DUO – Best Practice

By Ross Madden
Published on February 15, 2021 9:01 am MT
Updated on October 17, 2024 11:18 am MT
Posted in General CNSIT, Knowledge Base, Tips and Tricks

Due to removal of the “Phone” call option – this information is now deprecated. More information on best practices will emerge soon.

As DUO 2-Factor authentication rolls out in front of more campus services, it is more important than ever that users set up their DUO enrolled devices in a meaningful way.

Essentially, your DUO device setup should not rely on a single device, such as a cell phone, which can be lost, dunked in the toilet or drained of power at the absolute worst time.

To set up and manage your DUO registered devices simply browse to the following URL:

https://duo.colostate.edu

If you are new to DUO then you will be able to follow the simple directions to register your first device. If you are already enrolled with at least one device you will need use a DUO device to unlock the tool.

Best Practice?

Setting up a personal DUO scenario may take some forethought. For most users the first device will be their mobile smart phone with the DUO app that can function for all DUO authentication types (“push, “phone” and “code”). You can probably see how leaving it at this might not be wise – a single device can be lost or damaged in a way to make this unusable and the time it will take to recover from that will be very inconvenient.

The next thought is to use your CSU office phone number as an alternative “phone” device source. In theory this makes perfect sense and regardless of how I diminish the potency of this in the next sentence, you should set this up. The trouble with stopping at this as your backup device is that CSU is about to embark (starting summer of 2021, I believe) in a campus rollout of Microsoft Teams Voice which will convert your standard office phone into a purely software based solution (no actual phones in your office for 98% of users – get used to relying on your MS Teams client even more). In combination with the plans to place all M365 services (including the new Microsoft Teams Voice) behind the DUO Two-Factor authentication wall (scheduled for as early as spring of 2021) will quickly lead to your office phone being disabled as well if you don’t have another DUO device registered.

So, what else can be done? This is where we need to get creative. Folks with home phones (either old school land-lines or a third party VOIP solution) should obviously enroll that device. However, many users do not have these any more and will probably need to bring in a trusted second person to act as their emergency DUO Two-Factor authentication source. Enrolling a spouse or partner’s mobile device as a “phone” source for this emergency purpose could save you a lot of headache.

Another option is to purchase a hardware token (small key-chain device) from RAMTech for around $30. This token will generate single use DUO codes that can be used in the event that your primary DUO device is out of order. These hardware tokens are designed and marketed at users traveling internationally where cell service to their mobile device may be unreliable or unavailable (lost) but can also be used as a backup DUO device in any case (just don’t lose this as well).

Conclusion

Planning ahead with a thoughtful DUO Two-Factor device setup is a worth while use of time. Start with your mobile device and your office phone number. Next, add a home phone number (if you have one) or a spouse/partner’s (if they will allow it). If all else fails, purchase a hardware token from RAMTech as the ultimate fail-safe.

If you still have questions or concerns (or trouble fine tuning your DUO scenario), please get in touch and we can help work through your options.

https://cnsit.colostate.edu/help

More information and DUO user guides from ACNS can be found here:

https://www.acns.colostate.edu/duo-help

Back to top of page