Two-Factor Authentication

Duo

Two-Factor Authentication
In response to ever increasing information security threats, on July 24, 2017 ITS will enable two-factor authentication for logging into certain systems, such as Banner.  Two-factor authentication adds another layer of security when logging in to MSU systems.  The first factor required to login is something you know, i.e. your NetID/NetPassword.  The second factor is something you have, typically your smartphone or tablet.  Therefore, even if a hacker is able to get your NetID/NetPassword, he should not be able to login to your account because he does not have your second factor. 


How does two-factor authentication work?
MSU uses a two-factor authentication product called Duo.  When you enroll in 2FA, you will download and install the free Duo mobile app on your smartphone or tablet.  During the enrollment process, you will register your smartphone or tablet as your second factor device, which associates it with your NetID/NetPassword.  Once you have enrolled in 2FA, when you login to an MSU system such as Banner, you will enter your NetID and NetPassword as always, and then you will provide your second factor, typically by tapping a “confirm” or “approve” button on the Duo app of your registered mobile device.

How do I enroll in two-factor authentication?
Duo two-factor authentication is most often used in conjunction with your smart phone or tablet.  If you do not have a smart phone or tablet, you will need to contact the ITS Helpdesk.  Otherwise, follow the steps below to enroll in two-factor authentication and register your mobile device.  You should complete the following steps on a computer with your mobile device available.
1. Point your web browser to http://duo.msstate.edu
2. Enter your NetID and NetPassword and click “LOGIN”
3. Click “Proceed”
4. Click “Yes” to confirm
5. Click “Add/Manage Device”
6. Click “Start Setup”
7. Select the type of device, mobile phone or tablet, that you are adding and click “Continue”
8. If you are using your smartphone, enter your phone number and verify that it is correct by checking the box and click “Continue”.  If you are using a tablet, you will not be prompted to enter a phone number.
9. Select the type of phone or tablet and click “Continue”
10. Install the Duo mobile app on your smart phone or tablet, and then click “I have Duo Mobile”
11. Launch the Duo mobile app, tap the “+” button, and scan the barcode.  (After a successful scan a green checkmark will appear)
12. Click “Continue” and then click “Close”
13. Congratulations!  You have successfully enrolled in two-factor authentication and registered your mobile device.
14. Click “Exit” to leave Duo enrollment

Now that you have enrolled in two-factor authentication, when you login to an MSU system such as Banner, you will enter your NetID and NetPassword as usual, and then a Duo screen will appear.  The screen has two options “Send Me a Push” and “Enter a Passcode”.  Normally you will click “Send Me a Push”.  The passcode option is explained below.  After selecting “Send Me a Push”, the Duo mobile app on your registered device will prompt you to approve or deny this login attempt.  If this is a legitimate login using your NetID/NetPassword, you should approve; otherwise deny.

Note that not all MSU systems are currently protected by two-factor authentication, but all centrally supported systems that use CAS (Central Authentication System) are.  Other systems will be added as appropriate.

What is the purpose of a two-factor passcode?
Consider the scenario where you have enrolled in two-factor authentication and registered your smartphone as your second factor device.  You come to the office ready to go to work, but then you realize you left your smartphone at home.  In that scenario, you can generate a passcode that you can use for up to 24 hours in lieu of your second factor device.  A passcode can also come in handy when you buy a new smartphone to replace your old one.  Since your old phone is no longer operational, you will need a passcode so that you can login to duo.msstate.edu to add your new mobile device and remove your old device.

How do I generate a two-factor passcode?
1) Point your web browser to http://2fa.msstate.edu
2) Click “Generate a Two-Factor Authentication Passcode” under Two-Factor Maintenance
3) Enter your NetID/NetPassword and click “Login”
4) Enter your Birth Date and MSU ID Number or Social Security Number and click “Submit”
5) Enter the answer to your security question and click “Submit”
6) Your passcode will be displayed

How do I login using a two-factor passcode?
When you login to an MSU system such as Banner, you will enter your NetID and NetPassword as usual, and then a Duo screen will appear.  The screen has two options “Send Me a Push” and “Enter a Passcode”.  Instead of clicking “Send Me A Push” as you normally would do, click “Enter a Passcode”.  Then enter the passcode that you generated earlier and click “Log In”.   You should now be logged in.

Frequently Asked Questions


2FA adds another layer of security when logging in to MSU systems.  The first factor required to login is something you know, i.e. your NetID/NetPassword.  The second factor is something you have, typically your smartphone or tablet.  Therefore, even if a hacker is able to get your NetID/NetPassword, he should not be able to login to your account because he does not have your second factor.

There are two options for enrolling in 2FA. The recommended option is to receive a push notification to your mobile device. Note that is not a text, but is generated via the DUO mobile app. The second option is to enter a passcode. There are three methods available to obtain a passcode: 1. Go to 2FA. msstate.edu and click "Generate a Two-Factor Authentication Passcode; 2. Access the DUO mobile app on your device and tap the key icon next to Mississippi State University; and 3. Generate a passcode through a hardware token/fob.

Once you choose the DUO authentication method, check the box next to "Remember me for 24 hours". You will not have to use 2FA for 24 hours in that browser on that computer. 

A passcode is generated by DUO for authentication. The passcode is used as the 2fa authentication method in specific situations such as:

  1. You normally use the Duo mobile app for a “Push” notification to your device but you don’t have your mobile device with you.
  2. You don’t have a mobile device and need a hardware token (fob) to generate a passcode.
  3. You are at a location where there is no cellular or wireless service to your device, so the “Push” notification will not work.

There are three methods available to obtain a passcode. 

  1. Go to 2FA.msstate.edu and click “Generate a Two-Factor Authentication Passcode”. This passcode is valid for 24 hours. 
  2. Access the DUO mobile app on your device and tap the key icon next to Mississippi State University.   This passcode is good for one-time use. 
  3. Generate a passcode through a hardware token/fob.  This passcode is also good for one-time use. Contact the ITS Help Desk regarding a hardware token.

If autopush is selected during your set up, you will receive a message on your device with a code automatically during the Central Authentication System (CAS) login. This is not the recommended method of 2FA.

Go to 2FA.msstate.edu and click Generate a Two-Factor Authentication passcode which is good for 24 hours.

If your phone number has not changed. Go to duo.msstate.edu and click Add/Manage Device. Click “Enter a Passcode”. (See “What is a DUO Passcode?” in the FAQ above to learn how to generate one.)  Click “Device Options”. Then click “Reactivate DUO Mobile”. This will prompt a QR code to scan with the DUO App on your new phone. Tap the “+” button, and scan the QR code.

If you have a new phone number or tablet. Go to duo.msstate.edu and click Add/Manage Device. Click “Enter a Passcode”. (See “What is a DUO Passcode?” in the FAQ above to learn how to generate one.) Click “Add another device”. Follow the steps 7 – 14 above for enrolling in two-factor.

When enrolling in DUO, you are able to add multiple devices.

Not currently. However, administrative users should expect VPN connections to require 2FA at a future date.

Yes. Instead of activating Duo Mobile by scanning the QR code, click the link “Or, have an activation link emailed to you instead”. You will receive an email that will allow you to proceed.