile account, that device can use multiple methods to help you log in to a site that requires Duo 2FA. The two most common ways are via a Duo Push or a randomly generated passcode. Duo Push is the recommended way to complete the 2FA process. Passcodes can also be generated, via the Duo app or via text message. The Duo app is the best way to receive passcodes, but if you do not have a smartphone, you can receive a passcode via text message. If you are unable to receive SMS messages or run the Duo app, you can also choose to receive a call to your enrolled telephone number.

How does Duo Push work?

When you log in from your computer to an application or site that requires Duo 2FA, you first enter your BlazerID and strong password, as usual. You will then see a screen asking you to choose a Duo authentication method (usually Duo Push or Passcode).

When you click the “Send Me a Push” button on your computer screen, you will be asked to open the Duo Mobile app on your device (phone, tablet, etc.) and check for a request. A “Request waiting” banner will appear in the Duo app on your device (sometimes you have to swipe down to make the banner appear). Tap the banner to pull up the confirmation screen. Tap the big green “Accept” check mark in the bottom-left corner of the device to complete the login. Tap the big red “Deny” X to decline and cancel the login.

If you click on the “Accept” button and return to your computer screen, you will notice that your login session has been completed. If you wait too long to choose “Accept” or “Deny,” the Duo Push request will expire.

Note: If you receive a Duo Push notification and you ARE NOT trying to log in, DO NOT hit the “Accept” button. An unsolicited Push notification likely is a sign that your BlazerID credentials have been compromised and a malicious actor is trying to log in as you. In such a scenario, tap the “Deny” button, immediately go to BlazerID Central, and change your strong password.

How does the Call Me feature work when authenticating?

The Duo Call Me feature allows users to complete part of their authentication by receiving a call on an enrolled device. Users with a landline or mobile phone enrolled in Duo’s Call Me feature can click the “Call Me” button at the bottom of the Duo login screen, answer an automated call from a UAB telephone number, and press 1 on the phone’s keypad to complete the login process. This feature is ideal for phones that cannot install the Duo app or receive SMS messages; however, it also works well as a backup method, in case another Duo-activated device becomes lost or stolen.

How do Passcodes work when authenticating?

When you log in from your computer to an application or site that requires Duo 2FA, you first enter your BlazerID and strong password, as usual. You will then see a screen asking you to choose a Duo authentication method (usually Duo Push or Passcode).

After you click the “Enter a Passcode” button on your computer screen, go to your device, open the Duo Mobile app, and tap the green key next to your UAB-BlazerID account. The Duo app will generate a six-digit number. Return to your computer screen, type in the six-digit number, and hit the Enter key. If you typed in a valid passcode, your login session will be completed successfully.

If your device cannot run the Duo app, click the “Enter a Passcode” button in the Duo login screen, then click the “Text Me New Codes” button in the blue bar to receive an SMS message with a six-digit Duo passcode. When you receive the six-digit passcode, enter it into the Duo login box, then hit Enter to continue. If you typed in a valid passcode, your login session will be completed successfully.

What if I receive an unexpected Duo login attempt notification on my mobile device?

That is a sign that your UAB credentials likely have been compromised and an attacker is trying to log in with your BlazerID. Tap the red “Deny” button in the Duo Mobile app. Since the attacker doesn’t have access to your mobile device, he/she can’t complete the login via Duo. The login attempt will fail. However, you should immediately visit BlazerID Central and change your strong password.

I don’t have a smartphone. How can I use Duo and 2FA?

Users may enroll their landline or mobile phone to receive authentication phone calls via Duo’s Call Me feature. During login, click the “Call Me” button when prompted. When you answer the call, press 1 on your phone’s keypad to complete the login process.

Any mobile phone that can receive an SMS text message can work with Duo Mobile. In such cases, Duo will send a batch of 10 passcodes via a text. Each of those passcodes can be used once to complete the 2FA sign-on, until you run out of passcodes. If you have a cell phone that can receive SMS text messages, visit the following page to learn how to enroll and use that device during the two-factor authentication process: Enrollment Guide for non-smartphones

Also, a “hard token” that generates PIN passcodes can be used. In order to request a hard token, a user must first gain approval for the request from his/her supervisor and then submit a ServiceNow ticket to AskIT. Please note that users requesting hard tokens cannot use UAB’s Duo account creation and device enrollment process on UAB’s 2FA Sign-Up web page. Instead, hard token account requests will leverage AskIT for account creation and token provisioning. For more on requesting a hard token, please visit UAB’s two-factor token page.

Can I still use Duo Mobile for 2FA even if my smartphone/tablet can’t get a signal or connect to the Internet?

Yes. When you log in from your computer to an application or site that requires Duo 2FA, you first enter your BlazerID and strong password, as usual. You will then see a screen asking you to choose a Duo authentication method (usually Duo Push or Passcode).

After you click the “Enter a Passcode” button on your computer screen, go to your device, open the Duo Mobile app, and tap the green key next to your UAB-BlazerID account. The Duo app will generate a six-digit number even without a signal or Internet connection. Return to your computer screen, type in the six-digit number, and hit the Enter key. If you typed in a valid passcode, your login session will be completed successfully.

