Two-Factor Authentication New Services Onboarding

Overview

Two-factor authentication (2FA), also referred to as multi-factor authentication (MFA), enhances the security of Duck ID authentications for University of Oregon students and staff.

With 2FA, you sign in using both your password and an additional second-factor device, such as your cell phone. Using 2FA helps prove it's really you and prevents others from accessing your Duck ID account. Information Services has partnered with Duo to provide 2FA capabilities.

The Duo implementation at the UO is commonly known as the Two-Step Login service. The Two-Step Login service has been added to both Shibboleth Single Sign-on (SSO) and Microsoft 365/Azure Active Directory authentication services.

With the rise in cyberattacks and phishing scams, the Information Services Security department recommends using 2FA for all UO services. Even if your service cannot integrate with the Two-Step Login service and cannot use the Shibboleth SSO or Microsoft 365 authentication services, all service owners are encouraged to add some form of 2FA to their service's authentication workflow.

This knowledge base article offers service owners assistance in getting started with 2FA.

UO and 2FA to date

The University of Oregon is beginning to require all Duck ID accounts to use Duo when logging in to many services.

Rolling out this login protection to all accounts has been a multi-year effort. In 2019, IS started by enrolling IT staff who have sensitive or elevated permissions in order to do their jobs. In summer 2020, Duo became required for all faculty and staff. In 2021, we are focused on getting all students enrolled in Duo as well. More details on the implementation timeline can be found on the IS projects website.

Members of the UO community who are unfamiliar with 2FA or Duo can access a wealth of documentation in the UO Service Portal. The two most popular articles in the Duo knowledge base category are Getting Started with Two-Step Login (Duo) and Two-Step Login (Duo) FAQ.

Data Classification

Use of 2FA is called for in UO.PR.20 of our UO Minimum Information Security Controls Standard, and prescribed or recommended based on asset classifications defined in the Information Asset Classification & Management policy. The highest classification of information handled by a system will determine the 2FA requirements for that system.

To determine the classification of your data, please refer to the Data Security Classification Table on the Information Security Office website (uoregon.edu).

If you need additional help making this determination, please submit a request through the Information Security Consulting Request form.

Shibboleth SSO Integration

If all of the following statements are true, then your service can rely on Shibboleth Single Sign-On (SSO) integration:

  • The service supports integration with a SAML 2.0 Identity Provider (IdP)
  • The service supports signing (required) and encryption (strongly recommended) of SAML requests and responses
  • The service can produce and supply SAML metadata containing its entityID, bindings, assertion consumer service URL, and signing/encryption certificates (using InCommon is optional)
  • Users authenticating into the service are all managed users within UO Active Directory
  • Users authenticating into the service can provide their Duck ID and password as credentials

In addition to providing a better single sign-on experience for end users, integration with Shibboleth SSO can also be used to add 2FA to authentications. Once a user is Duo enabled, they experience two-factor login with Two-Step Login for all Shibboleth services they access.
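As an added example (not code from the UO article, Duo or Shibboleth), the check below reads a service's SAML 2.0 SP metadata and reports which items of the checklist above are missing before an onboarding request is filed; the sample metadata, its entityID, URLs and certificate are constructed placeholders.

```python
# Added pre-onboarding check: does the SP metadata carry an entityID, an
# AssertionConsumerService with a binding and URL, request signing, and
# signing/encryption certificates? Uses only the standard library.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample SP metadata; entityID, Location and certificate are placeholders.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://app.example.edu/shibboleth">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.edu/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text):
    """Return a list of findings. An empty list means every checklist item is met;
    a missing encryption certificate is reported as a warning (recommended, not required)."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or not root.get("entityID"):
        return ["missing EntityDescriptor/entityID"]
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor"]
    if sp.get("AuthnRequestsSigned") != "true":
        findings.append("AuthnRequestsSigned is not true (request signing is required)")
    # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
    uses = {kd.get("use", "both") for kd in sp.findall("md:KeyDescriptor", NS)
            if kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None}
    if not uses & {"signing", "both"}:
        findings.append("no signing certificate in KeyDescriptor")
    if not uses & {"encryption", "both"}:
        findings.append("warning: no encryption certificate (strongly recommended)")
    acs = [a for a in sp.findall("md:AssertionConsumerService", NS)
           if a.get("Binding") and a.get("Location", "").startswith("https://")]
    if not acs:
        findings.append("no AssertionConsumerService with a binding and an https Location")
    return findings
```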

Azure Active Directory

Azure Active Directory (Azure AD) offers authentication integration for cloud-based services.

If the following are true, Azure AD may provide value:

  1. The service is cloud based
  2. The service vendor has documented Azure integration instructions and requirements
  3. Users authenticating into the service are all managed users within UO Active Directory
  4. Users authenticating into the service can provide their UO email and password as credentials

Azure integrations not currently available:

  • LDAPS connections
  • Azure Domain Services

If you are interested in integrating your service with Azure AD, please submit a request through the New Application Onboarding-Two Factor Support service page.

Duo Direct Integration

If either of the following statements is true, then your service can rely on Duo Direct Integration:

  • The service can call Duo's RESTful API. For more information, please consult the Duo Auth API page from Duo.
  • The service can call Duo's software development kit libraries, providing code-level integration. For more information, please consult the Duo Web v4 SDK - Duo Universal Prompt page from Duo.

If your service is provided by a third party, start by searching the Duo documentation portal to see if articles exist explaining the best Duo integration options.

There are solutions in which Duo acts as an Identity Provider; these integrations are currently not supported. If your application requires this, a Shibboleth SSO or Azure AD integration is likely a better option for you to investigate. Here are more details on the Duo integration not currently available:

After reviewing the knowledge base article, please submit your request to the Two-Step Login (Duo) Support service page. After clicking on Create a Ticket, select the New service integration request option.

Not sure what to do?

If you still have questions or need assistance, click the Request Support button on the New Application Onboarding-Two Factor Support service page.

Details

Article ID: 131904
Created: Mon 4/26/21 4:33 PM
Modified: Thu 5/6/21 12:53 PM