Multi-Factor Authentication (DUO)
Scammers are becoming increasingly sophisticated in their phishing attempts. Recently bad actors tried to impersonate KU Medical Center and The University of Kansas Health System employees with the intent of changing their bank routing numbers in the payroll system so employees' paychecks would be deposited into the scammer's bank account on payday. To defend against these types of cyberattacks, KU Medical Center and the health system will implement a Multi-Factor Authentication (MFA) process to provide an extra level of identification security.
What is MFA?
Multi-Factor Authentication (MFA) will require you to confirm your identity using your password along with verification from an app installed on your mobile phone (see Duo Mobile app info below) or a code entered from a registered hardware device before you can access your account. MFA creates friction for attackers with minimal disruption to legitimate users.
How does Duo Multi-Factor Authentication work?
MFA will be automatically applied to each system for which it is needed. Once MFA is applied, you will have to use MFA to access these systems. Using the free Duo Mobile app on your smartphone is the easiest and most convenient way to confirm your identity for MFA.
Steps to register your device and download the Duo Mobile app (view instructional screenshots)
- Registration must be initiated on your computer (not your phone) from the MFA Self-Service page.
- When you get to the computer screen "Install Duo Mobile…," search for "Duo Mobile" in your app store on your phone.
- Tap "install" to install the app.
- Open the Duo Mobile app.
- Go back to your computer and click "I have Duo Mobile installed."
- From the Duo Mobile app on your phone, the app will use your phone's camera to capture the QR code displayed on the computer page "Activate Duo Mobile…"
- Hit "Continue" on the computer screen.
- Now that you're enrolled, your smartphone can be set to receive push notifications or codes within the Duo Mobile app.
By enrolling your devices before MFA is implemented, you'll be able to easily log in when MFA is live and required for access.
Once your device is registered and MFA has been applied to application(s), log in as usual. After entering your KU Medical Center or health system credentials, you will be asked to choose an authentication method. The best option is a push notification to your phone. Your phone will show an alert, you will approve it, and you'll be allowed to enter the system.
If the Duo Mobile app is not an option for you or if you prefer to use separate hardware devices that generate and display codes, read the FAQs or contact Customer Support at 913-945-9999, option 1 to reach the Health System Service Desk, option 2 to reach the University Service Desk; Wichita users should call 316-293-2605, option 1 to discuss your options.
Register Your Device from Your Computer
Watch instructional video below.
Guide to Multi-factor Authentication - Duo Security video
What are the benefits of MFA?
By requiring a second form of identification, MFA decreases the probability that an attacker can impersonate a user and gain access to computers, accounts, applications or other sensitive resources. Even if a bad actor gains access to a password, they won't have the second element required to authenticate.
Collectively as an institution and as individuals, we have a legal and ethical obligation to protect private, confidential, and sensitive data to the best of our ability. In an increasingly complex digital world, usernames and passwords alone are not enough to stop hackers and data thieves. Duo’s MFA process gives KU Medical Center and the health system an affordable and simple way to ensure all employees, students and affiliates can do their part to protect their own data as well as that of colleagues and other stakeholders.
MFA is recognized as an effective security control for preventing data breaches and is now required by the new State of Kansas Information Technology Executive Council (ITEC) policy.
FAQs and troubleshooting
DUO MOBILE APP
What should I do if I receive a push notification in Duo that I didn’t initiate?
Someone is trying to illegally access your account:
- Choose “Deny” to block the request.
- Go to https://password.kumc.edu and reset your password.
- Email jayhawktech@kumc.edu or call Customer Support at 913-945-9999, option 1 to reach the Health System Service Desk, option 2 to reach the University Service Desk; Wichita users should call 316-293-2605 to report the attempt.
Is the Duo Mobile app accessible for people with disabilities?
- According to Duo, “its authentication and self-enrollment features are compatible with screen readers such as NVDA and VoiceOver on PCs and Macs. Additionally, Duo Mobile app is accessible to voiceover functionality on Apple and Android devices. Duo also has made all the authentication and self-enrollment features accessible by keyboard for people with limited motor skills.”
- If you have questions or concerns about accessibility or if you need an accommodation, email jayhawktech@kumc.edu or call Customer Support at 913-945-9999, option 1 to reach the Health System Service Desk, option 2 to reach the University Service Desk; Wichita users should call 316-293-2605.
- Smartphones are the most popular choice for Multi-Factor Authentication because they’re convenient and most people seldom go anywhere without one.
- You probably already use your phone for a work-related purpose. General concerns about the use of a smartphone for your job, however, should be discussed with your supervisor. KU Medical Center and the health system consider the use of your phone for Multi-Factor Authentication incidental, much like the incidental use of a university computer for checking personal email or browsing the internet.
- If using a smartphone isn’t an option for you, see Alternative Devices below, email jayhawktech@kumc.edu or call Customer Support at 913-945-9999, option 1 to reach the Health System Service Desk, option 2 to reach the University Service Desk; Wichita users should call 316-293-2605 to discuss other options.
Yes. You can use the Duo Mobile app to display a code to log in. The app will work on a smartphone even if you have no cell service or Wi-Fi coverage. When you log in, choose “Enter a Passcode.” Then open the Duo Mobile app, tap the KU Medical Center/health system logo and enter the passcode shown.
What happens if I change SIM cards in my phone?
This won’t have any impact on the KU Medical Center/health system’s MFA.
What if I don't enroll my device(s) prior to MFA being applied to applications that I use?
You won't be able to access the applications onto which MFA has been applied. The application will prompt you to complete enrollment before access is granted.
How do I install Duo on a new phone or reinstall the app on my current phone if I already use Duo?
Ideally, you should use your old phone to authenticate to the Duo registration site before you trade in or otherwise dispose of it, so that you can register your new phone with Duo right away. However, if you’re unable to do this, you can contact Customer Support at 913-945-9999, option 1 to reach the Health System Service Desk, option 2 to reach the University Service Desk; Wichita users should call 316-293-2605, option 1. You’ll have to provide or answer the following:
- Proof of identity
- Is the phone number of the new device the same as the previous device?
- What is the OS of the new device?
Customer Support will then issue a one-time bypass code to be used to install Duo on your new phone or reinstall on your current phone, if necessary.
DUO MOBILE APP SECURITY AND PRIVACY
The Duo Mobile app does not give the university or health system access to content on your smartphone, nor does the app have any control over your smartphone. During the Multi-Factor Authentication process, the only information provided to the university/health system is confirmation the authentication was completed. For more information, see the Duo Mobile Privacy Information and the What data does Duo collect? articles on the Duo website.
No. The use of personal phones for work-related matters does not make the phone a university or health system phone. However, records on that phone of work-related matters would be subject to the Kansas Open Records Act (KORA), but those records would already be covered under KORA. A Duo Mobile code would not be something KU Medical Center or University of Kansas Health System would produce (or ask an employee to produce), any more than the university or health system would seek to obtain or reveal an employee’s password. The use of personal phones for Multi-Factor Authentication would do nothing to expand the reach of KU Medical Center’s open records obligations.
What should I do if I receive a push notification in Duo that I didn’t initiate?
Someone is trying to illegally access your account:
- Choose “Deny” in the Duo Mobile app to block the request.
- Go to https://password.kumc.edu and reset your password.
- Email jayhawktech@kumc.edu or call Customer Support at 913-945-9999, option 1 to reach the Health System Service Desk, option 2 to reach the University Service Desk; Wichita users should call 316-293-2605 to report the attempt.
ALTERNATIVE DEVICES
Are there alternatives to using my smartphone?
Yes. You can use a separate hardware device that generates and displays codes for logging in. To obtain one of these devices, contact KUMC IT support by email at jayhawktech@kumc.edu or call Customer Support at 913-945-9999, option 1 to reach the Health System Service Desk, option 2 to reach the University Service Desk. Wichita users should call 316-293-2605 for more information.
Why should I use my smartphone instead of an alternative hardware device?
Using the Duo Mobile app is the recommended method to confirm your identity since we typically have our smartphones on hand. The alternative hardware devices that generate and display codes can easily be damaged or lost. It's also common for these devices to get “out of sync.” Each time the hardware device is pressed (even accidentally in your pocket or purse), it will generate a code. If the code isn’t used for login purposes, the device can get out of sync and stop working. If the hardware device stops working, you’ll only discover this when you need it to log in to a system. At this point, you’ll have to call the help desk for assistance.
U2F devices (e.g., Yubikey or Feitian MultiPass FIDO Security Key) are compatible with Duo Multi-Factor Authentication at KU Medical Center, but Customer Support does not provide these devices, nor do they provide technical support for these devices. For these reasons, we only recommend them for people who are capable of setting them up and maintaining them without technical support.
U2F devices may connect to your computer via USB, Bluetooth or NFC (Near Field Communication; a technology that allows devices to exchange information simply by placing them next to one another). When you connect the U2F device and touch a button, a code is generated and automatically entered as your second authentication factor.
Hardware devices that generate and display codes are issued and supported by Customer Support. These cannot be purchased or acquired outside of the KU Medical Center/health system and used for MFA purposes. They display a six-digit code that you type in when you authenticate using Duo. They are compatible with all services currently protected by Duo at KU Medical Center/health system, including the Anyconnect Virtual Private Network (VPN).
Can I share my U2F device or hardware device that generates and displays codes with a coworker?
No. Your hardware device that generates and displays codes or U2F device will be associated with your account only. Just like your password, it cannot be shared with other users. Either device will work for your account on any computer where you log in with your KU Medical Center/health system username and password.
How do I use a hardware device for MFA?
- Press the red button on the left to generate a passcode.
- A six-digit passcode will be displayed here. Enter it in the passcode box to log in.
- These bars indicate a countdown for how long the displayed passcode is valid. If the passcode is not entered before all six bars run out, you will need to press the button again to generate a new one.
- Note: If the button is pressed 20 times without using any of the passcodes generated, the hardware token will fall out of sync with Duo. If this occurs, you can resync your token by entering three correct passcodes in a row the next time you are prompted for one at login.
If you need any further assistance with your Duo hardware token, please email jayhawktech@kumc.edu or call Customer Support at 913-945-9999, option 1 to reach the Hospital Service Desk, option 2 to reach the University Service Desk; Wichita users should call 316-293-2605 to report the attempt.
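The out-of-sync and resync behavior described above is what a counter-based one-time-passcode token produces. The following is an added example, not code from this page or from Duo: it assumes the token follows RFC 4226 (HOTP), and the `TokenValidator` class, the window of 20, the resync search range and the sample secret are all illustrative assumptions.

```python
import hashlib
import hmac

LOOK_AHEAD = 20       # assumption: window sized to the page's "20 presses"
RESYNC_CODES = 3      # page: three correct passcodes in a row
RESYNC_SEARCH = 1000  # assumption: how far ahead a resync may search


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenValidator:
    """Server-side state for one hardware token (hypothetical class)."""

    def __init__(self, secret: bytes, counter: int = 0):
        self.secret = secret
        self.counter = counter  # next counter value the server expects

    def verify(self, code: str) -> bool:
        # Accept a code only inside the look-ahead window, then move past it
        # so that the same code cannot be replayed.
        for c in range(self.counter, self.counter + LOOK_AHEAD):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False

    def resync(self, codes: list[str]) -> bool:
        # A single six-digit match far ahead could be a guess; requiring
        # consecutive codes makes a chance match implausible.
        if len(codes) != RESYNC_CODES:
            return False
        for c in range(self.counter, self.counter + RESYNC_SEARCH):
            if all(hmac.compare_digest(hotp(self.secret, c + i), code)
                   for i, code in enumerate(codes)):
                self.counter = c + RESYNC_CODES
                return True
        return False


def demo() -> dict:
    secret = b"constructed-demo-secret"  # constructed sample key
    server = TokenValidator(secret)
    pressed = 20  # token counter after 20 presses whose codes were never used
    rejected = not server.verify(hotp(secret, pressed))
    resynced = server.resync([hotp(secret, pressed + i) for i in (1, 2, 3)])
    accepted = server.verify(hotp(secret, pressed + 4))
    replay_blocked = not server.verify(hotp(secret, pressed + 4))
    return {"rejected": rejected, "resynced": resynced,
            "accepted": accepted, "replay_blocked": replay_blocked}
```

The look-ahead window is the trade-off behind the 20-press limit: a wider window tolerates more accidental presses but also enlarges the set of codes that would be accepted at any moment.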
USING DUO
What kinds of applications require MFA?
Most enterprise applications at KU Medical Center and the health system will require Multi-Factor Authentication, including Workday, Enroll & Pay, myKUMC, email, VPN and others.
If you are a KU Lawrence/Edwards employee and have a dual appointment on the KU Medical Center campus, or for other reasons access campus systems, you will be required.
As a health system user, if I currently use MS Authenticator, will I be required to enroll in DUO?
Yes, both organizations will use DUO. MS Authenticator will be retired at the Health System.
Will I have to use Duo every time I log in?
There will be different MFA session timelines for various systems. It will also depend on whether you’re using a managed device or personal device, as well as whether you are on campus or remotely located. Some systems, such as KU Medical Center VPN and health system Citrix and VPN, will require MFA every time, while other systems' MFA sessions may last for 12 hours. It’s also likely that these MFA session timelines may change over time, and we will update this page with more details as available.
I will be using a temporary phone or other communication device while traveling. What should I do?
You will need to register your temporary device yourself through the Duo self-enrollment portal (MFA Self-Service) before you depart. If you have questions, please contact KUMC IT support by email at jayhawktech@kumc.edu or call Customer Support at 913-945-9999, option 1 to reach the Health System Service Desk, option 2 to reach the University Service Desk. Wichita users should call 316-293-2605 for more information.
My smartphone is enrolled with Duo, but I deleted the app or it’s not working. What do I do?
If this happens, and you have no other device registered with Duo for MFA, you will need to contact Customer Support at 913-945-9999, option 1 to reach the Health System Service Desk, option 2 to reach the University Service Desk; Wichita users should call 316-293-2605, option 1 to obtain a one-time passcode and then reinstall the Duo Mobile app.
How do I register multiple devices?
You can register multiple devices, such as smartphones or tablets, yourself through the Duo self-enrollment portal (MFA Self-Service). However, if you choose to use a hardware device, you can only have one that is active and assigned to your user account. Please contact KUMC IT support by email at jayhawktech@kumc.edu or call Customer Support at 913-945-9999, option 1 to reach the Health System Service Desk, option 2 to reach the University Service Desk. Wichita users should call 316-293-2605 for more information.
I don’t work near the Kansas City campus. What should I do if I need assistance?
Contact Customer Support at 913-945-9999, option 1 to reach the Health System Service Desk, option 2 to reach the University Service Desk; Wichita users should call 316-293-2605, option 1 to discuss your options.
If I use Duo at KU-L or another organization, do I need to register at KUMC?
Yes, you will need to register here, as well, using KUMC’s registration portal (MFA Self-Service). If you use the PUSH notification (recommended), the Duo Mobile application will automatically know which organization's application you’re attempting to access. However, if you use the PASSCODE option, you’ll have to select the correct Duo account in the Duo Mobile application. If you use a token, you will have to use separate tokens for each organization.
Though this may change with future applications, at this time, we will have a 12-hour “remember me” option for the applications that have already been scheduled. However, because VPN requires MFA every time, there is no "remember me" option, which means that you'll have to use MFA to access those other applications.
What if I forget to bring my mobile device or token?
Customer Support can issue you a one-time bypass code you can use for MFA. Contact Customer Support at 913-945-9999, option 1 to reach the Health System Service Desk, option 2 to reach the University Service Desk; Wichita users should call 316-293-2605, option 1. You’ll have to provide proof of identity each time you request a one-time bypass code.
I'm not getting the prompt for Duo. What do I do?
Make sure your notifications are on for Duo in your device settings. View Recommended Duo Mobile App Settings.
Contact information
For all questions about multi-factor authentication, please contact Customer Support at 913-945-9999
- option 1 to reach the Health System Service Desk
- Health System users may also open a ticket through MYIT.
- option 2 to reach the University Service Desk
- Wichita users should call 316-293-2605, option 1.