EUSD Duo Multi-factor Authentication Guide for Staff

Introduction

Duo is a security tool that helps keep your information safe. It will ask you to prove that it's really you trying to access your email or other resources like the district network. This can take the form of approving a mobile app notification (option 1) or pressing the button on a hardware token issued to you by the district and typing the code in when prompted (option 2).

EUSD requires the use of Duo when accessing email and other critical resources.

Enrolling and using Duo via the mobile app (option 1)
  1. During initial email login, you will be directed to the following screen. Press the "Next" button:
    Duo enrollment "Welcome" screen
  2. Press "Next" again:
    Duo enrollment "Did you know?" screen
  3. Press "Next" once more:
    Duo enrollment "What can you do?" screen
  4. Select Duo Mobile:
    Duo enrollment "Select an option" screen
  5. Enter the phone number of the device you will be approving your logins from. The EUSD Information Systems and Technology department strongly recommends the use of a personal phone for convenience and consistency because most people always have them close by:
    Duo enrollment "Enter your phone number" screen
    Note that you may alternatively select "I have a tablet" and follow the subsequent instructions if you would like to use your iPad, but this is not recommended because it is more challenging to keep a large device with no cell service close by at all times in the event that you need to approve your login.
  6. Download the Duo Mobile app from your authentication device's App Store (i.e. your personal phone or district iPad depending on your choice), then press "Next" on the enrollment screen:
    Duo enrollment "Download Duo Mobile" info screen
  7. Scan the QR code on the enrollment screen by opening the Duo app on your authentication device and tapping "Add" at the top right of the screen:
    Duo enrollment QR code screen

