As part of University Technology's 2014 Security Initiatives, we have partnered with Duo Security to offer additional protection to your uLogin account. This new service, known as Two-Factor Authentication, protects your uLogin account by adding a second step to the login process. After entering your uLogin ID and password, you will use either your phone or a device known as a hardware token to confirm your identity. This prevents anyone but you from accessing your account, even if they know your password.
This service is not enabled by default. In order to use Duo Two-Factor Authentication, you must first enroll in the system using Duo Self-Service Enrollment. If you are not enrolled in the system, you will continue to log in to Drew University web sites using your regular uLogin ID and password.
Am I required to enroll in Duo Two-Factor Authentication?
Drew University will be requiring all faculty, staff, and contractors with uLogin accounts to enroll in the system in order to protect the sensitive University records that employees have access to as part of the course of their work. Please review the Responsible Use of University Data Policy for more information.
Students are not required to be enrolled in the system, although are welcome to do so if they choose. Student Employees may be required to enroll depending on the nature of their work and the electronic records they have access to.
What is the schedule for mandatory faculty and staff enrollment?
|Monday, January 6, 2014||Early adopter enrollment for invited testers|
|Monday, January 13, 2014||General availability. Self-service enrollment available for all members of the University community.|
|Tuesday, January 21, 2014||Open hours held in the Faculty/Staff Lab, 9:30am-11:30am.|
|Monday, January 27, 2014||Reminder email sent to all faculty, staff, and contractors with uLogin accounts about mandatory enrollment.|
|Tuesday, February 4, 2014||Open hours held in the Faculty/Staff Lab, 9:30am-11:30am.|
|Monday, February 10, 2014||Reminder email sent to supervisors about mandatory enrollment including lists of employees who have yet to enroll.|
|Monday, February 17, 2014||Open hours held in the Faculty/Staff Lab, 9:30am-11:30am.|
|Monday, February 24, 2014||Final reminder email sent to supervisors and VPs about mandatory enrollment including lists of employees who have yet to enroll.|
|Friday, March 7, 2014||Deadline for enrollment. Faculty, Staff, and Contractors who have not enrolled in the system by this date will have their uLogin accounts disabled.|
Completing Self-Service Enrollment
It's easy to enroll yourself in Duo Two-Factor Authentication using our self-service pages. After logging in, Duo Security will walk you through the steps to enroll one or more phone numbers into the system. We recommend enrolling multiple phones, such as your mobile phone and office landline. If you are enrolling multiple phones, enroll your primary cell phone first. Go to the self-service enrollment site to get started with the process.
To learn more about the enrollment process, read the Enrollment Guide on Duo Security's web site.
Please note: If you intend to enroll multiple phones, as is recommended, you should enroll them all during this initial self-service enrollment. You will not be able to add other phones yourself later. You will need to come to the UT Helpdesk with photo ID to have other devices added for you.
Please keep in mind that, when enrolling devices/landlines yourself, you will need to have them at hand to verify ownership. Also, pay attention to the order in which you add phone numbers, as this will affect how you can log in later.
What if I do not have a cell phone?
If you do not have a cell phone, you may obtain a Yubikey or Classic Hardware Token from University Technology. Tokens are distributed freely to faculty and staff who need to enroll in the two-factor authentication service. Please come to the University Technology Helpdesk with a photo ID to obtain a token. Please note that replacements for damaged or malfunctioning tokens will be provided for free. A $50 charge will apply to replace a missing token.
Using Your Account After Enrollment
Once you have enrolled in Duo Security, you will be required to complete the second step of authentication whenever you see a uLogin form. You can log in from any computer but you will need to approve the login using one of the phones (or hardware token) that you have enrolled in the system.
Simply enter your uLogin ID and password as usual and Duo will automatically use the Default method to log in. If the first phone you enrolled is a smartphone, Duo will send a Push message to that phone and prompt you to approve the login using the Duo Mobile app. If it is not a smartphone, Duo will make a regular telephone call to that number and you will be prompted to approve the login by pressing any key on your phone.