What if my Duo-registered phone or device is lost or stolen?

If you have a second device enrolled for use with Duo Mobile, use the second device to complete the 2FA login process and access the Duo portal. Then select the “My Settings & Devices” link and refer to the following document’s “Remove a device” instructions to delete the lost or stolen device from your account: Adding a Device in Duo and Managing Settings

If you do not have a second enrolled device, contact AskIT and ask them to delete the lost or stolen device from your account. You can contact AskIT by calling 996-5555, emailing askit@uab.edu, or visiting the Contact AskIT web page.

What if I don’t have a mobile phone that receives texts, a smartphone, or a tablet?

Users who cannot use the Duo Mobile app or SMS messaging may enroll a mobile or landline telephone for use with Duo’s Call Me feature. With this method, Duo will call your enrolled phone number, advising you to press 1 on your phone’s keypad to authenticate.

A “hard token” that generates PIN passcodes can be used. In order to request a hard token, a user must first gain approval for the request from his/her supervisor and then submit a ServiceNow ticket to AskIT. Please note that users requesting hard tokens cannot use UAB’s Duo account creation and device enrollment process on UAB’s 2FA Sign-Up web page. Instead, hard token account requests will leverage AskIT for account creation and token provisioning. For more on requesting a hard token, please visit UAB’s two-factor token page.

Do I have to complete the 2FA process every time?

You can if you like, but you don’t have to receive a push notification, type in a passcode, or answer a call every single time you perform a Duo-enabled login. During the login process, when you choose an authentication method, there’s a “Remember me” checkbox that appears below the login choices. By placing a check in that box, Duo will remember that you successfully logged in using 2FA from that particular device. During the defined “Remember me” period, Duo will not require 2FA from that particular device.

However, Duo is device-specific and browser-specific. That means you need to check the “Remember me for 30 days” box for each device and/or browser you use for it to remember you. That might be a bit confusing, so let’s look at what device-specific means first, and then we’ll look at what browser-specific means.

For example, at 8 a.m. you log in from your desktop computer to a site or application that UAB protects with Duo, and you check the “Remember me” box during the 2FA process. During the “Remember me” period, you will not have to repeat the 2FA process for that site/application while using your computer. However, if at 10 a.m., you log in to that same site/application with a tablet, Duo will require you to complete the 2FA process because this is the first time today that it has seen you log in to the site/application with the tablet.

You can again check the “Remember me” box for your tablet and Duo also will remember that you logged in from it. At that point, you will not have to repeat the 2FA process on either your desktop computer or tablet until the “Remember me” grace period expires.

Now let’s look at what browser-specific means. In this example, you’re using your computer and the Firefox browser. You use Firefox to authenticate to uab.box.com with Duo, you click the “Remember me for 30 days” box, and Duo will remember you for 30 days while you’re using Firefox. During that time, if you use the Chrome browser to authenticate to uab.box.com with Duo, you’ll have to perform the 2FA process and use the “Remember me” function the first time because Chrome doesn’t know that you used Firefox to tell Duo to remember you earlier. However, at that point, both Firefox and Chrome will remember you for 30 days when you use that same computer.

Does Duo 2FA work with the Box app on Apple and Android mobile devices?

Yes. The two-factor login authentication process you use to log in to uab.box.com is the same when you use the Box app on a mobile device. Due to their larger screens, tablets are ideal for using the Box app with the Duo 2FA login process. Due to the small size of many mobile phone screens, UAB IT recommends that you use a tablet instead of a mobile phone when using the Box app with Duo 2FA.

Why doesn't the “Remember Me” feature seem to work for me?

Duo uses cookies to enable the “Remember Me” feature that exempts users from performing the 2FA process for a defined period of time. When a user opts in to the “Remember Me” feature, Duo creates a cookie that remains on your computer and suppresses the 2FA prompt until the “Remember Me” grace period expires. At that time, you are required to complete the 2FA process again and check the “Remember Me” box.

If your web browser restricts cookies, does not accept them, or deletes them when you close the browser, Duo may be unable to provide the “Remember Me” grace period. Check your browser to see if it is blocking cookies or deleting them when you close the browser. If so, set your browser to either accept cookies or create an exception for Duo. For information on how your browser uses cookies and how to change settings associated with cookies, please visit the following pages:

This issue also could occur when using multiple devices and/or browsers with Duo 2FA. Please read the “Do I have to complete the 2FA process every time” answer to learn more about how the use of specific devices and/or browsers affects the “Remember me” function.

Is Duo available for UAB Medicine employees?

Duo is available for use with your BlazerID for all UAB students, faculty and staff.

UAB Medicine employees will continue to use RSA 2-factor authentication for healthcare software that requires it, but can sign up for a Duo account for applications that use BlazerID.

What if I get a new phone?

If you are a Duo user, UAB IT recommends that you enroll more than one device for use with two-factor authentication. If that is not possible and you recently bought a new phone to replace the one you’ve used in the past with Duo, please follow these instructions:

  • If you have a new phone with the same phone number, regardless of whether your phone’s operating system is the same or different, follow these instructions.
  • If you have a new phone with a different phone number, or you change your phone number, contact AskIT at 205-996-5555.