Using the "Duo" 2-step Login Process

What is Duo?
To improve security, ITS has recently given us the ability to add an extra verification step to NetBadge logins. This type of technology is called "2-factor authentication", or "2-step authentication". The idea is that, even if someone obtains your password, they still won't be able to access your account.

The system we're using is from a company named Duo Security.

The principle of 2-factor authentication is that you need more than just a password to log in. You also need something else (some other "factor") that's completely independent from your password.

With the Duo system, this second factor can be any of several things, selected by you. For example, it can be:

  • A telephone: You can ask Duo to phone you to confirm that you really want to log in. Your phone will ring, a voice will say "Press 1 to log in", and you'll be done. You can add as many telephones to your account as you want, and you can choose which phone Duo will call.
  • "Push" to a mobile device: If you have an iPhone or Android device that has a network connection, Duo can send a signal to a "Duo App" on your device whenever you try to log in. The app will pop up with two buttons, allowing you to accept or reject the login.
  • Time-based keys: Even if you're not connected to any network or data plan, mobile devices can still use the Duo app to log you in. The app can generate a six-digit time-based key code that you can type into the ITS login screen.
  • Portable codes: Finally, if you're going to be travelling and don't have a mobile device (or are worried that you might lose the device), Duo can generate a set of ten key codes that you can save or print out and take with you. These codes can be sent by SMS (text message) and can be received on any SMS-enabled mobile device, or they can be generated through the web-based Duo portal here: https://2step.virginia.edu/.

Whenever you authenticate via Duo, you have the option of remembering your login for seven days. This means you won't need to use Duo authentication again on this particular device and browser for that period. As a consequence, the ten key codes you can generate before leaving on a trip can, in principle, last for seventy days (ten codes, each followed by a seven-day remembered login).

Finally, if you have trouble logging in (say, for example, that you haven't generated any printable key codes and have lost your mobile phone while travelling), you can contact Bryan and we can give you a code that will temporarily allow you to log in.

What Will Duo Prevent?
As you're probably aware, Bad Guys often send out fake e-mail messages that try to fool you into giving them your password. These messages can be very convincing, and you'd be surprised how often people are fooled by them.

In January 2016, for example, a "phishing scam" like this allowed Bad Guys to get passwords for many UVa employees. As a result, about 1,400 W2 forms were stolen. You might not know this, but scammers routinely steal W2 forms and use them to file fake tax returns in order to steal people's tax refunds. You can read more about the incident here:

http://www.virginia.edu/informationsecurity/Jan-22-incident-FAQs/

More recently, another phishing scam stole Financial Aid money from several UVa students.

ITS has run several "phishing tests" to see how many employees responded to ITS-generated fake e-mails asking them for their passwords. About 25% of the people who received these messages willingly entered their passwords. If these e-mails had been from real Bad Guys, the people who were fooled could have been in big trouble.

You can find out more about phishing here:

http://www.its.virginia.edu/secureuva/phishing.html

A 2-factor authentication system like Duo can effectively block phishing attacks like these. With Duo, even if a Bad Guy obtains your password, he can't use it. The Bad Guy doesn't have access to your telephone, so he wouldn't be able to receive confirmation calls or SMS messages to continue the login after entering your password.

Is Duo Required?
Yes, Duo is now required for access to all services that are protected by NetBadge logins.

How Do I Sign Up for Duo?
To sign up for Duo, follow the instructions here:

https://its.virginia.edu/secureuva/2steplogin/

Once you've signed up, you can add ("enroll") your first device by following the instructions here:

https://www.its.virginia.edu/secureuva/2steplogin/enroll.html

and you can add more devices by following the instructions here:

https://www.its.virginia.edu/secureuva/2steplogin/manage.html

How Do I Use Duo After I've Signed Up?
After you've signed up, NetBadge will present you with a second login screen after you log in. This will allow you to select how Duo will confirm your login. You can find detailed instructions here:

https://www.its.virginia.edu/secureuva/2steplogin/use.html

How Do I Add More Phones or Generate Saveable Codes?
You can add phones or generate a set of 10 saveable codes by visiting the Duo portal here: https://2step.virginia.edu/.

Please contact Bryan or the ITS Help Desk (434-924-4357) if you have any problems.