Using Duo Security options to select another login method
By clicking the Duo Security link on the uLogin form, you can select another method to use to log in. Click the drop-down to view the available options. The phones you have enrolled are designated Phone 1, Phone 2, and Phone 3 in the order in which you registered them during the enrollment process.
- Defaults - If you do not select any Duo Security options, Duo will automatically use the Default method. If the first phone you registered is a smartphone, Duo will automatically send a Push notification to that phone to approve the login. If the first phone is not a smartphone, Duo will place a telephone call to that number instead.
- Push (recommended) - If you have registered a smartphone and installed the Duo Mobile app, the Push method of authentication is recommended. In this mode, Duo will send a notification to your smartphone. Simply accept the pop-up message on your phone and click Approve to authorize the login request.
- Text - You may use the Text option with any phone capable of receiving text messages. When you select the Text option, Duo will send a set of 10 one-time passcodes to the phone you have selected. After the text message has been sent, you will be returned back to the uLogin form with a login failed message. Once you have the text message, you may use each code in the message to log in once using the Passcode option. Once you have exhausted your 10 passcodes, use the Text option again to get more. Whenever you use the Text option to send passcodes, any previously texted passcodes are invalidated immediately, even if unused.
- Call - When you select the Call option, Duo will place a voice call to the phone selected. Answer the phone and listen to the voice prompt. Pressing any key on your touch tone phone will approve the login request.
- Passcode - You may obtain a 6-digit one-time login passcode from one of several sources. Simply enter the passcode into the box below the drop-down to log in.
- Using a Yubikey - If you have been issued a Yubikey, position the cursor in the third text box and press the button on your Yubikey to enter the passcode.
- Using a classic hardware token - If you have been issued a hardware token, simply press the button to generate a new passcode and enter it into the text box.
- From a text message - If you have used the Text option to send yourself 10 one-time passcodes, enter a passcode you have not used previously. When you have run out of passcodes, you can use the Text option again to send 10 more.
- Using the Duo Mobile app on your phone - If you have registered your smartphone with Duo, but you are out of cell coverage and cannot use the normal Push method, you may use the app to generate a passcode instead. Using your Duo Mobile app, touch the key icon next to the Drew University account to generate a new one-time passcode.
Using Your Device with Duo
Duo supports a wide-variety of different devices for authentication. Select the type of device you are using to learn more:
- iPhone or iPad
- Android Phones and Tablets
- Windows Phone
- Landlines and Cell Phones
- Classic Hardware Tokens
Syncing Your Drew Email to Your Phone, Tablet, or Other Programs
After enrolling in Duo you will need to take additional steps if you currently synchronize your Drew University email and calendar with your smartphone or tablet, or use other email and calendar software such as Microsoft Outlook, Apple Mail, or Thunderbird. At present, these applications do not support two-factor authentication. Therefore, once you have activated Duo, we generate a new password specifically for use with these services known as your device password. Your device password is automatically managed by the system and will be changed for you every 90 days. Device Passwords are not necessary for accessing your Drew Google account via a web browser.
When setting up your phone or tablet to connect to Drew email, please consult our instructions. However, instead of entering your normal uLogin Password, enter your Device Password instead.
Obtaining your Device Password
You may obtain your current Device Password at any time by visiting the self-service site. For security reasons, you will be prompted to perform two-factor authentication again even if you have already logged into uLogin. Information about your device password is displayed towards the bottom of the page:
We recommend selecting Enable Notifications so that you will receive an email automatically when your device password is about to expire and when it has been changed automatically.
What happens when my device password expires?
When your device password expires, the system will generate a new one for you. If you have selected Enable Notifications, the system will send you an email several days before the device password expires and after it has been changed. Once your device password has changed, your smartphone, tablet, or other email software will stop receiving new email and calendar updates. Most phones will automatically prompt you for the new password. Simply visit the self-service site to obtain your new password and enter it into your device. Your device should start sending and receiving email and calendar updates normally.
