Multi Factor Authentication (MFA) Frequently Asked Questions: Difference between revisions
| (6 intermediate revisions by the same user not shown) | |||
| Line 19: | Line 19: | ||
https://cruzid.ucsc.edu/idmuser_login | https://cruzid.ucsc.edu/idmuser_login | ||
Use your CruzID Gold username and password. You may get a call or text with MFA stuff in it as usual, but don't act on that yet. During the Duo notice that pops up in your web browser that says "Verify your identity..." there will be a small link below that which says '''Other Options'''. Click that, and from there you should be able to change the way in which | Use your CruzID Gold username and password. You may get a call or text with MFA stuff in it as usual, but don't act on that yet. During the Duo notice that pops up in your web browser that says "Verify your identity..." there will be a small link below that which says '''Other Options'''. Click that, and from there you should be able to change the way in which Duo MFA authenticates you, enroll a new device (like a phone) by selecting '''Manage Devices''', etc. | ||
== All This Documentation References "Duo Push", but I use Duo by Another Method...? == | |||
Most of our users use Duo in the context of getting a "Push", i.e. when you enter your username and password, you get a Push Request on your phone and click the green "Accept" button to finish authentication. But there are a few cases where that is not possible. If the Push option of Duo authentication is not possible, you can utilize the "Rolling Code" option or the "Yubikey" option. For the "Rolling Code" option, you must have already enrolled Duo on your phone. Then open the Duo App on your phone and click the "UC Santa Cruz" option. It should show you a six digit passcode. Then, when you authenticate to the Genomics Institute VPN, type your username in the "Username" field on your VPN client, then in the password field, type your password, then a comma, then the six digit code you see in the Duo App. | |||
'''Rolling Code Option''' | |||
For example, if my credentials were: | |||
username: bob | |||
password: C@ndyIsFun | |||
and I looked on my phone and saw my six digit code in the Duo App as "643726", I would enter these credentials: | |||
username: bob | |||
password: C@ndyIsFun,643726 | |||
And that would authenticate me. | |||
'''Yubikey Option''' | |||
It's the same idea with a Yubikey. In the "Password" field, just type in your password followed by a comma, followed by the code on your Yubikey Application. | |||
Latest revision as of 22:35, 11 February 2025
Why Do We Need MFA To Login To The VPN?
We need to comply with NIST 800-171 Security Standards in order to store data downloaded from NIH, according to new regulations. NIST 800-171 controls require we enable MFA for VPN logins to harden our security posture. MFA is a good idea, security-wise, anyway though! Even though it can be somewhat annoying.
What Kind of MFA System Are We Using here at the GI?
We are using Duo Mobile as our MFA authentication mechanism. You probably are already using it to authenticate to CruzID related systems.
Do I need a CruzID before I can use Duo Mobile at the Genomics Institute?
Yes, you do. If you do not yet have a CruzID, please ask your sponsor or PI to get you a CruzID set up. You will need this active before you can authenticate to the Genomics Institute VPN.
Duo is Working To Login to the GI VPN, But It Is Calling My Phone Instead of Sending Me a Push! What Can I Do?
If you previously set up Duo to send you a text with a code, or to call you to authenticate, and you would prefer to just receive a Push Notification instead, you can do it by logging in here:
https://cruzid.ucsc.edu/idmuser_login
Use your CruzID Gold username and password. You may get a call or text with MFA stuff in it as usual, but don't act on that yet. During the Duo notice that pops up in your web browser that says "Verify your identity..." there will be a small link below that which says Other Options. Click that, and from there you should be able to change the way in which Duo MFA authenticates you, enroll a new device (like a phone) by selecting Manage Devices, etc.
All This Documentation References "Duo Push", but I use Duo by Another Method...?
Most of our users use Duo in the context of getting a "Push", i.e. when you enter your username and password, you get a Push Request on your phone and click the green "Accept" button to finish authentication. But there are a few cases where that is not possible. If the Push option of Duo authentication is not possible, you can utilize the "Rolling Code" option or the "Yubikey" option. For the "Rolling Code" option, you must have already enrolled Duo on your phone. Then open the Duo App on your phone and click the "UC Santa Cruz" option. It should show you a six digit passcode. Then, when you authenticate to the Genomics Institute VPN, type your username in the "Username" field on your VPN client, then in the password field, type your password, then a comma, then the six digit code you see in the Duo App.
Rolling Code Option
For example, if my credentials were:
username: bob password: C@ndyIsFun
and I looked on my phone and saw my six digit code in the Duo App as "643726", I would enter these credentials:
username: bob password: C@ndyIsFun,643726
And that would authenticate me.
Yubikey Option
It's the same idea with a Yubikey. In the "Password" field, just type in your password followed by a comma, followed by the code on your Yubikey Application.
