Duo Two-Factor Authentication
Two-factor authentication (2FA) adds an extra layer of security to your online accounts. Verifying your identity using a second factor, like your phone or other mobile device, prevents anyone but you from accessing your account, even if they know your password.
Why Do I Need Two-Factor Authentication?
Because passwords are increasingly easy to compromise, 2FA is being implemented to provide an additional layer of security, thus protecting your account from unauthorized use and allowing you to have real-time control over log in events on your account. With Duo, you will be alerted on your mobile device anytime anyone attempts to log in as you. You can "Approve" the access if you are logging in OR "Deny" if you were not actively logging into your account..
This enhancement is separate and independent from your UTEP username and password; thus Duo never sees your password.
How Does Two-Factor Authentication work?
Once you have successfully enrolled in Duo you are ready to start using it. Just log in using your UTEP username and password, and you will be prompted via your mobile device to approve access to your account. Your administrator can set-up the system to do this via SMS, voice call, one-time passcode, the Duo Mobile smartphone application, and so on.
What if I do not have a smart phone?
No mobile phone; no problem! You can use a landline or tablet. Duo is very flexible and allows you to link multiple devices to your account so that you can use your mobile phone and a landline, two different mobile devices, etc.
If you log into Peoplesoft or VPN from off campus, you will be forwarded to the two-factor authentication screen.
NOTE: It is important to note that if you have recently changed your UTEP password you will need to first manually delete your old UTEP password stored in the GlobalProtect VPN application, then re-authenticate with your new password. To do this, right-click on the GlobalProtect icon located in your system tray, select "Show Panel", then click on the icon located to the right of your username on the far-right side of the pop-up to delete your saved password. Close the pop-up, relaunch the application, and provide your new password when prompted.
Are there different authentication methods; how can I authenticate if I am traveling abroad or do not have cell or data service?
There are several options for using Duo 2FA if you have no cell or data service on your mobile device. Note that you must be fully registered in Duo and have the Duo Mobile application installed on your smartphone or tablet for these options to work.
- You can generate a Duo Mobile passcode on your mobile device. This does not require you to have Internet connectivity or cell service. You can simply tap on the account you want to access to generate your code. To do this, open the Duo Mobile application on your mobile device. Next tap on the down arrow next to "DUO-PROTECTED UTEP". This will generate a one-time passcode. When prompted, do not include the space between the passcode. Example: 123 456 => enter as 123456 for authenticating.
- If you do not have a cell phone, you may request a hardware token. By pressing its button, it generates a code for authenticating.
- With CISO approval, you may be issued a temporary bypass code. A business justification must be submitted at least a week prior to travel departure or the reason for needing a bypass code. Please provide travel dates and location, or duration for other business justification provided not involving travel abroad.
- Append Mode may only be used when using remote VPN application. Applications and devices that do not support the inline Duo Prompt or a secondary passcode field can use Append Mode. You will enter both your password and authentication method into the password field. For more information please visit https://guide.duo.com/append-mode.
Two-Factor log in example:
After you log in, a message will pop-up asking you which method of notification you prefer. Your options are "Send me a Push" (Preferred); "Call Me"; or "Enter a Passcode". Note that the example below is shown when one device has been registered; a slightly different version is shown when more than one devices are registered.
You will then be presented with the following prompt on your mobile device; you have the option to either "Approve" the log in attempt, OR "Deny" the log in attempt if you did not initiate it.
Click your device to learn more: