Multi-factor Authentication


Data breaches make headlines almost daily. The most common point of entry for attackers is stolen credentials. Multi-factor authentication (MFA) strengthens protections by requiring an additional layer of security beyond username and password when accessing systems. KU has partnered with Duo to provide multi-factor authentication on the Lawrence/Edwards campus.

Duo multi-factor authentication is required for:

  • Faculty and staff
  • Graduate research assistants, graduate teaching assistants and graduate assistants
  • Individuals using sponsored temporary account (STA)
  • Undergraduate student employees at the request of their department

What is Multi-factor Authentication?

MFA is the process of confirming a person’s identity using multiple pieces of evidence to verify who they are when accessing systems. This evidence is typically something they know, such as a username and password, and something they have, such as a device with a code or app.

How Does Duo Work?

Once you are enrolled and have set up Duo, log in to any KU system via single sign-on (SSO) as usual. After entering your KU Online ID and password, you will be prompted to verify your identity using Duo. Confirm your identity through the Duo app, and you will be logged in. It’s that simple! Using the Duo app on your smartphone is the easiest and most convenient way to confirm your identity. If the mobile app is not an option for you, please contact your IT Support Staff or the IT Customer Service Center to discuss your options.

Beware of Fake Approval Requests!

If you receive a Duo notification that you didn’t initiate, it probably means your KU Online ID and password have already been compromised and a hacker is trying to access your account. Contact KU IT immediately at 785-864-8080!

  • DO NOT approve any Duo push or phone call notification you receive unless you are actively logging in to a system.
  • NEVER provide a Duo code to anyone who requests one. Duo codes are only to be entered into a verified KU log in page. When logging in, double-check the URL of page to ensure it is an authentic KU website (i.e., URL ends in “ku.edu”).

Why is KU Using Multi-factor Authentication?

Collectively as an institution and as individuals we have a legal and ethical obligation to protect private, confidential and sensitive data to the best of our ability. In an increasingly complex digital world, username and password alone are not enough to stop hackers and data thieves. Multi-factor authentication using Duo gives KU an affordable and simple way to ensure all faculty and staff can do their part to protect their own data, as well as that of colleagues, students and other stakeholders.

Can I Use Duo on My Personal Accounts?

Absolutely! We encourage you to use multi-factor authentication on any personal accounts (e.g., banks, credit cards, social media, etc.) that provide the option. And, in most cases, you can use Duo to access those accounts. Duo provides information for using the app with other online services and accounts.

More Info from Duo

Duo's website provides additional information and a self-enrollment video guide to help you register your phone or tablet and activate the Duo Mobile application.
Illustration of table with notebook, laptop and coffee cup with "Duo Self Enrollment"

Setting up Duo

Follow the steps in our set up guide to begin using Duo at KU.
Set up Guide

Frequently Asked Questions

The following groups who are part of the Lawrence and/or Edwards campuses are required to use multi-factor authentication:

  • Faculty and staff
  • Graduate research assistants, graduate teaching assistants and graduate assistants
  • Individuals who use sponsored temporary accounts (STA)
  • Undergraduate student employees at the request of their department

Undergraduate students and KU retirees are exempt and are not required to use multi-factor authentication.

Passwords are easily compromised. They’re no longer enough to protect personal, sensitive or financial information. KU’s data includes YOUR data—employment information, health information, etc. A large security breach could affect the University’s finances and reputation, as well as the personal, financial and academic information of students, faculty, staff and other stakeholders.

According to Duo, “its authentication and self-enrollment features are compatible with screen readers such as NVDA and VoiceOver on PCs and Macs. Additionally, Duo Mobile app is accessible to voiceover functionality on Apple and Android devices. Duo has also made all the authentication and self-enrollment features accessible by keyboard for people with limited motor skills.”

If you have questions or concerns about accessibility, or need an accommodation, please contact the IT Customer Service Center at 785-864-8080 or itcsc@ku.edu.

Mobile phones are the most popular choice for multi-factor authentication because of the convenience. Most people seldom go anywhere without one. If using a mobile phone isn’t an option for you, contact your IT Support Staff to discuss other options.

You probably already use your phone for a work-related purpose, if only to check email or let your boss know that you’ll be out sick. General concerns about the use of a mobile phone for your job, however, should be discussed with your supervisor. KU considers the use of your phone for multi-factor authentication incidental, much like the incidental use of a KU computer for checking personal email or internet browsing.

Yes. You can use a Duo display token to generate codes for logging in. However, display tokens can be forgotten, lost and/or become out of sync. For this reason, we recommend using the Duo mobile app. The Duo app will work on a smartphone even if you have no cell service or Wi-Fi coverage. When you’re logging in, choose “Enter a Passcode.” Then, open the Duo app, tap the KU logo and enter the passcode shown.

we strongly recommended that you use the Duo app because it will make your life easier. Most of us keep our mobile devices with us at all times, or have them nearby. Duo display tokens can end up in the washing machine, slip out of pockets or get out of sync if pressed incidentally.

Assume that someone is trying to illegally access your account and do the following:

  1. Choose “Deny” in the Duo app to block the request, then
  2. Call the KU IT Customer Service Center at 785-864-8080 and report the attempt!

If you need Duo multi-factor authentication reissued on a new device or you had to reinstall the Duo app on an existing device, contact the IT Customer Service Center at itcsc@ku.edu or 785-864-8080.

You will need to answer the following:

  • Is the phone number of the new device the same as the previous device?
  • What is the OS of the new device?

The IT CSC will then reissue the DUO multi-factor authentication.

 

No. The Duo app does not give the University access to your mobile device and does not provide any control over the mobile device. During the multi-factor authentication process, the only information provided to the University is that the authentication was completed. For more information, see Duo’s privacy policy.

No. The use of personal phones for work-related matters does not make the phone a University phone. It would, however, make records on that phone of work-related matters subject to the Kansas Open Records Act (KORA), but those records would already be covered under KORA. A Duo Mobile code, however, would not be something KU would produce (or ask an employee to produce), any more than KU would seek to obtain or reveal an employee’s password. The use of personal phones for multi-factor authentication would do nothing to expand the reach of KU’s open records obligations.

Most enterprise applications at KU will require multi-factor authentication, including HR/Pay, Enroll & Pay, myKU, myIdentity, myTalent, CMS website administration, Blackboard, myCommunity (SharePoint), and others.

Duo is also required when using the KU Anywhere VPN.

When you authenticate with Duo, there will be an option to select "Remember Me." If you select Remember Me, then you will not be required to use Duo for the next 30 days as long as you are logging in from the same device using the same browser (see note below). Please be aware that the 30 day time-frame may change in the future depending upon KU’s security needs.

Note: There are two cases where you will have use Duo every time you log in. First, the KU Anywhere VPN will require you to use Duo each time you authenticate. There is no “Remember Me” option for the VPN. Second, you will be required to use Duo every time you log in to a classroom computer, even if you’ve logged in to that machine before.

Yes, you will be required to use Duo every time you log in to a classroom computer. Multi-factor authentication is connected to your role as a faculty or staff member, not to the computers you use.

Please note that the “Remember Me” option will not work because classroom computers are reset when you log off.