
Authentication & Authorization Services

Two-Factor Authentication

Frequently Asked Questions

The following links are for frequently asked questions related to the Two-Factor Authentication:

  • General Questions
  • Using Two-Factor with Your Phone
  • Yubikey Tokens
  • Accessibility
  • Integration Process
  • Enrollment Process
  • Troubleshooting


Q. What is Two-Factor Authentication?
A. It is the use of two independent means of evidence (factors) to assert the identity of a user requesting access to an application or service to the organization that provides it. The objective of two-factor authentication, as a method of electronic authentication, is to decrease the probability that access is granted to a requestor who is not who he/she claims to be (i.e., who is providing false evidence of his/her identity). Two-factor authentication is achieved by combining any two of the three "Somethings" below:

  • Something you know
    • Personal Identification Number (PIN)
    • Password
  • Something you have
    • Smartphone
    • Token
    • ID Badge / Smart card
  • Something you are
    • Fingerprint
    • Retinal Scan
    • Voice Pattern
    • Typing Cadence

Note that the use of a password in combination with a PIN, for example, is NOT considered two-factor authentication because both pieces of information involve a single factor - something you know.

Two-factor authentication has been pervasive and ubiquitous for quite a long time already. Anyone who has used an ATM to withdraw cash from a bank account has used two-factor authentication: you had to provide something you had (a card) and something you knew (a PIN) in order to complete the transaction.


Q. What is the difference between Two-Factor and Multi-Factor Authentication?
A. The subtle difference is that, while two-factor authentication uses exactly two factors to assert the identity of a user, multi-factor authentication uses two or more factors to assert identity. In essence, two-factor authentication is a subset of multi-factor authentication. An example of multi-factor authentication would be the requirement to insert a smart card (something you have) into a smart-card reader, enter a PIN (something you know), and provide a valid fingerprint (something you are) via a biometric fingerprint reader. This example uses three factors to assert the identity of a user.


Q. What are the business reasons to consider Two-Factor Authentication?
A. Privacy, and the threat of identity theft, are increasingly a concern as more personal information finds its way into online applications. In addition, passwords alone can frequently be guessed or compromised through phishing or hacking and consequently no longer provide adequate protection for mission-critical information systems and applications containing Personally Identifiable Information (PII), Personal Health Information (PHI), and other confidential information. Some specific concerns:

  • As passwords become easier to guess or compromise, password complexity requirements are quickly coming to exceed what users can reasonably remember.
  • Password proliferation has increased the time and effort spent on user support because of forgotten passwords and the need to reset them.
  • Many password reset mechanisms are insecure, even if the passwords themselves are not.
  • The increased use of single sign-on increases the value of passwords and the number of ways in which those passwords can potentially be attacked.
  • Passwords are all too often cached in applications (e.g., email clients or web browsers), stored off site (e.g., POP/IMAP consolidation of email from multiple accounts), and reused for multiple services, some highly sensitive.

See Passwords, a presentation at the NWACC Security Conference 2009, for an in-depth review of all the reasons why it makes good business sense to consider two-factor authentication as alternative to traditional passwords.

Compliance is also driving adoption of two-factor authentication in other areas - three examples:

  • The Federal Information Security Management Act (FISMA) applies to grantees (e.g., institutions of higher education) when they collect, store, process, transmit or use information on behalf of the United States Department of Health and Human Services (HHS) or any of its component organizations. In other words, Federal security requirements apply and the institution of higher education is responsible for ensuring appropriate security controls (see OMB Circular A-130, Appendix III and NIST SP 800-63 Electronic Authentication Guideline).
  • The Health Insurance Portability and Accountability Act (HIPAA), where the most important concern is the confidentiality of patient records and protected health information, does not explicitly require two-factor authentication but clearly makes an appeal to the use of industry best standards.
  • The Payment Card Industry Data Security Standard (PCI DSS), where the most important concern is the confidentiality of cardholder information, hints at the desirability of using multiple factors in its requirement 8.2 "In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users: - Something you know, such as a password or passphrase - Something you have, such as a token device or smart card - Something you are, such as a biometric." It is more specific in its requirement 8.3 regarding remote access to the local network "Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. (For example, remote authentication and dialin service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; or other technologies that facilitate two-factor authentication.)"

Internet banking is another area with two-factor authentication requirements: the Federal Financial Institutions Examination Council (FFIEC) strongly recommends two-factor authentication for consumer online banking services. Specifically, in its Supplement to Authentication in an Internet Banking Environment, under Customer Authentication for High Risk Transactions, it states "Financial institutions should implement layered security, as described herein, utilizing controls consistent with the increased level of risk for covered business transactions. Additionally, the Agencies recommend that institutions offer multi-factor authentication to their business customers."


Q. What is the Duo Two-Factor Authentication solution?
A. Duo Two-Factor Authentication is a cloud-based second-factor authentication service with no software to install and no server to set up. Duo has patented technology and drop-in integrations that let IT customers easily integrate Duo into an existing application login workflow. See Duo Security for more information. The Duo model primarily relies on smartphones as the device in the user's possession. Most users will like the ease and convenience of using a phone to verify their identity.


Q. Who will use the service?
A. Any Texas A&M faculty, staff, student, or designated affiliate who needs to have access to a system or service that is protected by Duo Two-Factor Authentication will eventually need to use the service. At this time, however, the service is limited to pilot areas.


Q. When will I need to use the Two-Factor Authentication Duo service?
A. Once a user is enrolled in Duo, the user will need to answer a second-factor credential challenge to authenticate into any application or server that has been configured for the Duo Second-Factor Authentication service.


Q. Why should a customer/user use the Duo Two-Factor Authentication service?
A. With increasing security attacks across higher education institutions, passwords alone are not a sufficient way to protect resources. Two-factor authentication decreases the risk of compromise because a hacker would need to acquire the thing you "have", as well as the thing you "know".


Q. What are some of the features of the service?
A. The service includes many features, such as flexible integration options for IT system administrators, user self-enrollment or bulk-enrollment options, one-tap authentication or a generated passcode when cellular service is not available, and no handling of passwords or personally identifiable information (PII). (Examples of PII include social security numbers, credit card numbers, etc.)


Q. What data is stored by Duo?
A. The only data that Duo stores for a user is the subscriber's NetID (Duo does NOT know your NetID password) and information about your second factor, such as a phone number (if using a phone for the service) or the serial number of your hardware token (if not using a phone for the service).


Q. What if I lose my phone?
A. Contact your service administrator immediately if your phone is lost or stolen. The administrator will disable it for authentication and help you set up another phone for logging in.

Remember: Your NetID and password (first-level authentication) will continue to protect your account even if your phone is lost.


Q. Can I use Two-Factor with other third-party accounts, such as Google, Dropbox, etc.?
A. Yes, if you're using a smartphone for the service, then the Duo Smartphone App can integrate third-party accounts. See Duo's Third-Party Accounts page for more information.


Q. Do I need a smartphone to use Duo Two-Factor Authentication?
A. A smartphone is the best choice since it provides the greatest level of security and allows you to use the Duo Mobile App. The app generates passcodes for login and can receive push notifications for easy, one-tap authentication.

Having said that, a smartphone is not required to use the service.


Q. I don't have a smartphone. Will I be able to use Duo Two-Factor Authentication on my regular cell phone?
A. Yes, any cell phone will work, but it will not include the advantages of the app (passcodes, prompts, etc.) and may result in regular cell phone charges in order to call back and authenticate (depending on the user's phone service), as well as incur costs to the university.


Q. What if I wanted to use a landline at my office instead of my personal phone?
A. Yes, you may use a landline instead of a mobile device; however,

  • You need to take into consideration the stationary nature of a landline. Even if you work almost exclusively at your desk in your office where the landline is located, you might on rare occasions need to have access to your Texas A&M protected services from home or from a remote location (such as an annual conference).
  • Use of a landline incurs a cost to the university.


Q. What if I prefer to not use my phone at all? Can I still use Two-Factor Authentication?
A. First, using Duo on your phone is perfectly safe, and a smartphone is the preferable device to use for a number of reasons (app being available, calling prompts, one fewer "thing" to carry around and keep track of, etc.) In other words, a phone (especially a smartphone) is the preferred method.

Having said that, a hardware token is available for use instead of a phone.


Q. Can I use multiple phones, or am I restricted to one phone?
A. You can set up Duo Two-Factor Authentication on multiple mobile devices (phones, tablets, etc.).


Q. Does it cost me anything to use the service via my phone? If so, will I be reimbursed by Texas A&M?
A. Text messages and voice calls are sent only when you request them, and they would be billed by your carrier in the same way that any other text message or call would. Texas A&M will not reimburse you for these charges. If the charges when using Duo exceed a level that you're comfortable with, then consider switching to a hardware token rather than a cell phone for the service.


Q. Can I change to a different phone with a different number after I have the service?
A. Yes, you can change to a different phone with a different number. You will need to reactivate Duo on the new device, and if it's a different type of device (for example, if you're going from Android to iPhone), then you will need to make sure that you select the new phone type before reactivating.


Q. What does the Duo App access on my phone?
A. It does not access your other apps or other data on your phone; it uses some base functionality of the phone and a certificate that identifies your phone to ensure accurate identification.


Q. I'm often in a location where I have poor cell coverage; how can I use the service?
A. In cases where cell coverage is not available, use the Duo Mobile App to generate a passcode. Use the passcode as your second factor. If you're not using a smartphone (and therefore do not have access to the app), then generate passcodes in advance.


Q. What is a token?
A. A physical device that can usually fit on a keyring, which generates a security code for use with networks or software applications.


Q. Who must have a Yubikey token?
A. No one is REQUIRED to have a Yubikey token. In fact, most people will not have a Yubikey token because using a phone is the easiest way to use the service when accessing web applications.

For system administrators that need to log into servers regularly, the Yubikey token is beneficial since it only requires a single touch to complete the second factor authentication step.


Q. How do Yubikey tokens work?
A. A security token generates a different series of letters or digits each time it is used, which must be entered as part of the authentication process to prove that you have the token. This, in addition to a traditional username and password, adds a second factor of security.

With a Yubikey token, the device is inserted into a USB port on the computer. The user touches the gold button to generate a code, which is automatically transmitted to complete the second-factor authentication step.


Q. How are Yubikey tokens distributed?
A. Yubikey tokens are purchased through the Texas A&M Software Center. The customer picks up his or her token at the Identity Management Office.


Q. Are there any accessible options available?
A. Some accessibility problems can be addressed by the phone itself; however, if someone has an accessibility problem that cannot be resolved by using the service with a phone, then there are accessibility options available. Please contact Help Desk Central for more information.


Q. How will a unit or department be added to the service?
A. The Texas A&M Identity Management Office will handle the integration process, which includes creating a bulk-enroll option (including assisting with communication) if necessary, pilot testing, and activating the service.


Q. What are the enrollment options?
A. There are three enrollment options: inline self-enrollment, self-enrollment invitations, and manual enrollment.


Q. What is inline self-enrollment?
A. This is when an individual who is going to use a smartphone for the service completes the enrollment process by using one of the applications that supports self-enrollment. Make sure to follow the process completely in order to successfully enroll.


Q. What is the self-enrollment invitation process?
A. This is when an email is sent to you in order to start the enrollment process. Follow the directions in the email in order to complete enrollment. Make sure to follow the process completely in order to successfully enroll.


Q. What is manual enrollment?
A. Manual enrollment is when a user shares enrollment information with a Two-Factor Authentication service administrator, who completes the enrollment process and then notifies the subscriber by email when the process has been completed.


Q. What do I enter for a mobile phone that's not a smartphone when I'm enrolling for the service?
A. Whenever you're using a cell phone that's not a smartphone, select "mobile" as type and then "unknown" under platform.


Q. I'm trying to log into my Two-Factor Authentication service on my phone, but it tells me I can't. What should I do?
A. If this is the first time that you've used the service on this particular phone, then make sure that the enrollment process has been completed and then try again.

If you've used the service on this phone before and cannot log in, then make sure that the phone is not locked. If it is unlocked, then you may need to restart the mobile device and try again.

Make sure that you're using the correct mobile device. If you're using a new device (even if you have the same phone number), then reactivate Duo Mobile for the new device. (If you're changing types of phone, such as going from an Android to an iPhone, then select the new type of phone before reactivating.)

If the service is still not working, then contact your local IT support staff.


Q. I'm using a hardware token, and it's not working. What should I do?
A. If you are using a hardware token and it's not working, then try to resync the token. Call Help Desk Central for assistance with that process.
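The token behaviour described above (a fresh code on every use, passcodes that can be generated in advance, and a token that falls "out of sync" and needs resyncing) can be modelled with a counter-based one-time passcode. The following is an added illustration, not Duo's or Yubico's code: a Yubikey uses its own OTP format, so this uses the generic HOTP scheme (RFC 4226) as a stand-in for the same principle. The `Token`, `Verifier` and `demo` names are invented for the example, and `DEMO_SEED` is the RFC 4226 test-vector key, not a real token seed.

```python
"""Counter-based one-time passcodes (HOTP, RFC 4226) as a model of a hardware token.

Device and server share a secret seed; the device derives a fresh code from the
seed and a press counter, and the server accepts only codes it can derive itself
from a counter it has not yet consumed. This is an added illustration, not Duo's
or Yubico's implementation.
"""
import hashlib
import hmac
import struct

# Constructed demo seed (the RFC 4226 test-vector key). A real token's seed is
# written into the device at provisioning time and is never typed by a user.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


class Token:
    """Device side: each button press emits the next code and advances the counter."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return code

    def pregenerate(self, n: int) -> list:
        """Passcodes 'generated in advance': single-use, and meant to be used in order."""
        return [self.press() for _ in range(n)]


class Verifier:
    """Server side: tracks the next unconsumed counter and tolerates bounded drift."""

    def __init__(self, seed: bytes, window: int = 10):
        self.seed = seed
        self.next_counter = 0   # lowest counter value still acceptable
        self.window = window    # how far ahead of the server the token may have drifted

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.seed, c), code):
                # Accepting counter c burns every counter at or below it, so a code
                # seen earlier (or the same code replayed) is rejected afterwards.
                self.next_counter = c + 1
                return True
        return False

    def resync(self, first: str, second: str, search: int = 10_000) -> bool:
        """Recover from drift beyond the window using two consecutive codes."""
        for c in range(self.next_counter, self.next_counter + search):
            if hotp(self.seed, c) == first and hotp(self.seed, c + 1) == second:
                self.next_counter = c + 2
                return True
        return False


def demo() -> dict:
    """Walk through normal use, replay, drift, resync and advance codes; report each step."""
    token, server = Token(DEMO_SEED), Verifier(DEMO_SEED)
    result = {}
    first = token.press()
    result["fresh_code_accepted"] = server.verify(first)
    result["replay_rejected"] = not server.verify(first)
    # A few presses without logging in stay within the window and are tolerated.
    for _ in range(3):
        token.press()
    result["small_drift_accepted"] = server.verify(token.press())
    # Far more presses than the window allows leave the token "out of sync".
    for _ in range(50):
        token.press()
    result["large_drift_rejected"] = not server.verify(token.press())
    # Resync: the administrator asks for two consecutive codes from the token.
    result["resynced"] = server.resync(token.press(), token.press())
    result["works_after_resync"] = server.verify(token.press())
    # Codes generated in advance are just the next few counters; using a later one
    # first burns the earlier ones, which is why they should be used in order.
    codes = token.pregenerate(3)
    result["advance_code_accepted"] = server.verify(codes[2])
    result["skipped_earlier_code_burned"] = not server.verify(codes[0])
    return result


if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step}: {ok}")
```

Running the script prints each step of the walk-through as `True`. The lookahead window is what makes an occasional accidental button press harmless, and the two-code resync is what the help desk is effectively performing when a token has been pressed many times without being used.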


Q. Why have I stopped receiving push notifications on Duo Mobile?
A. If you have stopped receiving push notifications, then check that your phone has a working network connection to the internet. It may help to switch your phone into and out of airplane mode. If there is no network problem, then request a re-activation of the service from your local IT support staff.