Q: How do I login to MIT services that leverage Duo two-factor authentication?
On this page:
Authenticating via Touchstone with the Duo authentication requirement enabled
- Launch a webpage (Chrome, Firefox, Safari and Internet Explorer), that requires Touchstone authentication and begin to authenticate as normal
- Once you have completed the Touchstone authentication steps (via Certificates, kerberos tickets or kerberos username and password), you will be prompted for Duo Authentication
- Select your Device and choose a Method
Method- Duo Push (smartphones with Duo app installed)
- Phone Call (default for landline)
- Passcode (request via SMS or from mobile app)
- (Optional) Remember this device for 30 days: If you choose this, Duo will treat your device as "trusted".
Duo Push
- A request will be sent to your mobile device via the Duo app
You must have an active mobile (cellular) or wifi connection to receive this request - Tap Approve on your Mobile Device's Duo app. It should look similar to one of these:
|
- Result: Your web browser's Touchstone session should automatically complete authentication
If your mobile phone doesn't automatically show the Duo Push request, you can force a refresh of push requests by tapping and dragging the "MIT" account downwards on your phone.
Phone Call
- An automated attendant will call your phone
- Answer and wait for the Duo automated message to begin playing
- Push any valid dialpad key on your phone (0-9,# or *) and hang-up
- Result: Your web browser's Touchstone session should automatically complete authentication
Passcode
- Request a new passcode
On the Duo Mobile App, you can click the key icon to the right of MIT to display a current passcode
For a mobile phone that can accept SMS messages, you can request SMS passcodes by clicking the link underneath the passcode prompt in the Touchstone authentication window
- Enter the passcode obtained from the Duo Mobile App or from the SMS message
If using SMS, the Touchstone login page will tell you which code to use: Next SMS passcode starts with ...
- Click Login
- Result: Your web browser's Touchstone session should automatically complete authentication
If you type the incorrect passcode, you will be prompted to enter the correct one or you can choose another device or method
Connect to a Duo-protected Microsoft Windows machine with Remote Desktop Connection (RDP)
- Launch Microsoft Remote Desktop and enter the hostname or IP address of the machine you wish to connect to (note: you may have to connect to MIT's VPN service to use RDP).
- When presented with the Windows login screen, enter your MIT username and password.
- In the field labeled "Duo Password" you can enter one of the following options:
- push - Duo will send a push notification to your registered cell phone with the Duo Security mobile app installed
- sms - Duo will send an SMS to your registered cell phone
- phone - Duo will call your registered cell phone
- The one time code generated by your hardware token or the Duo Security mobile app (the code changes ever 60 seconds)
In this example, we've entered "push" in the "Duo Password" field.
'How to call different devices'
If you have multiple devices that can use the same method, for instance two mobile phones or two phones that can receive phone calls, you can reference them by different numbers. For instance, to call the top device on your managed devices page (http://duo.mit.edu), you can use 'phone' (for the default) or 'phone1' to call the second phone, you can use 'phone2'.
- In this example, you will receive a push notification on your cell phone. Click Approve.
- The remote Windows system should now complete authentication and the Remote Desktop Connection will complete.
Acquire Kerberos tickets for a Duo-protected principal using kinit
- Log into an Athena machine (e.g. ssh athena.dialup.mit.edu).
- Initiate Kerberos ticket acquisition (e.g. kinit username/root) and enter the appropriate Kerberos password when prompted.
Note: not all Kerberos accounts will be protected with Duo. Typically, only root accounts or users with escalated privileges (e.g. username/root or username/extra) will be protected with Duo.
- The Duo two-factor system will now challenge your login asking for a method to contact you. You can hit the "Enter" key to see all the options available to you. By default, option "1" will send a push notification to the Duo mobile app.
In this example, we've entered "1" as the option.
Note: You will not see any input on the screen as you type. - Duo will now output, "Press return after completing Duo authentication."
- In this example, you will receive a push notification on your cell phone. Click Approve.
- Back in your console window, click the Enter key.
- If you have not received any error messages, you should be back at the > prompt and have valid Kerberos tickets.
- You can view your Kerberos tickets by running klist from within your console window.
Also See
Configuring MacPorts Kerberos for Duo Authentication
1 Comment
comments.show.hideMay 09, 2013
Jacob Morzinski
If your Duo app does not receive push notifications, it might mean your phone lost its network connection. Try turning Wifi off and on. Or try using the six-digit entry code instead of using push notification.