Setting Up and Using Duo

The information here only pertains to using Duo with Holland Computing Center accounts. For help with your general University (i.e. TrueYou) account and Duo, contact the Huskertech Help Center via email at support@nebraska.edu.

Use of Duo two-factor authentication (https://www.duosecurity.com) is required for access to HCC resources.

Users will connect via SSH and enter their username/passwords as usual. One additional authentication step through Duo is then needed before the login is completed. This second authentication can be in several different forms (cell phone, YubiKey hardware token), and is user-selectable at each login. A brief description of each is provided below. See the Duo Authentication Methods page for more details.

Initial Setup

Most HCC account holders use the Duo Mobile application on their smartphone or purchase a YubiKey USB device.

Smartphone

If you are not currently using Duo with your TrueYou account:

  1. Install the free Duo Mobile application from the Google Play Store, Apple App Store, or Microsoft Store
  2. Visit one of the following locations.  Bring your smartphone and a valid photo ID such as your university ID card or drivers license.

    1. Visit either HCC location 118 Schorr Center, UNL | 152 Peter Kiewit Institute, UNO in-person anytime from 9am-5pm to enroll.
    2. Visit Information Technology Services 115 Otto Olsen, UNK in-person and ask for HCC identity verification.

    Due to current health and safety concerns, Duo activation is entirely remote. Join one of HCC’s Remote Open Office hours sessions every Tues/Thurs from 2-3PM CST to activate Duo. Contact hcc-support@unl.edu for alternate times if you are not able to attend.

    Faculty/staff members with a verified NU telephone number can enroll by phone. If you would like an HCC staff member to call your NU telephone number to enroll, please email hcc-support@unl.edu with a time you will be available.

If you are currently using Duo with your TrueYou account:

  1. You can request to use the same phone for HCC’s Duo as you are using for TrueYou. Please contact hcc-support@unl.edu with the request using the email address associated with your TrueYou account. In the email, include the last 4 digits of the phone number for verification.

YubiKeys

YubiKey devices are currently a one-time cost of around $25 from HCC, or can be purchased from Yubico and added in-person at either HCC location. Purchasing a YubiKey from HCC must be done via a University cost object transfer (HCC cannot accept cash or credit cards). Please bring the cost object number with you if possible. YubiKeys are also available from the Husker Tech store in the UNL City Union. Note that YubiKeys are configured for HCC’s Duo, and not for general YubiCloud or U2F use.

Example login using Duo Push

This demonstrates an example login to Swan using the Duo Push method. Using another method (SMS, phone call, etc.) proceeds in the same way.  (Click on any image for a larger version.)

First, a user connects via SSH using their normal HCC username/password, exactly as before.

Account lockout

After 10 failed authentication attempts, the user’s account is disabled. If this is the case, then the user needs to send an email to hcc-support@unl.edu including his/her username and the reason why multiple failed authentication attempts occurred.

After entering the password, instead of completing the login, the user will be presented with the Duo prompt. This gives the choice to use any authentication method that the particular account is setup to use. In this example, the choices are Duo Push notification, SMS message, or phone call. Choosing option 1 for Duo Push, a request to verify the login will be sent to the user’s smartphone.

Simply tap Approve to verify the login.

If you receive a verification request you didn’t initiate, deny the request and contact HCC immediately via email at hcc-support@unl.edu

In the terminal, the login will now complete and the user will logged in as usual.

Duo Authentication Methods

Duo Push

[Watch the Duo Push Demo]
Photo credit: https://duosecurity.com

Photo credit: https://duosecurity.com

For smartphone or tablet users (iPhone, Android, Blackberry, Windows Phone), the Duo Mobile app is available for free. A push notification will be sent to the device, and users can simply confirm the login with one tap.

Duo Mobile Passcodes

Photo credit: https://duosecurity.com

Photo credit: https://duosecurity.com

The Duo Mobile app can also be used to generate numeric passcodes, even when internet and cell service is unavailable.  Press the key icon to generate a passcode.  The passcode is then entered manually at the login prompt to complete authentication.

SMS Passcodes

For non-smartphone users, Duo can send passcodes via normal text messages which are entered manually to complete login. Please note since this is an SMS message it may not be free, depending on the details of the particular cell phone plan.

Phone Callback

For users with cell phones who prefer not to use any of the above methods and for those with landline phones, Duo will call the phone and provide a passcode via automatic voice message. The passcode is then entered manually to complete the login.

YubiKey

[Yubico]
Photo credit: Yubico

Photo credit: Yubico

YubiKeys are USB hardware tokens that generate passcodes when pressed. With HCC clusters, there is no prompt to press on the YubiKey. When the DUO prompt appears in the terminal, press the YubiKey and it will output a string to the terminal to authenticate you. They appear as a USB keyboard to the computer they are connected to, and so require no driver software with almost all modern operating systems. YubiKeys are available from the Husker Tech store at UNL. Users may also purchase them directly from Yubico if desired; this does require stopping by either HCC location in person to have the YubiKey added to the user’s account. For your convenience, HCC often carries some YubiKeys as well; these may only be purchased via a Cost Object transfer.