Originally posted July 15, 2015
As you may be aware of, IS&T announced on July 14th, 2015 that starting September 30th 2015, two factor authentication will be mandatory to access MIT apps like Atlas, Stellar, MITSIS, VPN, etc. This was in response to numerous high profile data breaches that hit the news and thefts of MIT credentials. The IS&T instructions and options have changed several times in recent weeks so please check back for the latest updates. As of Tuesday August 25th, these are the latest instructions.
For general info on what Duo Authentication is, go here:
http://kb.mit.edu/confluence/display/istcontrib/Two-Factor+Authentication+with+Duo
WHAT YOU NEED TO DO:
————————————-
I) CHOOSE the options that work for you. There are 5 options available. (NOTE: You can register more than one device. IST recommends registering at least TWO devices)
A) Landline (including MIT VOIP phones) or NON smart cell phone. Landline is the easiest option.
ALERT: Please note that if you need to be mobile in your job, a landline won’t work. Also if you share a landline with multiple people, this also won’t work.
B) Mobile SMART Phone (iPhone, Android phone, Windows phone, etc). This involves uses an App on your phone (if you trust the service range of your cell phone on campus AND off campus). This option doesn’t work if you travel overseas or your cell service signal is not strong. If you have WiFi, the PUSH option will work (gives you a green and red button screen to approve or deny). This is the same function that works for Option E.
C) D100 Hardware token (like what some banks use with random numbers displayed on this little plastic battery powered device you can attach to your key chain) As of Friday August 21st, IS&T’s Help Desk has stopped issuing D100 Hardware tokens.
D) Yubikey token (usb dongle you plug into the usb of your Mac when you access secure MIT sites like Atlas, VPN, Websys, MITSIS, Stellar, etc) which at a press of a button prints out a long random string in the “second password” line. These require some extra work to set up from us or IS&T. We will then need to train you how to use the keys. Also, if you select this option and you have an iMac, you will need to purchase a USB extension cable to make the key assessible for you to easily use. These keys will not work plugged into the Apple aluminium wired keyboards because the keyboard itself blocks the contact button from being touched/pressed.
E) iPad or iPod (iOS devices with or without a cell service plan). Any WiFi enabled iOS device will work with a Duo PUSH functionality.
II) SET UP
IF YOU CHOOSE option A:
1) For LANDLINE and MIT VOIP phones register here:
2) For non-smart phone, scroll down on the page to the mobile instructions beneath the landline instructions.
NOTE: As it turns out, land line is one of the simplest verification systems if you are the only person who uses your landline phone. Once it’s set up, your landline phone will ring whenever 2-factor authentication is triggered and all you need to do is button mash anywhere on the key pad to accept and then hangup the landline phone.
IF YOU CHOOSE option B or E:
1) Download the Duo App on your smartphone or iOS device with or without cell service from the Apple iOs App Store.
2) On your computer, go to https://duo.mit.edu/ to enroll.
Select “Register a new phone” for iPhone or “Register a new tablet (iPad) or other device (iPod)” for iPad or iPod to enroll in duo authentication. For iPads and iPods you will need to use your cameras to capture the QR barcode to enroll your devices.
IF YOU CHOOSE options C OR D:
1) To request either a D100 hardware token or a YubiKey token call the IST Help Desk at 3-1101 to make sure they are available. As of Friday August 21st, 2015, IS&T is sadly no longer issuing D100 hardware tokens. For those users who need to travel and have iPods or iPads, you should use your iPod or iPad or a Yubikey.
2) Pick up said D100 token or YubiKey token from the IST service desk at E17-110 (this location may change so make sure you ask and confirm). For the UBS Yubikeys, IST may set up and register the Yubikey there with you there so you can type in your kerbreros credentials. If they don’t, we can also set up the Yubikeys for you and show you how to use them.
3) If you are able to get a D100 hardware token register it at https://duo.mit.edu/
4) If you get a Yubikey, please contact us to have us set it up for you.
III) USE
FINALLY, once you’re all set up, instructions on how to login to MIT Services that use “Duo” two-factor authentication can be found here:
http://kb.mit.edu/confluence/pages/viewpage.action?pageId=151109106
Please let us know if anyone has any questions!