IUP utilizes multi-factor authentication for users accessing IUP services. IUP uses Duo as the multi-factor authentication application.

Multi-factor authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. MFA is a core component of a strong identity and access management policy. Instead of asking only for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyber attack.

The main benefit of MFA is to enhance IUP’s security by requiring that you identify yourself with more than a username and password, which can be vulnerable to brute force attacks and can be stolen by third parties. Enforcing the use of an MFA factor like a thumbprint or physical hardware key means increased confidence that your organization will stay safe from cybercriminals.

Download Duo Mobile

Tap the badge to download Duo Mobile to your device.Download on the App StoreDownload on the Play Store

How do I enroll?

The first time you log in to an IUP web service, like MyIUP, you will be prompted to enroll in Duo.

Before beginning the enrollment process, you must have downloaded the Duo Mobile app onto your device from the appropriate app store. Do not install any other multi-factor authentication app. Once you have the Duo Mobile application installed, go to your computer to begin.

Review the steps for self-enrollment

After completing the Duo enrollment, you can use the multi-factor authentication when logging in to IUP web services.

What should I do if my phone is unavailable?

If your phone is lost, stolen, broken, or if you get a new device and don't have access to the old device, you have a few options for getting Duo reconfigured: 

  • Send an email to it-support-center@iup.edu from your IUP email if you have it set up on an email client or a personal email address.

  • Call 724-357-4000 and speak to a technician or leave a message

Once staff has verified your identity, we will send an SMS message with a link to activate the Duo app. 

Note: If you have multiple devices, we recommend setting up each device to use Duo. That way, you can use a secondary device if your primary device is unavailable. See Using Duo for instructions on adding a second device.

How it Works

Now that you're enrolled in Duo, you will need to authenticate when logging in to IUP WebSO services (such as MyIUP, D2L, Email, etc.)

When you see the Duo prompt, you will have the option to select an authentication method. 

Screenshot of the Duo prompt with options highlighted

  • Click Send me a push (outlined in red) to send a notification to your phone to approve the sign-in. 
  • You can also click Enter a passcode (outlined in blue). To use this option, you will need to open the Duo app on your phone and click the Show button to reveal a six-digit code. Enter this on the Duo prompt, then click on Log In. This option will also work if your device is offline. 
  • It is helpful to check the Remember me for 1 day checkbox (outlined in green) as shown above.
    • Checking this box will decrease the frequency of seeing the Duo prompt. Once checked, you will not need to authenticate with Duo for 24 hours. Keep in mind, this only applies to that web browser on that computer. If you use a different computer and/or browser, you will need to authenticate with Duo again. 

Why Do I Need This?

Passwords are increasingly easy to compromise. They can often be stolen, guessed, or hacked—you might not even know someone is accessing your account.

Two-factor authentication adds a second layer of security, keeping your account secure even if your password is compromised. With Duo Push, you'll be alerted right away (on your phone) if someone is trying to log in as you.

This second factor of authentication is separate and independent from your username and password—Duo never sees your password.

When to Deny Pushes

Example of a Duo push with a location of San FranciscoWhen you receive a Duo push, the app will show the location (outlined in red on the screenshot) of the sign-in attempt.

If the location shown is not near where you currently are and you are not trying to sign in, push Deny. This will prevent the sign-in attempt. 

Note: Sometimes, the locations shown on Duo are not extremely accurate. If you are trying to log in and the location shown is near to where you are, it should be safe to accept the push. 

"Push Fatigue"

If an attacker obtains your password, they will need to get a successful Duo push before they can access your account. Some attackers will try several attempts in a row to get you to approve the push to make the notifications stop. Never accept a push if there have been multiple pushes within a short time and you are not trying to log in. This suggests that someone has obtained your password and is trying to sign in to your account. You should change your password as soon as possible. 

 

Using Duo

Setting up Duo for multi-factor authentication protects your IUP account and personal information. Once you are enrolled, level up with these tips!