Multifactor Authentication
About Duo Multifactor Authentication at KU
Data breaches make headlines almost daily. The most common point of entry for attackers is stolen credentials. Multifactor authentication (MFA) strengthens protections by requiring an additional layer of security beyond username and password when accessing systems. KU has partnered with Duo to provide multifactor authentication on the Lawrence/Edwards campus.
Duo multifactor authentication is required for:
- All KU faculty and staff
- All KU students
- Sponsored Temporary Account holders
What is Multifactor Authentication?
MFA is the process of confirming a person’s identity using multiple pieces of evidence to verify who they are when accessing systems. This evidence is typically something they know, such as a username and password, and something they have, such as a device with a code or app.
How Does Duo Work?
Once you are enrolled and have set up Duo, log in to any KU system via single sign-on (SSO) as usual. After entering your KU Online ID and password, you will be prompted to verify your identity using Duo. Confirm your identity through the Duo app, and you will be logged in. It’s that simple! Using the Duo app on your smartphone is the easiest and most convenient way to confirm your identity. If the mobile app is not an option for you, please contact your IT Support Staff or the IT Customer Service Center to discuss your options.
Beware of Fake Approval Requests!
If you receive a Duo notification that you didn’t initiate, it probably means your KU Online ID and password have already been compromised and a hacker is trying to access your account. Contact KU IT immediately at 785-864-8080!
- DO NOT approve any Duo push or phone call notification you receive unless you are actively logging in to a system.
- NEVER provide a Duo code to anyone who requests one. Duo codes are only to be entered into a verified KU login page. When logging in, double-check the URL of the page to ensure it is an authentic KU website (i.e., URL ends in “ku.edu”).
Why is KU Using Multifactor Authentication?
Collectively as an institution and as individuals we have a legal and ethical obligation to protect private, confidential and sensitive data to the best of our ability. In an increasingly complex digital world, username and password alone are not enough to stop hackers and data thieves. Multifactor authentication using Duo gives KU an affordable and simple way to ensure all faculty and staff can do their part to protect their own data, as well as that of colleagues, students and other stakeholders.
Can I Use Duo on My Personal Accounts?
Absolutely! We encourage you to use multifactor authentication on any personal accounts (e.g., banks, credit cards, social media, etc.) that provide the option. And, in most cases, you can use Duo to access those accounts. Duo provides information for using the app with other online services and accounts.
More Info from Duo
Frequently Asked Questions
The following groups who are part of the Lawrence and/or Edwards campuses are required to use multifactor authentication:
- Students
- Faculty and staff
- Individuals who use sponsored temporary accounts (STA)
KU retirees are exempt and are not required to use multifactor authentication.
If you will be traveling internationally, prepare in advance to use Duo to access KU systems outside the United States:
- We encourage you to contact the IT Security Office at itsec@ku.edu for a Duo consultation prior to international travel.
- If your current mobile device isn't configured for service in your destination country, you will only be able to receive push notifications if you are connected to WiFi.
- If you will be using an alternate mobile device during your travels, be sure to add it to your Duo account as a secondary device.
- If you don't have cell service or WiFi when traveling, you can use passcodes generated by the Duo app on your mobile device.
- If you can receive texts on your mobile device, you can request a set of 10 passcodes to be used for logging in. You can request the passcodes prior to departure, and they will be valid for 30 days.
- As a final option, you can request a hardware token that generates passcodes when traveling. Contact the IT Security Office at itsec@ku.edu for more information.
- Configure access to your mobile device with a biometric (fingerprint or facial recognition), passcode or other login method to prevent unauthorized access to Duo if your device is lost or stolen.
Duo access is blocked in select international locations:
Like many platforms licensed by KU, Duo complies with United States regulations related to embargoed countries and regions. As required by the U.S. Department of Treasury’s Office of Foreign Assets Control, Duo currently prohibits the unauthorized use of its products or services. KU users attempting to authenticate to a Duo-protected application from a device with an IP address originating in an OFAC-regulated country or region will be blocked from completing their login and receive an error message.