    Tap "Add" at the top of the Duo Mobile app on the authentication device (your phone or iPad) and scan the QR code back on the enrollment screen
  8. On your authentication device, you will be prompted to name your account and then tap "Save". You can leave it as Escondido Union School District, you can rename it to "username @ EUSD", or enter whatever text you prefer:
    Update the account name if you choose, then tap "Save"
  9. Press "Continue" in the enrollment screen:
    Duo enrollment "Added Duo Mobile" screen
  10. Setup is complete! You can close the Duo enrollment browser tab:
    Duo enrollment "Setup completed!" screen
  11. You are finished with enrollment! When logging into EUSD email you should see the following on the device that you are logging into:
    Screen displayed when waiting for a Duo approval
  12. And on your authentication device, you should receive a notification to Approve or Deny the request. This action will be often be required when you log in to Gmail or other Google apps with your district account. Duo uses risk-based safety mechanisms to reduce the frequency that you are prompted to login if you are using a known secure device from a common location. Note that if you ever receive a notification unexpectedly, that could mean that someone else is trying to log in to your account, and you should press Deny and contact the Help Desk at 760-432-2150 for assistance.
    Duo app waiting for login approval
  13. TIP: If you have notifications enabled, you never have to open the Duo app: simply press and hold the notification until it pops open to show "Approve" and "Deny" buttons for you to choose from:
    Typical Duo notification prompt
Using Duo via a district-issued hardware token (option 2)
  1. Press the green button on the hardware token to get a 6-digit code:
    Duo hardware token photo
  2. Enter the code into the Duo prompt that is displayed after you login to Gmail (note that this screenshot may not be exactly what you see depending on updates to Duo's web interface, but the action taken will be the same):
    Duo prompt on login device waiting for code
  3. That's it!
    Duo prompt successful after code entered
Troubleshooting and FAQs
  • What is multi-factor authentication anyway?
    Multi-factor authentication provides improved information security because it requires more information than a username and password. The types of authentication are traditionally described as:
    • Something you know (traditional credentials, e.g. username and password, security questions)
    • Something you have (a hardware token, smart card, or a phone with an MFA app like Duo)
    • Something you are (biometrics such as retina or fingerprint)
  • Am I required to use my personal device for district business?
    • This does not mean you are accessing your EUSD applications from your personal device. The Duo app is simply generating a code for use in accessing your EUSD applications.
    • Duo has a very clear privacy policy. The Duo app cannot access any of your contacts, photos, text messages, or other personal information on your personal device.
    • Alternatively, physical tokens are available for distribution.
  • Can my device be subpoenaed if I use it for this purpose?
    Personal devices are exempt from any Public Records Act (PRA) requests
  • How do I switch authentication methods between the mobile app and the hardware token?
    Please create a Web Help Desk ticket under the category "Duo Assistance" with a description of your request, and our team will assist you.
    Web Help Desk "Duo Assistance" category location
  • Can I have multiple devices enrolled in Duo, such as my phone and my district iPad, or my phone and a Duo hardware token?
    This is possible, and can be done from the Duo screen displayed before approving the notification to log in:
    1. From a Duo screen accessed during login to email, choose "Other options"
      Duo notification screen, choose "Other options" to manage devices.
    2. Choose "Manage devices":
      Choose "Manage devices"
    3. Approve the Duo notification to access your Duo devices:
      Choose your regular option to send a new Duo notification (must be approved to access the next screen)
    4. Tap or click "Add a device"
      Choose "Add a device"
    5. Choose the "Duo Mobile" option (if you are trying to add a hardware token, this must be done by request through the IS&T department--please call 760-432-2150 for assistance):
      Choose "Duo Mobile"
    6. Follow the initial Duo setup instructions for Option 1 described at the top of this article:
      From here, follow the standard setup instructions outlined as "Option 1" at the top of the article.
  • I have an additional email account that I manage as part of my duties. Can I use my authentication device with this additional account?
    This is possible, but it requires additional setup by EUSD IS&T staff. Please create a Web Help Desk ticket using the category shown above with details about your request.
  • What if I don't have my phone or token and I'm prompted for Duo when I log in?
    If you need urgent access to your account, you can call the Help Desk at 760-432-2150 and they will provide a one-time bypass code to use in the Duo prompt.
    1. Select Other to choose add'l Duo MFA options
    2. Choose "Bypass code"
    3. Enter code provided by Help Desk personnel
  • What happens when I get a new phone and Duo no longer seems to work?
    If you have replaced your phone, please create a ticket using the "Duo Assistance" category in our Web Help Desk system. You will receive a new invitation via email to reenroll the new device with Duo. If you need urgent access to your account, you can call the Help Desk at 760-432-2150 and they will provide a one-time bypass code to use in the Duo prompt (this process is shown in the question above this one).
    Web Help Desk "Duo Assistance" category location
  • I'm not getting notifications from Duo! What happened?
    The most likely explanation is that you've disabled notifications in your phone settings. Keeping Duo notifications active is strongly recommended for convenience. You will only receive notifications when you are actively trying to log in to a district service such as email. The location of these settings are different between platforms (i.e. iOS vs Android) and even between different versions of the same platform, but the links provided should be helpful, and Google can help if your settings look different.
  • I lost my hardware token! What do I do?
    Please create a Web Help Desk ticket and a new one will be issued to you, either via pickup from the District Office, through interdepartmental mail, or from a small stock provided to your office manager (note that the token must be assigned to your account before taking one from an OM, so a call to the Help Desk is still necessary). Please take note that these tokens currently have a cost of $20/ea, so be careful to keep track of this district-issued equipment.
  • Can I use my district-issued iPad to approve Duo prompts?
    Yes, it can, but it is not recommended unless you iPad goes everywhere with you.
  • Does this policy apply to substitute staff?
    Yes, Duo is required for all users with EUSD email access.
  • I'm a VPN user, and I can't get logged in. What do I do?
    Due to limited integration between the district's firewall and Duo, the Duo mobile app must be used, and there is no prompt after entering your password in the FortiClient VPN application to remind you to look for the Duo push notification on your device. You must remember to approve the Duo notification, or the authentication attempt will time out after 60 seconds and you will be left at the login screen wondering why it's taking so long. It's easy to forget this due to the lack of a notice from the system, so please remember to check for the Duo notification. If you continue to have problems, please contact the Help Desk during business hours for assistance at 760-432-2150.