Two factor authentication was recently introduced into Single Sign-On. Two factor authentication – 2FA for short – is a security technique that supplements your SSO password – something you know – with a second, tangible identification factor – your phone, which is something you have.
SSO’s two-factor process is implemented in partnership with Duo Security. Opting in to Two-Factor Authentication in SSO means you will be prompted by Duo to acknowledge your login requests with your chosen method:
Note that you can choose to remember your two-factor login on your computer, meaning you won’t have to answer the Duo prompt again until that period of time has elapsed.
Also note the help links on the image below. If you have trouble with your two-factor login, the links will direct you to the appropriate page on this help site.
To use a device when logging in, you will enroll your device with Duo:
As shown above, it is possible to enroll more than one device and multiple types of devices. Most people enroll their office phone (landline) first then their mobile phone.
- Mobile phone – Uses the Duo Push app, text or phone call
- Tablet – Uses the Duo Push app
- Landline – Uses phone call
- U2F token – Uses a special hardware device (coming soon)
Is Two-Factor Authentication Required?
While it isn’t required for all employees to use two-factor authentication, it is recommended that it be used as an additional security measure for all SSO account holders.
Some users – including administrators of SSO and its related applications – will be required to implement two factor authentication.
Alternate Logins and SSO Two-Factor Authentication
It is worth noting that the initial implementation of SSO’s two-factor authentication only applies when logging into SSO using your UIN. The alternate login applications that can be used with SSO will not:
- use your SSO two-factor enrollment selection
- access your two-factor device(s) registered with Duo on behalf of SSO
Additional alternate login integration work is planned that will alleviate the first issue. Since each login provider must implement its own two-factor authentication process, system-wide support for this feature across all logins will take some time.