Application Two Factor Authentication

Introduction

2-factor authentication (2FA) is a common security control that adds security to user accounts by requiring a secondary device to authenticate the user’s identity. This prevents any attempts to illegitimately log in as another user, even with a correct password.

Virginia Tech uses Duo 2-factor authentication as a part of its Single Sign-On (SSO) service. This enables users to authenticate their login attempts by either providing a code or verifying a “push” notification via the Duo mobile app.

Valid 2-Factor Authentication Methods:

  • Phone SMS Text Message
  • Phone Voice Call
  • Duo D-100
  • Passcode from the Duo App or Virginia Tech Web Site
  • YubiKey
  • Lightweight Directory Access Protocol (LDAP)

Authentication Methods: Duo Push, Duo Mobile Passcode, Phone Callback, and SMS Passcode

Methods selected will appear as options to users during the Duo Authentication process. By default, the following methods are allowed: Duo Push, Duo Mobile Passcode, Phone Callback, and SMS Passcodes.

Using SMS Passcodes and/or Phone Callback to verify via 2FA is less secure than other methods. Consider disabling these methods in high security scenarios, but note that doing so reduces accessibility.

For more information about the default Duo integration settings, please refer to the Duo Integration for Applications knowledge base (KB) article.

2FA via LDAP for Applications

Sometimes applications cannot directly support 2-factor authentication. In this case, Duo provides an alternative authentication proxy for applications that use LDAP for authentication. For more information regarding Duo 2FA via LDAP authentication, please visit Virginia Tech’s Middleware Services.

Procedures

Requesting a Standard Duo Integration

Virginia Tech offers free 2-factor security for its departments and workgroups. This is ideal for applications that cannot utilize the Virginia Tech Login service.

Standard Duo integrations can only be requested by Active Directory Organizational Unit admins.

  1. Log in to 4Help.
  2. Go to the Duo Integration KB article.
  3. Click Request this service.
    1. On mobile, the Request this service button is located at the bottom of the screen.
    2. On desktop, the Request this service button is located on the right sidebar.
  4. Fill out the request form.

By default, the application name combines the department short name and the integration type, and the Duo group name combines the application name and the role of the Duo group. Duo groups are required for Duo integration requests and limit access to the integration to the members of those groups.

Requesting a Duo Consultation

If you need a non-standard Duo integration for your application, you may request a consultation.

  1. Log in to 4Help.
  2. Go to the Duo Integration Consultation KB article.
  3. Click Request this service.
    1. On mobile, the Request this service button is located at the bottom of the screen.
    2. On desktop, the Request this service button is located on the right sidebar.
  4. Fill out the request form.

Resources

4Help: Duo Integration for Applications

Virginia Tech Middleware Services

4Help: Duo Integration Consultation