Some information on using two factor authentication with campus and CS services
Reviewed by bil hays, 2018-10-26
Two factor authentication means using some second method of authenticating yourself in addition to your password. Since ITS is rolling out two factor as a requirement for Office365, we are also requiring it for our Google Domain.
To be clear, CS folks need to set up two factor authentication for three domains of use:
- Two factor authentication for the cs.unc.edu Google domain, which will affect access to Google services like Gmail or Drive.
- Two factor authentication for ITS services that use Duo, such as the VPN, Connect Carolina, and other services. Eventually, ITS will likely require two factor for all of the services they provide.
- Two factor authentication for Office365 provided to campus, which will affect access to Outlook and Office apps via the web.
Also to be clear, at this time we are talking about access to services via web browsers; at this point, few other applications understand two factor authentication. So for programs like Thunderbird, Mail.app, and Postbox, you will need to create what is called an application password, which is just a randomly generated password that you enter into the application.
Why would I want to do this?
If someone manages to get your password, requiring a second factor lessens the chance that they will be able to get to your stuff, or to the stuff that other people have let you access.
For example, most web sites let you reset passwords by sending you an email with a complex link. If I have access to your email, I can try to reset your password on other sites by having them send email with reset instructions. And if you use the same password for multiple sites, well, things get pretty bad pretty fast.
As for two factor authentication, there are in general multiple ways to do this:
- Using a time-based one-time passcode generated by an app on your smartphone. Reading a code from the app and typing it in is the most secure method, since it does not require any connection between the app and the Duo software on the campus system.
- Having the system send an SMS message to your smartphone, though this is not recommended.
- Having the system make a phone call to you on a land line.
- Having the system push a request to your smart phone.
- Using a previously issued one time use key.
- Using a dedicated second factor device, such as a USB security key designed for this purpose.
This all sounds terribly complicated, but in practice, it’s really not that difficult. The short version is you pick out at least two methods that work for you for your second factor, and use those. You pick two so that if one method fails for whatever reason, you’re not locked out completely.
Using Two Factor Authentication with the cs.unc.edu Google Domain
- The Google Authenticator app. This app runs on smart phones or pads, and also supports two factor for other sites, including Dropbox, Github, Facebook and WordPress. This is the most secure method.
- Google supports YubiKeys, which are USB security keys that you can link to your account.
- Get a Google prompt on your phone and just tap Yes to sign in.
- Google can call landlines or cell phones to read you a code by voice. You enter the phone number of the phone you want to use, Google calls to confirm you have access to that phone, and thereafter you can have Google call you at that number.
- SMS text messages, but again, this is not recommended.
- You can create a set of one-time-use keys as Backup Codes. You should do this, but keep the codes in a safe location, and do not store them in your main password vault. I keep mine in an encrypted folder.
Instructions on enabling two factor authentication are here:
With Google, each browser you use can be marked as trusted when you authenticate with the second factor, so you are not asked for it again on that browser.
If you use third party apps like Mail or Thunderbird, you will need to generate an application password, since they do not understand two factor authentication.
Using DUO with Campus Systems
ITS has chosen Duo for the campus 2nd factor system.
- The primary method of using Duo is to install the Duo Mobile app on your smart phone or pad and have the system push a request to the app.
- The app can also generate a code for authenticating.
- You can also register land line phone numbers with campus, and have Duo call you on that line.
Most web pages using Duo for two factor will let you choose the method of verifying the second factor. For example, if I want to get a copy of my W-2 online, I would go to Connect Carolina, use the self service menu to select View W2/W2c, and then on the next page I would click on Verify with 2-Step. On the next page, I get a pop-up that lets me choose whether I want to use my smart phone or my land line to authenticate, and then choose what method to use with that device. So I can have the page send a push to my smart phone, and then on the phone, click on a button to authenticate. Or I can have the page call my landline, and when it does, I just press any key on the phone to authenticate.
The Cisco VPN client works a little differently, and we recommend you test it out once you have gotten Duo set up. Starting on the 18th of September, second factor authentication will be required to use the Campus VPN. There is a Test-Duo VPN group now on the campus VPN; if you choose that group in the Cisco AnyConnect application, you enter your Onyen and password, and then in the second password field you can enter one of the following:
- The passcode from the Duo mobile app on your smartphone or pad.
- A request to push a Duo notification to your smartphone or pad.
- Enter the word “phone” to have Duo call the first phone number you’ve registered, “phone2” to call the second phone number you’ve registered, etc.
More information on this is available here. There is also an option for using a USB-based second factor, but ITS is limiting access to it for now, since registration is currently a manual process.
Using Two Factor Authentication with Office365
As is the case with Google and Duo, you have multiple options.
- Microsoft provides its own authenticator app for smart phones and pads, which supports push notifications.
- The app also generates a six-digit code you can use to authenticate.
- They also support land lines.
What if I don’t have a smart phone?
If you don’t have a smart phone and a land line won’t work for you for whatever reason, one option is to buy an Android phone that is not associated with a carrier; these are available for as little as $50. You can connect it to wireless and install the Google, Duo, and Microsoft applications. If you set these up to issue the time-based code, the phone does not need a wireless or cell tower connection to generate codes for the second factor. The phone will need to connect to the internet about once a month for this to keep working.
You can also use Skype as a phone to receive codes. Do not use a google voice number for two factor authentication with Google.