Multi-Factor Authentication with Duo

Multi-Factor Authentication (MFA) adds a layer of security to your authentication process. In addition to your account password, you can add another factor to your login process such as a telephone number, smartphone, physical token, or other device that is similarly unique to you. With a such a device paired to your XSEDE account using MFA, it becomes much more difficult for another person to gain access to your account, files and data than is the case with Single-Factor Authentication.

 

XSEDE users may currently opt-in to using this security feature on the XSEDE Single-Sign-On Hub. Note that other service providers (e.g. TACC, SDSC, PSC) will certainly be implementing MFA on their resources in the very near future.

Duo Mobile logo

 

XSEDE has chosen Duo as its MFA partner.

How to Setup Duo for Your XSEDE User Portal SSO Account

Follow these simple steps to begin using MFA with the XUP Single-Sign-On Hub.

  1. Install the Duo app on your smartphone or other device
  2. Enroll your XSEDE Portal account in Duo
  3. Pair your Duo-enabled device with your XUP account

Duo is available from iTunes and Google Play. Search for "Duo Mobile" from your mobile device. You can identify the Duo Mobile app by its green logo.

Duo Mobile logo

Do not confuse this with Google Duo, which has a blue logo.

Enroll Your XSEDE User Portal Account

 

XSEDE User Portal (XUP) and visit your XSEDE Profile page (MyXSEDE->Profile).

  1. Login to the

Enroll in Duo screen on XUP

 

Figure 1. Enroll in Duo from XSEDE Profile page

  • The "Duo Enrollment Details" form will pop up. If you do not see this form, please ensure your browser settings will allow pop-ups from `xsede.org`. Read the "Duo Enrollment Details" form and click on "Enroll" to continue.

DUO Enrollment Details image

 

  • Enter your XUP password and you will be taken to the "Protect Your XSEDE Account" screen

Start Setup screen on XUP

 

From this screen, do the following:

  • Click on the "Start Setup" button
  • Enter your phone number
  • Click the checkbox to confirm
  • Click "Continue"

Make sure the Duo App is installed on your Android or iOS device. If not, go back to Step 1 and install the app before proceeding.

 

Pairing with Duo

You will see the "Add a new device" screen in your XUP session.

Select your device type and click "Continue". You will then see the confirmation page where you must indicate that you have Duo Mobile installed on this device.

Click "I have Duo Mobile installed".

On the next screen, point your device camera at the barcode on your web browser. If your device doesn't have a camera, press the "No barcode" button and click "Skip this step" in the portal session.

If you have not opened the app immediately after installing it, you may be presented with a License Agreement on your device. Tap "Accept" on your device to continue and then tap "Continue".

Open the Duo app on your device.

In your XUP session, click "Continue to login". When this is done, you should see a message in the upper right corner of the XSEDE Portal saying "DUO Enrollment" Successful.

Click "Send me a Push"

Tap the green bar at the top named "Request waiting: Tap to respond". You should now be enrolled.

Connecting to XSEDE resources

To use DUO to connect to an XSEDE machine, ssh to login.xsede.org as you would normally. After entering your password, you will be prompted by a message presenting several authentication options. Choose Duo Push by entering the corresponding number on your keyboard.

Duo login prompt for ssh to login.xsede.org

You should receive an update via your app saying "Request waiting: Tap to respond." Tap this, then tap the "Approve" prompt on the next screen.

You should now be logged into the XSEDE Portal and able to GSISSH to an XSEDE system.

Duo SSO Login screenshot

Last update: October 3, 2016