Please contact the Office of Global Operations & Security (GOS) at gos@ku.edu if traveling to a restricted country.
Passwords are easily compromised. They’re no longer enough to protect personal, sensitive or financial information. KU’s data includes YOUR data—academic information, employment information, health information, etc. A large security breach could affect the University’s finances and reputation, as well as the personal, financial and academic information of students, faculty, staff and other stakeholders.
Mobile phones are the most popular choice for multifactor authentication because of the convenience. Most people seldom go anywhere without one. If using a mobile phone isn’t an option for you, contact your IT Support Staff to discuss other options.
You probably already use your phone for a work-related purpose, if only to check email or let your boss know that you’ll be out sick. General concerns about the use of a mobile phone for your job, however, should be discussed with your supervisor. KU considers the use of your phone for multifactor authentication incidental, much like the incidental use of a KU computer for checking personal email or internet browsing.
Yes. You can use a Duo display token to generate codes for logging in. However, display tokens can be forgotten, lost and/or become out of sync. For this reason, we recommend using the Duo mobile app. The Duo app will work on a smartphone even if you have no cell service or Wi-Fi coverage. When you’re logging in, choose “Enter a Passcode.” Then, open the Duo app, tap the KU logo and enter the passcode shown.
We strongly recommend that you use the Duo app because it will make your life easier. Most of us keep our mobile devices with us at all times, or have them nearby. Duo display tokens can end up in the washing machine, slip out of pockets or get out of sync if pressed incidentally.
Assume that someone is trying to illegally access your account and do the following:
- Choose “Deny” in the Duo app to block the request, then
- Call the KU IT Customer Service Center at 785-864-8080 and report the attempt!
If you need Duo multifactor authentication reissued on a new device or you had to reinstall the Duo app on an existing device, contact the IT Customer Service Center at itcsc@ku.edu or 785-864-8080.
You will need to answer the following:
- Is the phone number of the new device the same as the previous device?
- What is the OS of the new device?
The IT CSC will then reissue the Duo multifactor authentication.
According to Duo, “its authentication and self-enrollment features are compatible with screen readers such as NVDA and VoiceOver on PCs and Macs. Additionally, Duo Mobile app is accessible to voiceover functionality on Apple and Android devices. Duo has also made all the authentication and self-enrollment features accessible by keyboard for people with limited motor skills.”
If you have questions or concerns about accessibility, or need an accommodation, please contact the IT Customer Service Center at 785-864-8080 or itcsc@ku.edu.
No. The Duo app does not give the University access to your mobile device and does not provide any control over the mobile device. During the multifactor authentication process, the only information provided to the University is that the authentication was completed. For more information, see Duo’s privacy policy.
No. The use of personal phones for work-related matters does not make the phone a University phone. It would, however, make records on that phone of work-related matters subject to the Kansas Open Records Act (KORA), but those records would already be covered under KORA. A Duo Mobile code, however, would not be something KU would produce (or ask an employee to produce), any more than KU would seek to obtain or reveal an employee’s password. The use of personal phones for multifactor authentication would do nothing to expand the reach of KU’s open records obligations.
Most enterprise applications at KU will require multifactor authentication, including HR/Pay, Enroll & Pay, myKU, myIdentity, myTalent, CMS website administration, Canvas, myCommunity (SharePoint), and others.
Duo is also required when using the KU Anywhere VPN.
When you authenticate with Duo, there will be an option to select "Remember Me." If you select Remember Me, then you will not be required to use Duo for the next 30 days as long as you are logging in from the same device using the same browser (see note below). Please be aware that the 30-day time frame may change in the future depending upon KU’s security needs.
Note: There are two cases where you will have to use Duo every time you log in. First, the KU Anywhere VPN will require you to use Duo each time you authenticate. There is no “Remember Me” option for the VPN. Second, you will be required to use Duo every time you log in to a classroom computer, even if you’ve logged in to that machine before.
Yes, you will be required to use Duo every time you log in to a classroom computer. Multifactor authentication is connected to your role as a faculty or staff member, not to the computers you use.
Please note that the “Remember Me” option will not work because classroom computers are reset when you log off.