Add Two-Step Login to Your Online Service Using a Duo Application
For Administrators: How to add Two-Step Login to your online service using a Duo Application
This article applies to: Two-Step Login
Setting Up a Duo Application
Duo Security supports integration with a broad range of applications and technologies, listed on the top page of their online documentation. You can request that CIT set up a "Duo Application" for your service. If you are interested in adding two-factor authentication to server or workstation logins, see Two-Step Login for System Access.
Request a Duo Application
Email your request to Identity Management with this information:
- Type of Duo application: Select from the types listed in Duo's documentation.
- Proposed name: Include, in abbreviated form, the unit/department designation and description of the service. Hyphens and spaces are allowed. This name, prefaced by "Two-Step Login," will appear on the approval screen when Duo Push is used. Identity Management may edit your proposed name for length and consistency.
- Name of requesting college/unit and department.
- AD group of responsible personnel: Provide the name of an AD group that contains the people who are authorized to request changes (including retransmission or regeneration of keys) and who can be contacted about problems with the integration.
You can expect fulfillment within two business days. Identity Management will use Cornell Secure File Transfer to send the keys, API hostname, and any supplemental configuration information to the NetID of the requester.
Two-Step Login accounts can only be created using the Two-Step Login central self-service provisioning site. Employees, students, retirees, affiliates, and holders of Sponsored NetIDs are eligible for accounts. GuestIDs are not supported under Two-Step Login.
A Cornell NetID must be used as the login identifier. Usernames in the form of DOMAIN/NetID and NetID@HOSTNAME are also supported.
Recommendations for Supporting Your Users
To help with consistency, please refer to "Two-Step Login" (rather than "Duo") in any documentation and communications you produce. Although the technology is being supplied by Duo Security, the Cornell implementation is known as "Two-Step Login."
Two-Step Login is supported by the IT Service Desk, but the actual login process varies between the different integrations (Duo Applications). Particularly if your use of two-factor authentication extends beyond a small group of knowledgeable users, you should develop service documentation that captures the details of the login experience for your audience. You may be able to point people to a description of your authentication process in Duo’s user guide. Check the list under Authenticating on the left of the page.
Duo provides excellent and comprehensive online documentation on how to integrate two-factor authentication into your service. While we will assist as we can, CIT’s ability to help with a given integration will be limited, especially for technologies we have not worked with ourselves. Identity Management may need to refer some issues to Duo tech support.
If you cannot find the answer to your question in the documentation, please contact the IT Service Desk or email Identity Management.
To provide a consistent user experience and uniform level of security, standards have been established for integrating Two-Step Login into campus services. Configuration options set centrally include:
New user policy: Deny access
Self-service portal: Enabled (where available)
Trusted devices: 24 hours (where available)
Trusted networks: This option is not in use at Cornell
Group policy: This option is not in use at Cornell
Voice greeting: "Welcome to Cornell Two-Step Login"
For information about what these options mean, see Duo's online documentation.
Other options are set in a local config file. If you are uncertain about the best value for a given configuration item, please contact Identity Management.
One key option that may appear in your config file, failmode, governs what happens when the Duo service cannot be reached because of an outage or a connectivity problem. For the sake of security, your service should fail closed, meaning deny access. Duo’s documentation refers to this as “fail secure” (as opposed to “fail safe,” which means allowing access even without the secondary authentication).
If you feel there is some reason to configure your service to fail open (“fail safe”), you need to obtain the permission of the IT Security Office.
If the inability to reach Duo’s servers lasts long enough that university operations are seriously affected, you may receive authorization to manually change your integration’s failmode value from “secure” to “safe,” which turns off two-factor authentication for your service until connectivity is restored. Do not switch to fail open (fail safe) without explicit permission, because the cause of the outage could be an attack against Cornell (for example, a denial of service) whose goal is to disable the protection of two-factor authentication.
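As an added example (not from this article, CIT, or Duo), a small audit script that reads Duo Unix-style config files (a [duo] section as in login_duo.conf or pam_duo.conf, the assumed format here) and reports every integration whose failmode is not "secure"; a missing failmode is treated as fail-open, which is Duo Unix's documented default. The paths and key values are constructed placeholders.

```python
import configparser

# Constructed sample configs in the INI style used by Duo Unix
# (login_duo.conf / pam_duo.conf). Keys and hostnames are placeholders.
SAMPLE_CONFIGS = {
    "/etc/duo/login_duo.conf": """
[duo]
ikey = DIXXXXXXXXXXXXXXXXXX
skey = PLACEHOLDER_SECRET_KEY
host = api-XXXXXXXX.duosecurity.com
failmode = secure
""",
    "/etc/duo/pam_duo.conf": """
[duo]
ikey = DIXXXXXXXXXXXXXXXXXX
skey = PLACEHOLDER_SECRET_KEY
host = api-XXXXXXXX.duosecurity.com
failmode = safe
""",
    "/etc/duo/other.conf": """
[duo]
ikey = DIXXXXXXXXXXXXXXXXXX
skey = PLACEHOLDER_SECRET_KEY
host = api-XXXXXXXX.duosecurity.com
""",
}


def failmode_of(config_text):
    """Return the effective failmode ('secure' or 'safe') for one config.

    Assumption (Duo Unix's documented default): when failmode is absent,
    the integration fails open ('safe'), so the audit must flag it.
    """
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    if not parser.has_section("duo"):
        raise ValueError("no [duo] section in config")
    return parser.get("duo", "failmode", fallback="safe").strip().lower()


def find_fail_open(configs):
    """Return (path, mode) for every integration that does not fail closed."""
    findings = []
    for path, text in configs.items():
        mode = failmode_of(text)
        if mode != "secure":
            findings.append((path, mode))
    return findings


if __name__ == "__main__":
    for path, mode in find_fail_open(SAMPLE_CONFIGS):
        print(f"{path}: failmode is {mode!r}; expected 'secure' (fail closed)")
```

Run it against the real config paths on a host to get a list of integrations that need to be changed back to fail secure (or that need documented IT Security Office approval).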