== Duo 2FA Enrollment Guide for UA* == Duo's self-enrollment process makes it easy to register your phone and install the Duo Mobile application on your smartphone or tablet. Duo prompts you to enroll when you log into a protected VPN, server, or web application. '''Supported Browsers''': Chrome, Firefox, Safari, Internet Explorer 8 or later, and Opera. [[BR]] ''If you intend to use the recommended option of Duo Mobile on your smartphone or tablet, we recommend downloading / installing the Duo Mobile app on your smartphone before proceeding.'' The Duo app is available from Apple's App Store for iPhone, iPad and/or Apple Watch, from Google Play for Android devices or from the Microsoft Store for Windows phones. === 1. Welcome Screen === [[Image(enroll1.png)]] === 2. Choose Your Authenticator (device) === Select the type of device you'd like to enroll and click '''Continue'''. We recommend using a smartphone for the best experience, but you can also enroll a landline telephone, a U2F token, or iOS/Android tablets.[[BR]] [[Image(enroll2.png)]] === 3. Type Your Phone Number === Select your country from the drop-down list and type your phone number. Use the number of your smartphone, landline, or cell phone that you'll have with you when you're logging in to a Duo-protected service. You can enter an extension if you chose "Landline" in the previous step.[[BR]] Then double-check that you entered it correctly, check the box, and click '''Continue'''.[[BR]] [[Image(enroll3.png)]] === 4. Choose Platform === Choose your device's operating system and click '''Continue'''.[[BR]] [[Image(enroll4.png)]] === 5. Install Duo Mobile === Why use Duo Mobile? • It's fast & easy • Works in any country • Doesn't require cell service Duo Mobile is an app that runs on your smartphone and helps you authenticate quickly and easily. Without it you'll still be able to log in using a phone call or text message, but for the best experience we recommend that you use Duo Mobile. Follow the platform-specific instructions on the screen to install Duo Mobile. After installing our app return to the enrollment window and click '''I have Duo Mobile installed'''.[[BR]] [[Image(enroll5.png)]] === 6. Activate Duo Mobile === Activating the app links it to your account so you can use it for authentication. On iPhone, Android, Windows Phone, and BlackBerry 10, activate Duo Mobile by scanning the barcode with the app's built-in barcode scanner. Follow the platform specific instructions for your device:[[BR]] [[Image(enroll6A.png)]][[BR]] The "Continue" button is clickable after you scan the barcode successfully.[[BR]] [[Image(enroll6B.png)]][[BR]] '''Can't scan the barcode?''' Click '''Or, have an activation link emailed to you instead.''' and follow the instructions. === 7. Configure Device Options (optional) === You can use '''Device Options''' to give your phone a more descriptive name, or you can click '''Add another device''' to start the enrollment process again and add a second phone or another authenticator. If this is the device you'll use most often with Duo then you may want to enable automatic push requests by changing the '''When I log in:''' option and changing the setting from "Ask me to choose an authentication method" to "Automatically send this device a Duo Push" or "Automatically call this device" and click '''Save'''. With one of the automatic options enabled Duo automatically sends an authentication request via push notification to the Duo Mobile app on your smartphone or a phone call to your device (depending on your selection).[[BR]] [[Image(enroll7A.png)]][[BR]] Click''' Continue to login''' to proceed to the authentication prompt.[[BR]] [[Image(enroll7B.png)]] === Congratulations! === Your device is ready to approve Duo authentication requests. Click Send me a Push to give it a try. All you need to do is tap Approve on the Duo login request received at your phone. [[Image(enroll8.png)]] === Add or Manage Devices === You can add a new authentication device or manage your existing devices in the future via the authentication prompt. Otherwise, contact your organization's Duo administrator if you ever need to change your phone number, re-activate Duo Mobile, or add an additional phone. ---- *Modified with permission of Duo from https://guide.duo.com/enrollment === Use !YubiKey for 2FA === 1. Obtain a !YubiKey supporting OTP in form factor that works for you: https://www.yubico.com/products/yubikey-hardware/ 2. Download the !YubiKey Personalization Tool: https://www.yubico.com/support/knowledge-base/categories/articles/yubikey-personalization-tools/ 3. Configure your !ubiKey for OTP in one of its two (virtual) slots* (generally shipped already programmed for OTP in slot 1) using the Duo guide: https://duo.com/docs/yubikey 4. Send the CSV string with digital serial no, 6 byte private id, 16 bit secret key (like this:) {{{4475749, e7 fe 84 57 55 d4, 81 84 65 01 22 db e5 00 57 f9 68 92 7f 22 4b 6a}}} [[BR]] to IAM or Security, noting your UA Username, which is the Duo account to which the token will be attached. 5. IAM or Security will upload the CSV string to import your token, and assign it to your ID at Duo[[BR]] 6. When integrated (step 5), you can use the YubiKey to send the second factor passcode 6.1 for web logins using Chrome browser, touch the key when presented with the second factor dialog box; there is a tell-tale message in blue banner in the pane: image.png 6.2 for VPN login: In the password field type your password followed by comma then touch your key*; that is, {{{password,}}} then touch your key, which enters a one-time passcode. *Which of the !YubiKey's two (virtual) slots is used is determined by the duration of your touch. The first slot is used to generate the output when the YubiKey button is touched between 0.3 to 1.5 seconds and released and the second slot is used if the button is touched between 2 to 5 seconds.