Support

Last Update: 2018-10-25

**** PLEASE DO NOT CREATE YOUR OWN VERSION OF THE TWO-FACTOR WEB SITE! ****

This page intended for support staff.
Lots of useful information here for customers to help themselves.
See factoid list towards bottom.

UF Bronze Assurance and the following UF Affiliations are expected/eligible to use Two-Factor Authentication:

Most Faculty, Staff, and Affiliates will use Two-Factor Authentication to access University resources.  Eventually, Students will be included in the use of Two-Factor.  All compromised accounts eligible for Two-Factor must enroll.  Such accounts not responding to requests to enroll will be forced.

IDM Coordinators need to ensure people have a Level of Assurance (LOA) of at least UF Bronze by updating data using the Manage Identity Information tool in myUFL.  It takes about 15 minutes to see a change in LOA.  When someone has enrolled in Two-Factor their assurance level will be made UF Blue.  UF FISMA Moderate (UFM) and UF Blue are not the same. An Identity can possess both UFM and UF Blue simultaneously but UFM is shown by various Identity Management toolsets as it is the higher assurance profile.

Note: It is important for people to have the proper LOA and affiliations noted above as these are checked when attempting to access the enrollment service My Two-Factor.  If someone loses their affiliation or changes their data so they drop their LOA as well then they will lose access to My Two-Factor.  The Two-Factor authentication will continue to function as long as the username remains active.

To help DSAs, Identity Coordinators, Security Approvers and ISMs figure out who in your areas have increased security and responsibilities at the University we have created two reports available via "myUFL >> Enterprise Reporting >> Access Reporting >> Application Access" folder related to Password-level and roles to help you identify who in your areas of responsibility should be targeted sooner rather than later.  These reports have the name “P-Level” in them.  One allows you to find everyone with a specific P-Level and the other allows you to drill down into P-Level and Roles.  You may want to target those with P-Levels of 4 and 5 first.  Again, please work with your local IT support people and your management to start thinking through when and how you want to encourage your areas to enroll in Two-Factor.

Customers insisting not to use their personal smartphone with the Duo Mobile app and cannot make use of additional telephone devices should contact a help desk during normal business hours to obtain a security key.  Customers MUST first enroll in Two-Factor in order to get a key assigned by either Help Desk.

Browser usage: Many people at UF have been trained or encouraged over the years to open their browser, perform whatever function involving a login and then quit their browser.  This negates the Single Sign-On benefits, and with Two-Factor it means they will be annoyed with the number of times they have to perform the Two-Factor authentication.  We should be encouraging people to not close their browsers for the duration of their work during the day and to make appropriate use of screen locking mechanisms to protect their workstations.

1. https://guide.duo.com/ is a very handy resource.  Not all features shown in the guide are implemented at University of Florida.
2. My Two-Factor self-service device management/enrollment is always recommended so our customers can help themselves.  Calls to a Help Desk regarding lost/forgotten devices will result in a temporary passcode given and assistance with using My Two-Factor so the customer can add a local device (likely a phone) to be able to continue to work.
3. https://account.it.ufl.edu also has a link to reach Two-Factor device management and web site.
4. Always advise to register multiple devices via My Two-Factor to avoid being locked out and having to call the Help Desk.
5. Any device can be shared amongst people. Smartphones, landlines, tablets like iPads, security keys, etc.
6. A smartphone of one person can also be used by another.  Duo Push notifications indicate to whom the push applies and one should verify each push properly identifies who is authenticating.  Unexpected push notifications should be denied.
7. Calls placed to a phone should be denied if they are not expected.
8. Lockout will occur after 10 failed Two-Factor attempts.  The customer will be locked out for 10 minutes and will then be able to retry use of Two-Factor.
9. When using SSO via login.ufl.edu, if "Enter a Passcode" is selected, notice the ability along the blue help bar where you can text to yourself new passcodes.  You will get 5 codes which must be used in order.  First code begins with 1, then 2, and so on.  SMS Passcodes are currently valid for 5 days.  A new SMS with 5 passcodes is automatically sent when the 5th passcode is used.
10. See Using Two-Factor for help on how to use various Two-Factor enabled apps and services.
11. VPN (vpn.ufl.edu) and Two-Factor use is described at Using Two-Factor.
12. Passcode needed? The Duo Mobile app  generates a passcode to be used if the phone cannot be used for Push or during a loss of data connectivity.  In this mode, it behaves just like a hardware security key.  vpn.ufl.edu users may append this passcode to their password like password,passcode without spaces after the password.
13. Duo Mobile app: Backup and Recovery:  This feature will save time and confusion when a new phone needs to be configured and Duo Mobile is restored using iCloud or Google Play.  Encourage everyone to configure this feature in IOS and Android.  IOS: enabled if the device is backed up with iCloud.  Android: see Settings > Duo Restore.  See reactivating Duo Mobile.
14. Third Party Two-Factor: The Duo Mobile app can be used to manage third party accounts.  Click the + icon near the upper right of the app and then select the NO BARCODE? button and you will see a list of third party providers.  Choose Other for a provider not listed.
15. Offices not "allow"-ing personal cell phone use may need to reconsider their policies in light of Two-Factor.
16. Some offices have people who "float" and sit at different workstations or shared desks.  Each office phone should be added as a device for each person so they can use it as a Two-Factor device.
17. Wi-Fi/Wireless: Many people do NOT turn on Wi-Fi for their smartphones and end up complaining about connectivity problems to offices and conferences rooms.  The best solution is to turn on Wi-Fi.  Go to https://getonline.ufl.edu/ from the browser on the smartphone.
18. Our Web SSO environment is configured to offer a session for 10 hours.  An SSO event is any attempt for an application to authenticate which results in either the user authenticating or returning to the application from login.ufl.edu to continue with the SSO session.  If an SSO event doesn't happen for 2 hours, the user will have to authenticate again - going through a two-factor authentication.  Sometimes, due to bugs in our current login.ufl.edu software, no password prompt occurs but a two-factor prompt does.  Under normal circumstances - both the first factor (the password prompt) and the second factor prompt would occcur.
19. The myUFL 40 minute timeout has been removed.  See the "Browser Usage:" note above.
20. UF Identity Services is working with UF Health IT to implement Duo for UF Shands/Jax such that those members of the community using Two-Factor protected resources anywhere in UF would be using the same devices as we would be all using the very same Duo instance.  If we don't do this than those accessing protected resources in both environments would have to double register and manage with each Two-Factor environment and we all understand this would upset the several thousand people who straddle both UF University and Health resources.
21. Security Keys: a security key can get out of sync with the Duo server because the button gets pressed too many times accidentally.  Invalid code is the usual error seen when a passcode is entered from a device that is out of sync.  If one enters in a new passcode (a 2nd time) they will then get another error.  Then enter in a one more new passcode (now the 3rd time) and the device will now be brought back in sync with the Duo server and will be accepted as a valid passcode.  This is the fastest way to get the device back in sync.  If it doesn't work, try one more time giving 3 new passcodes.  If it still doesn't work, then bring the device to the Help Desk.