NetID+ enhances the security of your UA NetID by using technology from Duo Security which leverages your device (e.g., smartphone or tablet) to verify your identity. This prevents anyone but you from accessing applications and services secured with NetID+, even if they know your password.
You can complete the second step in the login process in many ways, including:
Passwords are becoming increasingly easy to compromise. They can often be stolen, guessed, and hacked — you might not even know who else has your password and is accessing your account. NetID+ adds a second layer of security to your account to make sure that your account stays safe, even if someone else knows your password — and you'll be alerted right away (on your phone) if someone does know your password and tries to log in with it. This second factor of authentication is separate and independent from your UA NetID username and password step — Duo Security never sees your password.
Just about all of them! iOS and Android devices, obviously, but also Windows Phone, Blackberry, and other platforms. See Supported Devices for information on installing and using the Duo Security app on various platforms.
There are many other methods available if you don't use a smart device (phone/tablet). One-time passcodes (OTP) can be sent to any phone capable of receiving SMS text messages, or an authentication phone call can be placed to any landline or cell phone. Additionally, Yubikey hardware tokens can be enrolled and used with NetID NetID+.
Search your device’s app store for "Duo Mobile". It is available on Android, iOS, Windows 7, Blackberry, Palm, Windows Mobile, and J2ME/Symbian platforms.
Duo Mobile is an app that allows you to generate passcodes that you can use for NetID+. It is available on Android, iOS, Windows 7, Blackberry, Palm, Windows Mobile, and J2ME/Symbian platforms. On Android, iOS, Windows 7 and Blackberry platforms, the Duo Mobile app can use Duo Push functionality. When you get to the second step in the NetID+ process, your Duo Mobile app will alert you that somebody is trying to log in with your UA NetID. You can approve or reject the login on your device.
Only certain websites require NetID+. However, if you enable Global NetID+, all of your WebAuth logins will require NetID+, adding a greater level of protection to your UA NetID and your identity.
You can configure phones that can be used as Lifeline devices when your regular devices are unavailable. A Lifeline phone usually belongs to somebody you trust and with whom you can easily communicate.
For example, if you lose your phone and need to use NetID+, you can log in to the NetID+ management site using just your NetID and password. After you log in, you will see an option to “Use a Lifeline”. When you choose the lifeline you would like to use (you may have more than one configured) , a verification code will be sent by text message or a phone call to that phone. The owner of that phone can communicate the code to you, and you can enter the code into this application to produce a list of ten bypass codes. Those bypass codes will allow you to complete NetID+. After completing NetID+ login, you can go to the “Manage your Account” page to manage your NetID+ devices. You can remove your lost phone and configure a new device for future logins. You can also print out more bypass codes.
Yes. You can register any number of devices via the NetID+ “Manage your Account” page (under “Add a Device”).
Any type of passcode can be used anytime you see a “Passcode” field on the NetID+ login page. Here are the type of passcodes available to you, and how they can be generated:
Downloading the Yubikey Personalization Tool:
You can retrieve the Yubikey Personalization Tool installer for Mac OS X, Windows and Linux from http://www.yubico.com/products/services-software/personalization-tools/use/ (under “Cross-Platform Tool”).
If you are already using this YubiKey with an existing service, the following steps will overwrite the stored secret for that service. You should also realize that every time you open the Yubico OTP tab, it generates a new Public Identity, Private Identity, and Secret Key, but that these are not written to the token unless you actually click Write Configuration. There is no way to read your existing Public Identity, Private Identity, and Secret Key off the token once it has been written.
Each YubiKey has two slots. The first slot is used to generate the passcode when the YubiKey button is touched for between 0.3 and 1.5 seconds and released. The second slot is used if the button is touched between 2 and 5 seconds. When the YubiKey is shipped its first configuration slot is factory programmed for the YubiCloud OTP service and the second configuration slot is blank.
To create or overwrite a slot’s configuration:
You can use the “Manage your Account” page to enable/disable Global NetID+, generate new printable single-use bypass codes, or register additional devices. You can also configure your self-service support or "lifeline" options. Access to the “Manage your Account” page is itself protected with NetID+.
We recommend that anyone who travels internationally, and needs to log into UA systems with NetID+, generate a list of NetID+ Bypass Codes and register at least one NetID+ Lifeline. NetID Bypass Codes are generated in batches of 10 via the NetID+ self-service site; each code is good for one login, and you can generate more at any time. Your last bypass code should be used to generate a new batch of bypass codes, if you do not have access to any other enrolled device.
Note: If you travel internationally and use SMS passcodes as your primary NetID+ authentication mechanism, the text messages you receive may incur substantial roaming charges. If you have a Google Voice account tied to an external Gmail account (i.e., @gmail.com, not @email.arizona.edu), you can set that up with NetID+ as an SMS-capable phone and configure it to deliver incoming SMS messages to your Gmail mailbox.
If you expect to travel internationally and cannot set up Duo Mobile as your NetID+ authentication method, bypass codes, a Yubikey hardware token, or the aforementioned Google Voice approach are your best alternatives.
Your password is reusable, so if someone steals it, they can keep using that password with your account over and over again. Bypass codes can only be used once and are easily invalidated if necessary. NetID+ is based on the idea of 1) something you know (your password) and 2) something you have (your smartphone or token, or your printed codes).
You should also store your bypass codes in your wallet. You're likely to always know where your wallet is and immediately notice when it's missing. That way, you can quickly invalidate your codes (by simply generating a new batch, via the “Print Bypass Codes” button on the “Manage your Account” page) if your wallet is stolen or lost. Also, even if it is lost, the person who steals or finds it only has your bypass codes, and can't log in without your password. Don't write down your password!
After reinstalling the Duo Mobile app, access the NetID+ “Manage your Account” page, using an SMS code or voice call to authenticate (since Duo Push needs to be re-activated). Once you’ve logged-in, click the yellow “Re-activate” button on the affected device, and follow the on-screen instructions.
Only some sites require NetID+ (and of those, some require it only for particular users/roles). WebAuth will dynamically prompt you for NetID+ for sites requiring it. If you wish to use NetID+ for all Webauth-protected sites, you should enable Global NetID+.
Typically, SMS messages are delivered within a few minutes, but delivery delays can happen depending on the cell carrier's infrastructure. You can always request more passcodes via the “send more” link (under the “Passcode” option on the NetID+ form). You can also generate a passcode via the Duo Mobile app on your device.
Passcodes must be used in the sequence in which they are presented. If you have previously received SMS passcodes, there should be a message under the “Passcode” option on the NetID+ form indicating the starting digit of the next passcode to use (e.g., “Next SMS passcode starts with 2 (send more)”). Also, be aware that requesting a new set of passcodes (via the “send more” link) automatically invalidates any previous passcodes you have received.
No, you can't use Google Authenticator with NetID+. However, you can store Google's two-step verification credentials (as well as any other site using TOTP, like GitHub, Dropbox, etc) in the Duo Mobile app.
Info on adding third-party accounts to Duo Mobile can be found at http://guide.duosecurity.com/third-party-accounts.