About two-factor authentication & Duo
...
To use Duo on the HPC systems, you must enroll in the Duo service and register a device. If you are an external collaborator, you will not be able to enroll in Duo until after you are granted access to the HPC systems. The most convenient method for managing Duo, particularly on the HPC systems, is Duo's app for smartphones and tablets (no phone number is required, and the app can be used internationally with or without Internet access). The remainder of the documentation refers to smartphones, but the information also applies to the Duo app on tablets unless phone calls or SMS messages are involved. Most, if not all, types of smartphones and other mobile devices are supported; see this page for more information. Please see the following page for setting up a smartphone for Duo:
...
Info |
---|
Registering with Duo for the HPC system will enable Duo for all campus services that use Duo such as Employee Self-Service. |
...
The ITS page "Two-Step Login with Duo Security" has all of the information that you will need for using Duo. Please direct all questions regarding enrollment to the ITS Help Desk, whose contact information is listed on that page.
...
In the above, I have two devices registered, a phone and a tablet. The phone is set to be the primary device. The above requires interaction, which in most cases is probably not a huge burden. Of course, some commands, such as scp and FastX, do not present dialog prompts at the console. For these types of commands, Duo will autopush the request to your out-of-band authentication method. If you have the app on a smartphone, the request will go there. If not, a phone call will be made to the registered number. Clearly, the app on a smartphone is a much better way to handle that. There will be no prompt in your terminal window, so you must remember to check your smartphone for the pushed request. However, it is also possible to send an authentication key as part of the command, which is particularly useful for those without a smartphone. Passing a key on the command line is probably easier than authenticating with a phone call. See the Advanced Setup section below for more information.
...