NCSA offers the Duo multi-factor authentication solution as a method of protecting and securing NCSA's resources.

Duo at NCSA accounts are available to all NCSA Kerberos account holders.

IMPORTANT: You must enroll with Duo using either a mobile app or a security key before attempting to log in. Keep reading below for details.

Enrollment

The enrollment process enables Duo multi-factor authentication for your NCSA account.

Prerequisites

Prior to beginning Duo enrollment for your NCSA account, first take care of the following prerequisites.

• Know your NCSA Kerberos username and password.
  • If you need a password reset, use the NCSA Identity service: https://identity.ncsa.illinois.edu/
• Install the Duo mobile app on your iOS/Android device or obtain a security key.
  • To install on iOS, find Duo Mobile in the App Store.
    
    • For more information about Duo on iOS, see: https://guide.duo.com/iphone
  • To install on Android, find Duo Mobile in Google Play.
    • For more information about Duo on Android, see: https://guide.duo.com/android
  • To purchase a security key, visit: https://www.yubico.com/product/security-key-by-yubico
    • For more information about Duo's support for security keys, see: https://guide.duo.com/security-keys

Enrollment Steps

With the above prerequisites satisfied, follow these steps to enroll using your iOS/Android device or security key.

• Open https://duo.security.ncsa.illinois.edu in your web browser.
  • If using a security key, be sure to use one of the web browsers that support U2F (e.g., Chrome).
• Log in with your NCSA Kerberos username and password.
  
  • If you have trouble logging in with your username and password, visit https://identity.ncsa.illinois.edu/ or contact help+its@ncsa.illinois.edu.
• Select Launch Device Management Portal.
• Follow the Duo process for enrollment. See https://guide.duo.com/enrollment for details.

 WAIT! YOU'RE NOT DONE YET! After you complete the enrollment process for your primary device, please follow the instructions below to configure at least one additional access method in case your primary device is unavailable. Otherwise, recovering access to your NCSA account may be impossible!

Recovery

Be prepared with multiple access methods in case you lose your primary device.

• You can add additional devices (phones, tablets, security keys) at https://duo.security.ncsa.illinois.edu/portal. Click the "Add another device" link and follow the instructions.
• You can generate and save 2 non-expiring backup codes.
  • Visit https://duo.security.ncsa.illinois.edu/ and select Manage Backup Codes and Tokens. Then select Generate replacement backup codes.
  • Write down the codes and place them in a safe location or store them in your password vault.
• In some cases, NCSA can provide a Duo hardware token for you.
  • NCSA employees: contact help+duo@ncsa.illinois.edu.
  • Industry Partners: contact your Industry program representative.
  • LSST Staff: contact your project manager.
  • Others: please purchase a security key instead (e.g., https://www.yubico.com/product/security-key-by-yubico). 

FAQ

How do I use a backup code to recover access?

To use a backup code to add a new device/token:

• First complete the Prerequisites listed above to prepare your new device/token.
• Next, visit https://duo.security.ncsa.illinois.edu.
• Select Launch Device Management Portal.
• Click the "Enter a Passcode" button
• Enter your backup code and then click "Login"
• Click the "Add another device" link and follow the instructions.

How do I transfer my Duo setup to a new phone?

• First, install the Duo mobile app on your iOS/Android device.
  • To install on iOS, see: https://guide.duo.com/iphone
  • To install on Android, see: https://guide.duo.com/android
• Next, visit https://duo.security.ncsa.illinois.edu.
• Select Launch Device Management Portal.
• Log in with one of the following options:
  
  • If you still have your old phone, use the "Send me a Push" or "Enter a Passcode" option with your old phone.
  • If you have a security key, use that to log in.
  • If you have a backup code, use that to log in.
• Set up your new phone using one of the following options:
  • Select "Device Options" to "Reactivate Duo Mobile" on your new phone.
  • Delete your old phone from the list, then select "Add another device" to add your new phone.

Can I use SMS as a Duo authentication method?

No, NCSA has disabled the SMS authentication method for our Duo deployment due to the security weaknesses of that method. See NIST is No Longer Recommending Two-Factor Authentication Using SMS for references on this topic.

Where can I get additional help?

Send your questions, comments, suggestions, etc. to help+duo@ncsa.illinois.edu.

Corrections and suggestions for improvement to the above documentation are very welcome!