Multi-factor authentication (MFA) adds a strong layer of protection to your login process by challenging you to validate you are you using a phone number you register and a device recognized as yours. Using MFA makes it more difficult for an identity thief to steal your personal information or access the university’s systems. 

Duo Security will be your second proof of identification. To authenticate your login, MFA uses:

• Something you know (your user name and password)
• Something you have (your mobile device or landline phone)
• Somewhere you are (on-campus vs. off-campus)

MFA with Duo is required to access the university's VPN, remote desktops (VDI), as well as Microsoft 365 applications and the student and employee portals.

In addition to MFA, a more secure network access layer has been implemented requiring the use of an up-to-date browser and operating system version on devices used to access the university network. Review the table of supported devices and operating systems on the CU Secure and MFA webpage for helpful information. 

Cybercriminals are getting bolder about compromising the valuable data held within university systems across the globe. Authenticating to university systems with a username and password alone leaves your account vulnerable to hijacking attempts. Universities and private organizations (like Amazon and Google) are implementing stronger layers of cybersecurity in the form of more modern and secure access methods.

There are many reasons that the university needs to proceed at this time with adding multi-factor authentication to verify your identity when accessing Microsoft applications:

• Microsoft is continuing with plans to move to Modern Authentication in October which means that some devices and browsers may stop working when secure application access is required. 
• One of the top security compromises at CU is through our university email. Many people have compromised their email accounts by unwittingly clicking on a fraudulent or phishing email, oftentimes causing major losses financially and of personal information.

As some of us continue to work and learn from home, it is more important than ever that we all help safeguard both personal information and university private data.

Yes, all faculty, staff and students will be required to use Duo to better protect our university systems and personal data. 

At CU, faculty and staff access to the UCDAccess Portal for content such as our tax information, benefits summary and direct deposit information, is already protected by Duo Security. To access these pages on the portal, you are asked to authenticate your identity using your password and your phone. Students may recognize the same extra step of showing proof that you are who you say you are as it's similar to what many banks and other businesses are doing to help secure your account.

Please know that university faculty, students and staff across the country have already been through the MFA process — and made it through successfully — you've got this!

Yes, MFA is required for Microsoft applications including Outlook when on-campus. OIT recommends that the Microsoft desktop or mobile device applications are installed so that you only need to authenticate about every 90 days. If you use a web browser for email, for example, you will be prompted for authentication with each new browser session.

Once you have authenticated using Duo and you access your Microsoft 365 applications using desktop clients instead of a web browser, you will only be prompted to authenticate about every 90 days. Please be sure that you are using the Microsoft Outlook application for email on your mobile device and laptop.

How it works

MFA for Microsoft 365 relies on a token that is placed on your device when you access these applications while connected to the network. This means that when you connect to your email via Outlook or your OneDrive (for example) while on campus, or you connect from home using the VPN or virtual remote desktop and applications, a token that is good for up to 90 days will be placed. However, if you access Microsoft 365 browser-based applications exclusively, you will be challenged each time you connect remotely.  

Important: Authentication tokens are good for up to 90 days, but there are several factors that may cause the need to re-authenticate earlier than 90 days, even when using the Outlook client. These include changing your network password or an event that damages the token. 

OIT supports Microsoft Outlook for university email using multi-factor authentication. Faculty, students and staff are encouraged to install the Microsoft Outlook app on all your computing devices including mobile phones, tablets, laptops and desktops. 

Included with the MFA for Microsoft 365 project is a backend security upgrade that requires a more modern browser and operating system. If you have an older device, browser, and/or operating system, you may need to upgrade to access university systems. Refer to the compatibility table on the MFA and Microsoft 365 webpage for more information.

The team will make their best effort to help with troubleshooting issues with native clients, but may not be able to assist. As a reminder, the entire suite of Microsoft applications - including Outlook - is available to download on up to 5 PCs or Macs, and your mobile devices.

Refer to the following links for resources for checking operating systems and browsers:

• Check your device's operating system
• Check your device's browser 
• Microsoft Window's support page 
• Apple support page

Downloaded versions of Microsoft 365 apps will be impacted when attempting to access content that is stored on university resources while working remotely.

Generally though, you will only be prompted for MFA once about every 90 days if you use the desktop or mobile Outlook client. However, if you use a web browser session, you will be challenged for MFA each time you open a new browser session.

Possibly. The OIT Service Desk does not have access to the Linux operating system but, our research has shown that Linux users may try to install either the Mozilla Thunderbird or Gnome Evolution email client to hold a token.

You can make changes to the information in Duo at any time including adding additional devices and phone numbers. To access your Duo account, go to: https://passport.ucdenver.edu/CUSecure.php.

1. Type in your university username and password.
2. Click on My Settings & Devices.
3. You can make changes from this window including managing your preferred authentication method.

Authenticating using the Duo app on your smart phone is the easiest way to authenticate; however, there are other methods by which you can authenticate, you may:

• Register a landline - this can be your home phone, a family member’s phone, or the phone in your hotel room when travel reopens. There is no limit to how many landlines can be registered for Duo to call to authenticate.

• Register your tablet (iPad or Android) to authenticate and Duo can utilize the pass code or send a push option without having to use a mobile number. 

No, Duo does not offer a computer application for authentication. You need to use a separate device to verify your identity. 

A Duo passcode lets you log into your account when your device is without an internet connection - similar to text messaging. You can select the Passcode option on the Duo Authentication page. Be sure you clicked "Allow notifications" during the installation process. You will have five minutes to enter the passcode texted to your phone; once the passcode is entered, you can log in. 

Yes, Duo can be installed once and used to manage multiple accounts. You will need to complete the registration for the CU Secure account. After you register, you’ll see the additional CU Secure profile displayed on your Duo app.

Your personal protected data and password are not accessed by Duo Security. This second factor of authentication is separate from your username and password.

More information is available on the Duo Mobile Privacy information page at: https://help.duo.com/s/article/4683?language=en_US.