Introduction
This article explains how a user can:
- Better protect their service, application, or platform,
- Implement additional security for their system, and
- Align their system with Virginia Tech’s implementation for 2-factor authentication.
Explanation
The Division of IT provides a Duo Integration Service that allows Virginia Tech faculty and staff to request a Duo integration to protect services or platforms within their environments. You can request this service through the IT Service Catalog by choosing one of the following options:
Default Duo Integration Options
To streamline the provisioning process for Duo integration requests, the following default configuration options have been established.
- Application Name: Department Short Name + Integration Type
The Application Name is the descriptive label for your Duo integration. By default, it will be named based on the short name of your department and the type of integration that you are requesting.
- Duo Group Name: Application Name + Role
All Duo integration requests require the use of Duo Groups. Duo Groups limit access to your Duo integration to only the members of those groups. By default, Duo Groups are named based on the Application Name (described above) plus the role of the group. For example, you may have one Duo Group created for Admins and another created for Users. You will be able to identify the Duo Groups as part of the batch import file you supply with your Duo integration request.
Global Policy Settings
The following settings are set globally for the VT Duo tenant and will automatically apply to Duo integration requests. If you require changes to any of these default settings, please be sure to indicate the changes you need as part of your integration request.
- New User Policy: Deny Access
The default setting for the New User Policy is "Deny Access". This means that enrolled users will be prompted for their second factor, while users who are not enrolled will be denied access. You will provide a list of the users who require access to your Duo integration, that is, the list of enrolled users. This list can be updated at any time by submitting an updated batch file to IMCS.
- Group Access Policy: No Effect
The group policy settings apply to all users in the groups accessing the integration. The default setting is "No Effect".
- Remembered Devices: No
This setting determines how long Duo should remember a device after authentication before it prompts the user for their second factor again. By default, this option is set to “No” so users will be required to provide their second factor every time they authenticate.
- Authorized Networks: No
When this option is set to “Yes”, users are only asked for their second factor when accessing the application from outside a specified list of IP addresses, IP ranges, etc. By default, this option is set to “No” so users will be required to provide their second factor every time they authenticate.
- Authentication Methods: Duo Push, Duo Mobile Passcodes, Phone Callback, and SMS Passcodes
Methods selected will appear as options to users during the Duo Authentication process. By default, the following methods are allowed: Duo Push, Duo Mobile Passcodes, Phone Callback, and SMS Passcodes.
- Voice Greeting: Welcome to Duo
The "Voice Greeting" is read to users at the beginning of the verification phone call before the Duo authentication instructions. The default setting is "Welcome to Duo".