
Authentication & Authorization Services

Two-Factor Authentication

Authentication

Electronic Authentication is the process of establishing confidence in user identities that are presented in online environments. Application developers are often faced with a choice of mechanisms based on a wide variety of technologies to perform local or remote authentication. The use of Multi-Factor Authentication adds an increased layer of security to transactions by using multiple forms of authentication mechanisms during a transaction.

Authentication Mechanisms

Authentication material used to confirm a Subject's identity is categorized into one of three types or factors:

  • Something you know (for example, a password)
  • Something you have (for example, an ID badge)
  • Something you are (for example, a fingerprint)

One measure of the strength of an authentication system is the number of factors incorporated into the system. Two-factor implementations are considered to be stronger than those that use only one factor; implementations that utilize all three factors are stronger than those that only use two factors.

Determining Need for Two-Factor Authentication

The decision to require Two-Factor Authentication for a particular application is based on the potential harm or impact of an authentication error. Categories of harm and impact include:

  • Inconvenience, distress, or damage to standing or reputation
  • Financial loss or institution liability
  • Harm to institution programs
  • Unauthorized release of sensitive information
  • Personal safety
  • Civil or criminal violations

Two-Factor Authentication is one strategy application developers can take to mitigate risks associated with unauthorized access to the application.

Texas A&M InCommon Two-factor Authentication Service

The Texas A&M University System has selected the InCommon Two-factor Authentication program with Duo Security to provide two-factor authentication to Service Providers needing enhanced security. Duo's Two-factor Authentication is a cloud-based second-factor authentication with no software to install and no server to set up. Duo has patented technology and drop-in integrations to enable IT customers to easily integrate Duo into an existing application login workflow. The Duo model primarily relies on smartphones to be the device in the user's possession. Most users will like the ease and convenience of using phones to verify their identity.

Oversight

Each Texas A&M System Member manages their own Duo instance. Texas A&M IT's Identity and Access Management Team has been designated as the Registration Authority Office for this service and is responsible for overseeing the TAMU (02) Two-factor Authentication Service. The documentation on this website pertains solely to the TAMU (02) Duo offering.

Getting Started

To add robust two-factor authentication to your application or service, just follow these steps:

Step 1

Decide which service, system or application you want to protect and request an integration. An integration is what links the Duo service to your resource.

To request an integration with Texas A&M's Duo service, complete and submit a request form:

All information on the form should be typed except the signatures. If you are uncertain about how to answer a question, please email idm-support@tamu.edu for assistance.

The form is printed, signed by the requester and mailed to the Identity Management Office, MS 3374, faxed to 979.845.6090 or emailed to idm-support@tamu.edu.

Note: CAS will have its own Duo integration, so web applications relying on CAS for authentication will not need to request a separate integration.

Step 2

Use Duo's documentation to configure the Duo integration on your service, system or appliance.

Step 3

Enroll your users in Duo.

For all groups except IT professionals, users must have a NetID and password to use Duo Two-factor Authentication.

NetID account holders are able to self-enroll in Duo Two-factor Authentication via the NetID Two-Factor Authentication application. Account holders wishing to use a hardware token device will need to purchase the token at sell.tamu.edu and then go to the Identity Management Office to pick up the token.

Step 4

Start authenticating!

Two-factor Authentication Options

Duo supports a wide variety of two-factor authentication options. While this flexibility is nice for customers, it can create uncertainty about which option is best. Following is a summary of the different options.

Device Recommendations

The best choice of device for a person depends on how the person will be using two-factor authentication:

Guide for choosing a primary Two-Factor Device

  • If you use Duo Two-Factor Authentication only at work on a PC or laptop:
    • primary device: Yubikey token
    • backup device: a mobile or office phone
  • If you regularly access applications from a mobile device:
    • primary device: Duo App (either Push or Passcode) installed on the mobile device
    • backup device: a home or office phone
  • If you are an IT professional who regularly logs into Unix or Linux servers or uses RDP to connect to Windows servers:
    • primary device: Yubikey token ("Yubikey is your friend")
    • backup device: Duo App on a mobile phone. Please be aware that SCP and RDP gateways frequently require Duo Push, so set up the Duo App on a mobile phone as a backup.

Device Overview

Mobile Phone-based Authentication

With this option, the person's mobile phone serves as the second security token (i.e. what you have). Mobile phones can be used in a variety of ways:

  • If the phone is a smartphone, an application can be installed on the phone. Once activated, it performs the functions normally provided by a security token.
  • Short Message Service (SMS) messaging
  • An interactive telephone call

Two-Factor Authentication using Duo Mobile App Push Notification

Device Requirements

Works only on smart phones and tablets.

  • iOS devices must use iOS 6.0 or above
  • Android devices must use 2.3.3 (Gingerbread) or above

Set up Requirements

  1. Install Duo Mobile app on device.
  2. Register device.

Usage Limitations

Internet connectivity is required, so there may be locations/situations where use of this option is not viable or functional (airplanes, basements).

Financial Cost

None.

Two-Factor Authentication using Duo Mobile App Passcode

Device Requirements

Works only on smart phones and tablets.

  • iOS devices must use iOS 6.0 or above
  • Android devices must use 2.3.3 (Gingerbread) or above

Set up Requirements

  1. Install Duo Mobile app on device.
  2. Register device.

Usage Limitations

No limitations. This works anywhere, even in places where you don't have an internet connection or can't get cell service.

Financial Cost

None.

Two-Factor Authentication using SMS Passcode

Device Requirements

Any smart phone, tablet, or cell phone able to receive text messages.

Set up Requirements

  1. Register device.

Usage Limitations

Cell service required.

When this option is selected, Duo sends a set of 10 passcodes for an SMS request. Users have to use the passcodes in the order given, requiring them to keep up with where they are at in their set.

SMS may be used with either Self-Service Password Reset or as a Duo Two-Factor Authentication option. It cannot be used for both. We recommend using SMS for Self-Service Password Reset rather than for Duo Two-Factor Authentication.

Financial Cost

Users are billed by their carrier for passcodes received by SMS the same way they are billed for any other text message. The specific cost to the user is based on the user's carrier plan.

Duo charges the university telephony credits for each SMS message it sends to users. The number of credits charged will vary depending on where the user is at the time the SMS message is sent. For users within the domestic U.S., an SMS costs the university one credit (one cent).

Two-Factor Authentication using Phone Call

Device Requirements

Any phone able to receive a phone call.

Set up Requirements

  1. Register device.

Usage Limitations

Cell service required.

Financial Cost

Users are billed by their carrier for phone calls the same way they are billed for any other phone call. The specific cost to the user is based on the user's carrier plan.

Duo charges the university telephony credits for each phone call. The number of credits charged will vary depending on where the user is at the time the phone call is sent. For users within the domestic U.S., a phone call costs the university two credits (two cents).

USB Token-based Authentication

A USB token is a specific type of hardware token designed to include a Universal Serial Bus (USB) connector. A USB port is standard equipment on today's computers. The token plugs into a computer's USB port. With this option, the person's token serves as the second security token (i.e. what you have).

Two-Factor Authentication using Yubikey Token

Device Requirements

Any computer with a USB port.

The Yubikey Neo token can also be used with smart phones equipped with Near Field Communication.

Set up Requirements

  1. Purchase token through the SELL.
  2. Go to Identity Management Office to register device.

Usage Limitations

Unless the Yubikey Neo token is purchased, the token can only be used with a computer equipped with a USB port.

The Yubikey Neo token can also be used with smart phones if the smart phone is equipped with Near Field Communication.

Internet connectivity is also required.

Financial Cost

Texas A&M departments are required to pay for the token.

Yubikey tokens are available from the SELL.

Two-Factor Authentication using U2F Token

Device Requirements

Any computer with a USB port.

Set up Requirements

  1. Purchase token.
  2. Register device.

Usage Limitations

U2F tokens currently only work for authenticating to web applications from the Chrome browser.

Financial Cost

Users or their departments are required to pay for their U2F token.

These tokens are available for purchase only through external vendors like Yubico or Amazon. Texas A&M departments are required to pay for the token.

Landline Phone-based Authentication

A landline phone is also an option for two-factor authentication. This option restricts the user to a specific phone in a particular location, making it much less flexible than tokens or mobile phones that can be taken anywhere.

Two-Factor Authentication using Landline Phone Call

Device Requirements

Any phone able to receive a phone call.

Set up Requirements

  1. Register phone number.

Usage Limitations

Landlines require you to be in a particular physical location. Phone service must be operational.

Financial Cost

Users are billed by their carrier for phone calls the same way they are billed for any other phone call. The specific cost to the user is based on the user's carrier plan.

Duo charges the university telephony credits for each phone call. The number of credits charged will vary depending on where the user is at the time the phone call is sent. For users within the domestic U.S., a phone call costs the university two credits (two cents).

Frequently Asked Questions

The following links are for frequently asked questions related to the Two-Factor Authentication:

General Questions

Using Two-Factor with Your Phone

Yubikey Tokens

Accessibility

Integration Process

Enrollment Process

Troubleshooting


Q. What is Two-Factor Authentication?
A. It is the use of two independent means of evidence (factors) to assert the identity of a user requesting access to some application or service to the organization that provides the application or service. The objective of two-factor authentication, as a method of electronic computer authentication, is to decrease the probability that the requestor is not who he/she claims to be (i.e., providing false evidence of his/her identity). Two-factor authentication is achieved by a combination of any two of the three "Somethings" below:

  • Something you know
    • Personal Identification Number (PIN)
    • Password
  • Something you have
    • Smartphone
    • Token
    • ID Badge / Smart card
  • Something you are
    • Fingerprint
    • Retinal Scan
    • Voice Pattern
    • Typing Cadence

Note that the use of a password in combination with a PIN, for example, is NOT considered two-factor authentication because both pieces of information involve a single factor - something you know.

The use of two-factor authentication has been pervasive and ubiquitous for quite a long time already. Any person who has used an ATM to withdraw cash from a bank account has used two-factor authentication: you had to provide something you have (a card) and something you know (a PIN) in order to complete the transaction.


Q. What is the difference between Two-Factor and Multi-Factor Authentication?
A. The subtle difference is that, while two-factor authentication uses exactly two factors to assert the identity of a user, multi-factor authentication uses two or more factors to assert identity. In essence, two-factor authentication is a subset of multi-factor authentication. An example of multi-factor authentication would be the requirement to insert a smart-card (something you have) into a smart-card reader, enter a PIN (something you know), and provide a valid fingerprint (something you are) provided via a biometric fingerprint reader. This example uses three factors to assert the identity of a user.


Q. What are the business reasons to consider Two-Factor Authentication?
A. Privacy, and the threat of identity theft, are increasingly a concern as more personal information finds its way to online applications. In addition, passwords alone can frequently be guessed or compromised through phishing or hacking, and consequently no longer provide adequate protection for mission-critical information systems and applications containing Personally Identifiable Information (PII), Personal Health Information (PHI), and other confidential information. Some specific concerns:

  • As passwords become easier to guess or compromise, password complexity requirements are quickly coming to exceed what users can reasonably remember.
  • Password proliferation has increased the time and effort spent on user support because of forgotten passwords and the need to reset them.
  • Many password reset mechanisms are insecure, even if the passwords themselves are not.
  • The increased use of single sign on increases the value of passwords and the number of ways by which those passwords can be potentially attacked.
  • Passwords are all-too-often cached in applications (e.g., email clients or web browsers), stored off site (e.g. POP/IMAP consolidation of email from multiple accounts), and reused for multiple services, some highly sensitive.

See Passwords, a presentation at the NWACC Security Conference 2009, for an in-depth review of all the reasons why it makes good business sense to consider two-factor authentication as alternative to traditional passwords.

Compliance is also driving adoption of two-factor authentication in other areas - three examples:

  • The Federal Information Security Management Act (FISMA) applies to grantees (e.g., institutions of higher education) when they collect, store, process, transmit or use information on behalf of the United States Department of Health and Human Services (HHS) or any of its component organizations. In other words, Federal security requirements apply and the institution of higher education is responsible for ensuring appropriate security controls (see OMB Circular A-130, Appendix III and NIST SP 800-63 Electronic Authentication Guideline).
  • The Health Insurance Portability and Accountability Act (HIPAA), where the most important concern is the confidentiality of patient records and protected health information, does not explicitly require two-factor authentication but clearly makes an appeal to the use of industry best standards.
  • The Payment Card Industry Data Security Standard (PCI DSS), where the most important concern is the confidentiality of cardholder information, hints at the desirability of using multiple factors in its requirement 8.2 "In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users: - Something you know, such as a password or passphrase - Something you have, such as a token device or smart card - Something you are, such as a biometric." It is more specific in its requirement 8.3 regarding remote access to the local network "Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. (For example, remote authentication and dialin service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; or other technologies that facilitate two-factor authentication.)"

Internet banking is another area with two-factor authentication requirements. The Federal Financial Institutions Examination Council (FFIEC) strongly recommends two-factor authentication for consumer online banking services. Specifically, in its Supplement to Authentication in an Internet Banking Environment, under Customer Authentication for High Risk Transactions, it states "Financial institutions should implement layered security, as described herein, utilizing controls consistent with the increased level of risk for covered business transactions. Additionally, the Agencies recommend that institutions offer multi-factor authentication to their business customers."


Q. What is the Duo Two-Factor Authentication solution?
A. Duo's Two-Factor Authentication is a cloud-based second-factor authentication with no software to install and no server to set up. Duo has patented technology and drop-in integrations to enable IT customers to easily integrate Duo into an existing application login workflow. See Duo Security for more information. The Duo model primarily relies on smartphones to be the device in the user's possession. Most users will like the ease and convenience of using phones to verify their identity.


Q. Who will use the service?
A. Any Texas A&M faculty, staff, student, or designated affiliate who needs to have access to a system or service that is protected by Duo Two-Factor Authentication will eventually need to use the service. At this time, however, the service is limited to pilot areas.


Q. When will I need to use the Two-Factor Authentication Duo service?
A. Once a user is enrolled in Duo, the user will need to answer a second-factor credential challenge to authenticate into any application or server that has been configured for the Duo Second-Factor Authentication service.


Q. Why should a customer/user use the Duo Two-Factor Authentication service?
A. With increasing security attacks across higher education institutions, passwords alone are not a sufficient way to protect resources. Two-factor authentication decreases the risk of compromise because a hacker would need to acquire the thing you "have", as well as the thing you "know".


Q. What are some of the features of the service?
A. The service includes many features, such as flexible integration options for IT system administrators, user self-enrollment or bulk-enrollment options, one-tap authentication or a generated passcode when cellular service is not available, and no passwords or personally identifiable information (PII). (Examples of PII include social security numbers, credit card numbers, etc.)


Q. What data is stored by Duo?
A. The only data that Duo stores for a user is the subscriber's NetID (Duo does NOT know your NetID password) and information about your second factor, such as a phone number (if using a phone for the service) or the serial number of your hardware token (if not using a phone for the service).


Q. What if I lose my phone?
A. Contact your service administrator immediately if your phone is lost or stolen. The administrator will disable it for authentication and assist you in activating another phone.

Remember: Your NetID and password (first-level authentication) will continue to protect your account even if your phone is lost.


Q. Can I use Two-Factor with other third-party accounts, such as Google, Drop-Box, etc.?
A. Yes, if you're using a smartphone for the service, then the Duo Smartphone App can integrate third-party accounts. See Duo's Third-Party Accounts page for more information.


Q. Do I need a smartphone to use Duo Two-Factor Authentication?
A. A smartphone is the best choice since it provides the greatest level of security and allows you to use the Duo Mobile App. The app generates passcodes for login and can receive push notifications for easy, one-tap authentication.

Having said that, a smartphone is not required to use the service.


Q. I don't have a smartphone. Will I be able to use Duo Two-Factor Authentication on my regular cell phone?
A. Yes, any cell phone will work, but it will not include the advantages of the app (passcodes, prompts, etc.) and may result in regular cell phone charges in order to call back and authenticate (depending on the user's phone service), as well as incur costs to the university.


Q. What if I wanted to use a landline at my office instead of my personal phone?
A. You may use a landline instead of a mobile device, yes; however,

  • You need to take into consideration the stationary nature of a landline. Even if you work almost exclusively at your desk in your office where the landline is located, you might on rare occasions need to have access to your Texas A&M protected services from home or from a remote location (such as an annual conference).
  • Use of a landline incurs a cost to the university.


Q. What if I prefer to not use my phone at all? Can I still use Two-Factor Authentication?
A. First, using Duo on your phone is perfectly safe, and a smartphone is the preferable device to use for a number of reasons (app being available, calling prompts, one fewer "thing" to carry around and keep track of, etc.) In other words, a phone (especially a smartphone) is the preferred method.

Having said that, a hardware token is available for use instead of a phone.


Q. Can I use multiple phones, or am I restricted to one phone?
A. You can set up Duo Two-Factor Authentication on multiple mobile devices (phones, tablets, etc.).


Q. Does it cost me anything to use the service via my phone? If so, will I be reimbursed by Texas A&M?
A. Text messages and voice calls are sent only when you request them, and they would be billed by your carrier in the same way that any other text message or call would. Texas A&M will not reimburse you for these charges. If the charges when using Duo exceed a level that you're comfortable with, then consider switching to a hardware token rather than a cell phone for the service.


Q. Can I change to a different phone with a different number after I have the service?
A. Yes, you can change to a different phone with a different number. You will need to reactivate Duo on the new device, and if it's a different type of device (for example, if you're going from Android to iPhone), then you will need to make sure that you select the new phone type before reactivating.


Q. What does the Duo App access on my phone?
A. It does not access your other apps or other data on your phone; it uses some base functionality of the phone and a certificate that identifies your phone to ensure accurate identification.


Q. I'm often in a location where I have poor cell coverage; how can I use the service?
A. In cases where cell coverage is not available, use the Duo Mobile App to generate a passcode. Use the passcode as your second factor. If you're not using a smartphone (and therefore do not have access to the app), then generate passcodes in advance.


Q. What is a token?
A. A physical device that can usually fit on a keyring, which generates a security code for use with networks or software applications.


Q. Who must have a Yubikey token?
A. No one is REQUIRED to have a Yubikey token. In fact, most people will not have a Yubikey token because using a phone is the easiest way to use the service when accessing web applications.

For system administrators that need to log into servers regularly, the Yubikey token is beneficial since it only requires a single touch to complete the second factor authentication step.


Q. How do Yubikey tokens work?
A. A security token generates a different series of letters or digits each time that it's used, which have to be entered as part of the authentication process to prove that you have it. This, in addition to a traditional username and password, adds a second factor of security.

With a Yubikey token, the device is inserted into a USB port on the computer. The user touches the gold button to generate a code, which is automatically transmitted to complete the second factor authentication step.


Q. How are Yubikey tokens distributed?
A. Yubikey tokens are purchased through the Texas A&M Software Center. The customer picks up his or her token at the Identity Management Office.


Q. Are there any accessible options available?
A. Some accessibility problems can be addressed by the phone itself; however, if someone has an accessibility problem that cannot be resolved by using the service with a phone, then there are accessibility options available. Please contact Help Desk Central for more information.


Q. How will a unit or department be added to the service?
A. Texas A&M Identity Management Office will handle the integration process, which includes creating a bulk-enroll option (including assisting with communication) if necessary, pilot testing, and activating the service.


Q. What are the enrollment options?
A. There are three enrollment options: inline self-enrollment, self-enrollment invitations, and manual enrollment.


Q. What is inline self-enrollment?
A. This is when an individual who is going to use a smartphone for the service completes the enrollment process by using one of the applications that supports self-enrollment. Make sure to follow the process completely in order to successfully enroll.


Q. What is the self-enrollment invitation process?
A. This is when an email is sent to you in order to start the enrollment process. Follow the directions in the email in order to complete enrollment. Make sure to follow the process completely in order to successfully enroll.


Q. What is manual enrollment?
A. Manual enrollment is when a user shares enrollment information with a Two-Factor Authentication service administrator, who completes the enrollment process and then notifies the subscriber by email when the process has been completed.


Q. What do I enter for a mobile phone that's not a smartphone when I'm enrolling for the service?
A. Whenever you're using a cell phone that's not a smartphone, select "mobile" as type and then "unknown" under platform.


Q. I'm trying to log into my Two-Factor Authentication service on my phone, but it tells me I can't. What should I do?
A. If this is the first time that you've used the service on this particular phone, then make sure that the enrollment process has been completed and then try again.

If you've used the service on this phone before and cannot login, then make sure that phone is not locked. If it is unlocked, then you may need to restart the mobile device and try again.

Make sure that you're using the correct mobile device. If you're using a new device (even if you have the same phone number), then reactivate Duo Mobile for the new device. (If you're changing types of phone, such as going from an Android to an iPhone, then select the new type of phone before reactivating.)

If the service is still not working, then contact your local IT support staff.


Q. I'm using a hardware token, and it's not working. What should I do?
A. If you are using a hardware token and it's not working, then try to resync the token. Call Help Desk Central for assistance with that process.


Q. Why have I stopped receiving push notifications on Duo Mobile?
A. If you have stopped receiving push notifications, then check the network connection between your phone and the internet. It may help to take your phone into and out of airplane mode. If there is not a network problem, then request a re-activation of the service from your local IT support staff.

Technical Requirements and Information

Texas A&M Duo Service

Duo Two-factor Authentication is being used to add a second layer of security to NetID accounts for those personnel accessing sensitive or higher risk systems. Departmental IT professionals may also integrate Duo Two-factor Authentication with their local (non-NetID) administrator accounts.

Users

This service is available for use to the following groups:

  • faculty
  • researchers
  • staff
  • students
  • IT professionals

For all groups except IT professionals, users must have a NetID and password to use Duo Two-factor Authentication.

Eligible NetID account holders are able to self-enroll in Duo Two-factor Authentication via the Duo Enrollment application. Account holders wishing to use a hardware token device will need to contact the Identity Management Office for assistance.

Pricing

  • Service licensing is centrally funded.
  • Smartphone and mobile app are free with use of this service.
  • Service telephony credits for call use and SMS messages with traditional cell phones and landline phones are currently covered through Texas A&M IT and are periodically subject to review.
  • Note: Text messages and voice calls are sent only when a user requests them, and they would be billed by the user's carrier in the same way that any other text message or call would be based on a user's carrier plan. Texas A&M will not reimburse users for these charges. If the charges when using Duo exceed a level that a user is comfortable with, then the user should consider switching to a hardware token rather than a cell phone for the service.
  • Hardware token devices typically used with this service are priced at $25.00 to $65.00 per device and can be purchased through the Texas A&M Software Center.

Community

tamus-duo-discuss@lists.tamu.edu is a mailing list devoted to Texas A&M's Duo service. Developers using this service are encouraged to subscribe.

Duo's Two-Factor Authentication

The illustration below outlines the basic steps in a successful two-factor authentication event. For a comprehensive description of Duo features, please review the Duo documentation.

Diagram of steps in Duo two-factor authentication event

Preliminary Step: Service Provider Duo-enables their site

To utilize two-factor authentication,

  • Web-based Service Providers will:
    • CAS-enable the Service Provider site. As with single-factor authentication, CAS will handle all steps in the two-factor authentication process.
    • Update logic used to parse CAS payload to consume the two-factor authentication information and enforce two-factor if required for the service.
  • Other types of Service Providers will:
    • Register the service and obtain an integration key and secret key.
    • Add a Duo client to the core service code or configure service to prompt for second authentication event.
    • Configure the Duo client.

The following is a very generalized explanation of the two-factor authentication process. Information for specific types of service integrations is available on Duo's website.

Step 1: Subject attempts to access a two-factor authN Service Provider site

When a Subject navigates to a two-factor Service Provider, the Service Provider initiates the login process.

Step 2 (Primary Authentication): Subject submits NetID and password

The login process is a two step process that starts with verification of the Subject's NetID and password. The Subject enters and submits his or her NetID and password.

Step 3 (Primary Authentication): Service Provider validates the Credential

The Service Provider submits the Credential to the Credential Store for verification. If the Credential is valid, the Primary Authentication is successful.

Step 4 (Secondary Authentication): Service Provider submits an authentication request to Duo

After the Subject successfully authenticates with the NetID/password pair, the Service Provider initiates the secondary authentication process by generating an authentication request. The request is an HMAC-SHA1 of the username, integration key and an expiration timestamp, using the integration's secret key as the HMAC key.

Once generated, contact with the Duo server is initiated and Duo prompts the Subject to select an authentication mechanism. The options presented to the Subject will depend on the devices that the Subject previously registered with Duo.

If a Subject has not previously registered their devices, Service Providers can allow Subjects to be prompted to register at the time the Subject attempts to access the service. Service Providers also have the option of refusing to allow Subjects to access the service if they are not previously registered.

Step 5 (Secondary Authentication): Subject selects Secondary Authentication mechanism

Subjects are encouraged to register multiple devices to provide backup authentication avenues if something happens to their primary device. Once the Subject selects an authentication mechanism, Duo sends an authentication request to the Subject's device.

Step 6 (Secondary Authentication): Subject completes Secondary Authentication request

Specific steps followed by the Subject to complete the Duo authentication event will vary depending on the selected mechanism. Once completed, Duo notifies the Service Provider that the authentication event has been completed.

For some integrations, the Service Provider will perform an additional step of verifying that the notification received from Duo is legitimate.
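As an added example (not code from this page or from Duo), the following Python models the signed request described in Step 4 and the Service Provider's verification of Duo's notification from Step 6, using the TX/APP/AUTH segment layout of Duo's Web SDK. The integration key, secret key and application key values are constructed placeholders, the expiry lifetimes are assumed, and simulate_duo_response stands in for Duo's side of the exchange.

```python
import base64
import hashlib
import hmac
import time

# Constructed placeholder keys, NOT real Duo credentials. In Duo's Web SDK the
# Service Provider also generates its own "application key" (akey); the page
# describes only the integration key (ikey) and secret key (skey).
IKEY = "DIXXXXXXXXXXXXXXXXXX"                       # integration key (20 chars)
SKEY = "0123456789abcdef0123456789abcdef01234567"   # integration secret key
AKEY = "spgeneratedapplicationkey0123456789abcdef"  # service-provider-only key

REQUEST_EXPIRE = 300   # seconds a signed request stays valid (assumed value)
AUTH_EXPIRE = 3600     # lifetime of Duo's AUTH segment (assumed value)


def _sign_segment(key, username, ikey, prefix, expire, now):
    """Build prefix|base64(username|ikey|expiry)|HMAC-SHA1 keyed with `key`."""
    expiry = str(int(now) + expire)
    payload = "|".join([username, ikey, expiry])
    b64 = base64.b64encode(payload.encode()).decode()
    cookie = f"{prefix}|{b64}"
    sig = hmac.new(key.encode(), cookie.encode(), hashlib.sha1).hexdigest()
    return f"{cookie}|{sig}"


def sign_request(ikey, skey, akey, username, now=None):
    """Step 4: the Service Provider signs the request for Duo (TX, keyed with
    skey) and for itself (APP, keyed with akey, which Duo never sees)."""
    now = time.time() if now is None else now
    duo_sig = _sign_segment(skey, username, ikey, "TX", REQUEST_EXPIRE, now)
    app_sig = _sign_segment(akey, username, ikey, "APP", REQUEST_EXPIRE, now)
    return f"{duo_sig}:{app_sig}"


def simulate_duo_response(skey, ikey, username, sig_request, now=None):
    """Stand-in for Duo's side (constructed for this example): after the second
    factor succeeds, Duo returns an AUTH segment signed with skey and echoes
    back the untouched APP segment from the request."""
    now = time.time() if now is None else now
    app_sig = sig_request.split(":")[1]
    auth_sig = _sign_segment(skey, username, ikey, "AUTH", AUTH_EXPIRE, now)
    return f"{auth_sig}:{app_sig}"


def _verify_segment(key, segment, prefix, ikey, now):
    """Check one segment's HMAC, prefix, ikey and expiry; return username or None."""
    parts = segment.split("|")
    if len(parts) != 3:
        return None
    seg_prefix, seg_b64, seg_sig = parts
    expected = hmac.new(key.encode(), f"{seg_prefix}|{seg_b64}".encode(),
                        hashlib.sha1).hexdigest()
    # constant-time comparison so the signature check leaks no timing information
    if not hmac.compare_digest(expected, seg_sig):
        return None
    if seg_prefix != prefix:
        return None
    try:
        username, seg_ikey, expiry = base64.b64decode(seg_b64).decode().split("|")
        expired = int(now) >= int(expiry)
    except (ValueError, UnicodeDecodeError):
        return None
    if seg_ikey != ikey or expired:
        return None
    return username


def verify_response(ikey, skey, akey, sig_response, now=None):
    """Step 6: the Service Provider accepts Duo's notification only if the AUTH
    segment verifies under skey (Duo really signed it), the APP segment verifies
    under akey (it answers a request this Service Provider issued, and is still
    within its lifetime) and both name the same user. Returns that username."""
    now = time.time() if now is None else now
    try:
        auth_sig, app_sig = sig_response.split(":")
    except ValueError:
        return None
    auth_user = _verify_segment(skey, auth_sig, "AUTH", ikey, now)
    app_user = _verify_segment(akey, app_sig, "APP", ikey, now)
    if auth_user is None or app_user is None or auth_user != app_user:
        return None
    return auth_user
```

A notification that reaches the Service Provider late (after REQUEST_EXPIRE), with an altered signature, or for a different user than the one the request was issued for, is rejected by verify_response.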