Duo Implementation and Transition Project Overview

11/30/2016 - As of March 14, 2016, VPN is covered by Two-Factor Authentication (Duo). As of July 25, 2016, access to the My Paycheck Profile, W-2 download, non-payroll bank routing information, and Emergency Loan applications have been transitioned from Toopher to Duo. Toopher was retired on November 30, 2016.

In December 2014, the University of Texas System issued a memo mandating that certain sensitive data systems and financial applications require the use of two-factor authentication (2FA) for access. The Duo Implementation project will support a coordinated response to this mandate by allowing campus to enable 2FA using the Duo Security two-factor solution on applications where it is required.

Goals and Scope

The Duo Implementation project will coordinate the implementation effort of the Duo Security 2FA platform across key campus systems, including the technical aspects, the introduction of new 2FA methods, operational readiness, and campus communication.

At the end of this project:

  • Internal customers who rely on the central authentication infrastructure including UTLogin and Shibboleth will be able to implement 2FA with their applications.
  • VPN end users will be required to use 2FA when accessing the VPN.
  • System administrators will be able to leverage PAM/RDP modules to protect Linux and Windows machines with 2FA using Duo. *This item has been deferred until a later phase due to technical constraints.
  • The applications currently protected by Toopher will instead utilize Duo for 2FA.

Scope

Specifically, this includes:

  • UTLogin SAML and WPA integration
  • Shibboleth SAML integration
  • Cisco VPN (web and native desktop client) integration
  • Documentation to support PAM/RDP implementations *This item has been deferred until a later phase due to technical constraints.

Additionally the project scope includes the transition of existing Toopher-protected applications to Duo.

Out of Scope

The following items will not be included in this project:

  • Direct support for any of the Duo-provided integrations outside of UTLogin, Shibboleth, Cisco VPN, and PAM/RDP methods.

Timeline

Phase 1 (Complete): Beginning March 14, 2016, access to the campus VPN (virtual private network) will require two-factor authentication via Duo. Current VPN users will receive instructions via email on how to set up and use their Duo account with the VPN.

Phase 2 (Complete): In July 2016, access to the My Paycheck Profile, W-2 download, non-payroll bank routing information, and Emergency Loan applications will transition from Toopher to Duo.

Phase 3 (Complete): In November 2016, Toopher will be retired from use on campus.

Supported Authentication Methods

Two-factor authentication via Duo will be provided via the following methods:

  • "Duo Push" via the Duo application on smartphone, tablet, or other Internet connected smart device
  • One-time passcode provided via SMS
  • One-time passcode provided via phone call on mobile phone or landline
  • One-time passcode provided by "hard token" (keyfob-like device issued on request)

Enrollment

Click here: Duo Register to enroll your device. (You will need your chosen device handy to complete this process.) Detailed instructions for how to enroll your device can be found on the DUO web site.link to the external DUO enrollment site