Why do I need this?

 

Passwords Are Not Enough

According to data from the Verizon 2019 Data Breach Investigations Report, easy-to-remember passwords were the #1 cause of data breaches in 2019! Passwords are increasingly easy to compromise. They can often be stolen, guessed, or hacked — you might not even know someone is accessing your account.

 

What are Duo and MFA?

MFA – Multi-factor Authentication. Using multiple factors to ensure that a login is authentic. Using only a username and password is only one factor: something you know. Besides using a strong password, MFA is the best way to secure your accounts. Even if a hacker does manage to crack your password, they will be unable to log in without satisfying the other factor(s).  Duo is a provider of MFA, and a part of Cisco.

 

Factors

  • Something you know (i.e., a username or password)
  • Something you have (i.e., a badge, keyfob, smartphone)
  • Something you are (i.e., fingerprint or facial recognition)
  • Somewhere you are (i.e., City Hall, United States)

Duo

Duo is a something you have factor which is much more secure than SMS text messages (which can be spoofed). It can be set up to use a phone, a smartphone app, a keyfob, and other methods.

How It Works

Three steps to stronger authentication

  1. Enter username and password as usual
  2. Use your phone to verify your identity
  3. Securely logged in

 

Supported Devices

Click your device platform to learn more:

 

How does this affect me?

After your section has been turned from Microsoft MFA to Duo MFA, a couple things will change.  First off, you will no longer get text messages from Microsoft.  Your desk phone will be auto-enrolled with Duo as your primary MFA authentication device.   This means that when a Duo prompt appears, it will by default, select your desk phone to send a phone call to in order to verify your identity.

However, Duo will prompt you ONLY when you are off the city network.  If you are on the city network (wired or wireless), you should never see Duo prompts. If you plan to access any work resources while off the network (from home, out of town, etc), you will need to register another device, which is described below.

The following items are inaccessible without registering with Duo while off the city network:

  • Office 365 web applications (office.com)
  • Office 365 mobile applications, such as email on iMail, Android Mail, or Outlook mobile app
  • Remote Desktop via remote.flagstaffaz.gov

Where will I see Duo prompts?

  • When logging into Office.com.
  • When using Microsoft Remote Desktop Connections, either local or via remote.flagstaffaz.gov.
  • If you are someone who has administrative-level IT access (such as a tech partner), you will be prompted when using your admin account.

 

How do I manage my Duo devices?

Anytime you are being asked to authenticate with Duo, there are a couple key pieces of information presented.

Device types:

  • Mobile phone
    1. Allows using phone call, text message, or a “push” via the Duo Mobile app for push verification
  • Tablet
    1. Allows use of Duo Mobile app for push verification
  • Landline
    1. Allows phone call verification

 

If you are adding a secondary device (cell phone, tablet, etc) to use for authentication from off-premise, please login to remote.flagstaffaz.gov and proceed with the below steps:

 

  1. When registering a new device that is not listed there, you can call the helpdesk or register it yourself, as shown below
    2. You will be prompted to use your landline (phone call to your desk) to confirm your identity.   ***YOU MUST DO THIS FROM YOUR DESK SO YOU CAN ANSWER YOUR DESK PHONE***
    1. Select the type of device you want to add
    1. Type in the phone number or the tablet version you are adding
    1. If it is a mobile phone or tablet, you will need to install “Duo Mobile” app for android or iOS
    1. Once installed, click “I have Duo Mobile Installed”, then scan the QR code with the App, as described in the screenshot
  2. You can also choose to email the link to yourself if you can’t scan it
  1. Here is what the Duo prompt looks like
  2. Select the device drop down box if you have more than one device registered (landline/desk phone, cell phone, etc), each device displaying the associated phone number and type of device


 

 

Configure Device Options

Click the Device Options button next to any of your enrolled devices to view the actions available for that type of device. You can Reactivate Duo Mobile for an enrolled smartphone, Change Device Name for any type of phone, or delete any authentication device.

Device Options

Change Device Name

Clicking Change Device Name will open up an interface to change the display name of your phone (hardware tokens can't be renamed). Type in the new name and click Save.

Change Device Name

After successfully modifying your phone's name, not only will you see this from now on when managing devices, but it will also be how your phone is identified in the authentication dropdown.

Renamed Device

If you want to continue using your original device with Duo, you can specify which of your devices you would like to be the default. Click the Default Device: drop-down menu and pick your default device for authentication. Click Save if you're done making changes.

Choose Default Device

If this is the device you'll use most often with Duo then you may want to enable automatic push requests by changing the When I log in: option and changing the setting from "Ask me to choose an authentication method" to "Automatically send this device a Duo Push" or "Automatically call this device" and click Save. With one of the automatic options enabled Duo automatically sends an authentication request via push notification to the Duo Mobile app on your smartphone or a phone call to your device (depending on your selection).

Enable Automatic Authentication


 

 

Remove a Device

If your new device is replacing the one you previously enrolled, you can remove the device you won't be using any more for authentication. Click the Device Options button next to the device you want to remove, and then click the trash can button to delete that device.

Delete a Device

You'll have the chance to confirm that you want to delete that device.

Confirm Deletion

The authentication device is removed from your profile.

Device Removed

 

Adding or modifying from a Mobile device

  1. You can also perform the above steps on a mobile device (cell phone, tablet), but the steps are slightly different, see below:
    1. Navigate to the same website described above
    2. Click on Settings on the top right of the screen
    1. Click Add a new device
    1. You are now required to authenticate to add a new device, select your desk phone number from the drop down list, then Call Me
    1. Select the type of device you are wanting to add
    1. Click the link for the app store for your device
    1. Lastly, click Take me to Duo Mobile to open the app and finish the registration
  1. You’re all done!


 

 

 

I need help!

If you run into any problems while setting up Duo, please reach out to our IT Help Desk at

Ticket: https://helpdesk.flagstaffaz.gov

Email: helpdesk@flagstaffaz.gov

Phone: (928)213-2800




Created by: Adam Zwebti & Matt Kakert