Duo Authentication for OIT Managed VPN at UCI

What is Multi-Factor Authentication and why is it important?

First we should define "authentication". Authentication is the act of verifying that an identity is who it claims to be. Commonly this is done with a password tied to a username, which in theory only the owner of that username knows. This gives a low level of assurance, because it is entirely possible for someone else to learn that password and impersonate the user: the password may have been weak and guessed or brute-forced, or stolen by a keylogger, a phishing email, or the compromise of another system where the same password was reused. Whatever the reason, passwords are compromised constantly, and that leaves every system protected only by a password open to compromise as well.

The example above is "single-factor" authentication. A "factor" is a category of evidence used to authenticate, commonly a knowledge factor (something only the user knows), a possession factor (something only the user has), or an inherence factor (something the user is, such as a biometric). "Multi-factor" authentication requires two or more of these factors to be verified successfully and so offers a much higher level of assurance. In the example above, an attacker would have to steal the password and also obtain something the user physically possesses, or impersonate who the user physically is, which is far less likely to occur. It also increases the accountability of the user and helps in auditing, because the likelihood that someone else was using the account is much lower.

At UCI the goal is to offer multi-factor authentication to all users and systems, starting with the assets at highest risk from authentication compromise, because simple password authentication is no longer secure enough on its own. UCI is using Duo Security as its multi-factor authentication solution. With Duo Security, you combine something you know (your password) with something you have (a mobile device or hardware token) to prove you truly are who you say you are.

Obtaining a Duo Security Token

To become a Duo multi-factor authentication user (with either a hardware or a software token):

  1. Complete, agree to, and submit the UC Irvine Duo Security Token Agreement Form (UCI Google Account login required; sign up here if you haven't set one up yet)
  2. Have your UCI IT contact email security@uci.edu to authorize and request a token for you
  3. A Duo Security token is then assigned. Whether you receive a hardware or a software token depends on availability.

Initial Token Setup Instructions

Software Token Setup

  1. You will receive an email from Duo Security with two steps.  It is best to open that email on the device you want to configure to use Duo.
    1. STEP 1: The first links are to download the Duo Mobile application based on the device platform you specified (i.e. Apple AppStore for iOS, Google Play for Android, etc).
    2. STEP 2: Once the Duo Mobile application is installed on your mobile device, the second link is to activate the Duo Mobile app specific to your user and device (if you're reading the email on your device) or to scan a QR Code (if you're reading the email from a computer).
  2. You can then test it by going to the test Duo-protected webpage below.

Hardware Token Setup

  1. Hardware tokens must be picked up from the OIT Security group, located on the 6th floor of the Science Library.
  2. Once the hardware token is issued to you, it is already configured and ready to use. You can then test it by going to the test Duo-protected webpage below.

Testing Your Token

  1. The following Duo-protected webpage can be used to verify your token is working: https://thea.adcom.uci.edu/DuoSupportDesk/testToken.htm

General Usage Information

  • Duo Guide to Two-Factor Authentication
  • Keep your Duo Security token in a safe place: either with you at all times, or somewhere you will not forget it when you need access to systems from work or home
  • Duo Security requires two factors being authenticated before you are allowed to progress:
    • First Factor = the normal native password you have been using to access the system
    • Second Factor = the Duo Security Passcode or Duo Push Response
      • Examples (screenshots): a Duo passcode shown on a hardware token, a Duo passcode shown in the Android mobile app, and a Duo Push prompt in the Android mobile app
  • A passcode on a Duo Security token changes every 60 seconds.
  • A passcode can only be used once. If you need to authenticate again, wait until the token displays a new passcode.
  • By policy, accounts lock out after 5 failed login attempts.
  • If you need your account reactivated after a lockout, or you've lost or forgotten your Duo Security Hardware or Software token, or have any problems related to Duo Security Authentication, please contact your UCI IT contact for assistance.
  • Duo Security tokens generate passcodes on the device itself; they do not communicate with a central server and do not need internet connectivity for standard use. The Duo Push feature of the software token, however, does require the mobile device to have a data connection.
  • Here is generic information (.pdf) about Two-Factor Authentication via SANS (calling the process two-step verification)

Common Usage: Step-by-step Instructions

VPN

Note: This is a sample of using an OIT Managed VPN; each VPN setup may look slightly different.

  1. Start the AnyConnect client, type in the address of the VPN server you want to connect to, and click Connect.
  2. On the next screen, choose the tunnel group you need from the Group dropdown. Enter your username, then both factors in the same window: the first factor is your UCInet password, and the second factor is your Duo passcode, or the word "push" if you have Duo Push enabled.
  3. Once you enter the correct credentials, or approve the push request on your mobile device, you will have successfully authenticated to the VPN.

Other Possible Usage: Step-by-step Instructions

WebAuth

  1. When you get redirected to WebAuth from a web application that is enforcing multi-factor authentication, you will first see a WebAuth login page. Login with your UCInetID and Password.


  2. After a successful first-factor login, you will be presented with the second-factor login. You can choose the type of phone device and then either Duo Push or a passcode. The example shown uses "Android" as the device. If you choose Duo Push, press the "Log in" button and approve the request on your mobile device. Otherwise select "Passcode", enter the passcode currently displayed on your hardware token or mobile app, then press the "Log in" button.
  3. Once you enter the correct passcode, or approve the push request, the WebAuth page will redirect you back to the application you came from, successfully authenticated.

Unix SSH

Note: This is a sample of using an ssh session; your setup may look slightly different.

  1. Open an SSH terminal session to the Unix system you want to log into. You will first be presented with the familiar Unix login prompt. Enter your Unix username and password here (how first-factor Unix authentication is set up varies between environments; ask your system administrator for specifics).

  2. After a successful first-factor login, you will be presented with the second-factor prompt. Enter the passcode currently displayed on your hardware token or mobile app, or, if you have Duo Push enabled, type "1" and a push request will be sent to your mobile device for approval.

  3. Once you enter the correct passcode, or approve the push request, you will have successfully authenticated into the Unix system.