Q: How do I login to MIT services that leverage Duo two-factor authentication?
- 1 Authenticating via Touchstone with the Duo authentication requirement enabled
- 1.1 Duo Push
- 1.2 Phone Call
- 1.3 Passcode
- 2 Connect to a Duo-protected VPN account with Cisco AnyConnect
- 3 Connect to a Duo-protected Microsoft Windows machine with Remote Desktop Connection (RDP)
- 4 Acquire Kerberos tickets for a Duo-protected principal using kinit
- 5 Additional Information
Authenticating via Touchstone with the Duo authentication requirement enabled
- Launch a webpage that requires Touchstone authentication and begin to authenticate as normal
- Once you have completed the Touchstone authentication steps (via certificates, Kerberos tickets, or Kerberos username and password), you will be prompted for Duo authentication
- Select your Device and choose a Method
Method:
- Duo Push (smartphones with Duo app installed)
- Phone Call (default for landline)
- Passcode (request via SMS or from mobile app)
Duo Push
- A request will be sent to your mobile device via the Duo app
You must have an active mobile (cellular) or Wi-Fi connection to receive this request
- Tap Approve on your Mobile Device's Duo app
- Result: Your web browser's Touchstone session should automatically complete authentication
If your mobile phone doesn't automatically show the Duo Push request, you can force a refresh of push requests by tapping and dragging the "MIT" account downwards on your phone.
Phone Call
- An automated attendant will call your phone
- Answer and wait for the Duo automated message to begin playing
- Push any valid dialpad key on your phone (0-9, # or *) and hang up
- Result: Your web browser's Touchstone session should automatically complete authentication
Passcode
- Request a new passcode
- Enter the passcode obtained from the Duo Mobile App or from the SMS message
If using SMS, the Touchstone login page will tell you which code to use: Next SMS passcode starts with ...
- Click Login
- Result: Your web browser's Touchstone session should automatically complete authentication
If you type the incorrect passcode, you will be prompted to enter the correct one or you can choose another device or method
Connect to a Duo-protected VPN account with Cisco AnyConnect
- Launch Cisco AnyConnect.
- Make sure the address listed is vpn.mit.edu/duo and click Connect.
- When prompted, enter your MIT username and password.
- In the field labeled "Second Password" you can enter one of the following options:
- push - Duo will send a push notification to your registered cell phone with the Duo Security mobile app installed
- sms - Duo will send an SMS to your registered cell phone
- call - Duo will call your registered cell phone
- The one-time code generated by your hardware token or the Duo Security mobile app (the code changes every 60 seconds)
In this example, we've entered "push" in the "Second Password" field.
- In this example, you will receive a push notification on your cell phone. Click Approve.
- Cisco AnyConnect should now present you with the MIT VPN banner and the VPN connection will complete.
Connect to a Duo-protected Microsoft Windows machine with Remote Desktop Connection (RDP)
- Launch Microsoft Remote Desktop and enter the hostname or IP address of the machine you wish to connect to (note: you may have to connect to MIT's VPN service to use RDP).
- When presented with the Windows login screen, enter your MIT username and password.
- In the field labeled "Second Password" you can enter one of the following options:
- push - Duo will send a push notification to your registered cell phone with the Duo Security mobile app installed
- sms - Duo will send an SMS to your registered cell phone
- call - Duo will call your registered cell phone
- The one-time code generated by your hardware token or the Duo Security mobile app (the code changes every 60 seconds)
In this example, we've entered "push" in the "Second Password" field.
- In this example, you will receive a push notification on your cell phone. Click Approve.
- The remote Windows system should now complete authentication and the Remote Desktop Connection will complete.
Acquire Kerberos tickets for a Duo-protected principal using kinit
- Log into an Athena machine (e.g. ssh athena.dialup.mit.edu).
- Initiate Kerberos ticket acquisition (e.g. kinit username/root) and enter your Kerberos password when prompted.
Note: not all Kerberos accounts will be protected with Duo. Typically, only root accounts or users with escalated privileges will be protected with Duo.
- The Duo two-factor system will now challenge your login asking for a method to contact you. You can hit the "Enter" key to see all the options available to you. By default, option "1" will send a push notification to the Duo mobile app.
In this example, we've entered "1" as the option.
Note: You will not see any input on the screen as you type.
- Duo will now output, "Press return after completing Duo authentication."
- In this example, you will receive a push notification on your cell phone. Click Approve.
- Back in your console window, press the "Enter" key.
- If you have not received any error messages, you should be back at the > prompt and have valid Kerberos tickets.
- You can view your Kerberos tickets by running klist from within your console window.
Additional Information
- More documentation can be found on the vendor's website.
- Users that need additional help with Duo can contact the Help Desk.