I am planning to go on a trip. How do I ensure that my phone's email service is not interrupted due to my device password changing?
We cannot extend the 90 day deadline for device password changes. However, you can expire your device password early to ensure uninterrupted service while you are away. Before your trip, simply visit the self-service site to check when your device password expires. If it will expire during your trip, click Generate a new device password to expire your current password immediately and generate a new one. This new password will expire in 90 days. Enter the new password into your phone and you will be able to enjoy uninterrupted service while you are away.
Frequently Asked Questions and Common Issues
- Do I still need to change my uLogin password every 180 days after enrolling in this service? No. Duo Two-Factor authentication adds additional verification after every login. For this reason, Drew does not require two-factor users to change their regular uLogin passwords every 180 days. Once you have completed Duo enrollment, the password expiration policy will be removed from your uLogin account automatically.
- My phone has stopped receiving email and calendar updates after enrolling in Duo. Once you enroll in Duo, any other devices you have connected to your Drew email account, including smartphones and tablets as well as third-party email programs like Outlook, Apple Mail, or Thunderbird, will need to use a special password to connect to your account. This password is known as your device password and will be generated automatically by the system. Learn more about using your device password here. The device password is only necessary if you have connected the built-in Mail and Calendar apps on your smartphone or tablet to your Drew account or are using third-party mail applications on your computer. When accessing your Google account via a web browser you will continue to log in using your regular password.
- Does Duo Security only apply to Drew web sites using uLogin? What about logging into my computer? At present, Duo Security applies to web-based services protected by Drew's uLogin system. Duo authentication is not required for local logins to your computer.
- I'm not getting my push notification. How do I log in? If your phone is out of cell coverage, you can use the Duo Mobile app on your phone to generate a one-time passcode (yes, even if you don't have service) by pressing the key icon next to "Drew University". On the uLogin page, click "Duo Security", change the dropdown to "Passcode", and enter the code generated by the app before clicking Login.
- I forgot my phone at home. How do I log in? If you set up your office phone, you can click Duo Security at the uLogin page and choose "Call" (usually under Phone 2, but this depends on which numbers you set up on your account in which order!) from the dropdown menu. If you do not have your office phone set up, you can come to the UT Helpdesk with a photo ID so that we can add the line for you.
- I've lost my phone. What do I do? Please contact the University Technology Service Center (+1 973-408-HELP) immediately so that we can deactivate that phone as a valid authenticator for your account. If you set up your office phone as an additional "device", you can click Duo Security at the uLogin page and choose "Call" (usually under Phone 2, but this depends on which numbers you set up on your account in which order!) from the dropdown menu. If you do not have your office phone set up, you can come to the UT Helpdesk with a photo ID so that we can add the line for you.
- I need to re-activate Duo Mobile. If you have a new phone (or have done a factory reset on an existing phone) and need to reactivate the Duo Mobile app, please contact the University Technology Service Center for assistance. If you are still able to log into your Drew account via another phone or token registered to your account, we will be able to send you a new activation link for Duo Mobile. Otherwise, you will need to visit the Helpdesk in person with a photo ID to register the new device.
- My hardware token stopped working. Contact the University Technology Service Center if your hardware token has stopped working or you cannot log in using the passcodes it generates.
Your token can get "out of sync" if the button is pressed too many times in a row and the generated passcodes aren't used for login. In some cases this can happen by accident if the token is stored next to other objects in a pocket, backpack, etc. The Helpdesk will ask you to generate three passcodes in a row and can attempt to resynchronize the token.
- My token is physically damaged or has been lost. If your token has been lost, please contact the Service Center immediately so that it can be deactivated as a valid authenticator for your account. Faculty and staff may obtain new tokens from the Helpdesk with a Photo ID. Replacements for damaged or malfunctioning tokens will be provided for free. A $50 charge will apply to replace a missing token.