The University of Arizona

FAQs

What is UA's NetID+?

NetID+ enhances the security of your UA NetID by using technology from Duo Security which leverages your device (e.g., smartphone or tablet) to verify your identity. This prevents anyone but you from accessing applications and services secured with NetID+, even if they know your password.

You can complete the second step in the login process in many ways, including:

  • approving an alert sent to your smartphone or tablet
  • entering a passcode you received in a text message
  • entering a passcode you received through a phone call
  • pressing the button on a Yubikey hardware token
  • entering a bypass code that you printed out previously

Why do I need this?

Passwords are becoming increasingly easy to compromise. They can often be stolen, guessed, and hacked — you might not even know who else has your password and is accessing your account. NetID+ adds a second layer of security to your account to make sure that your account stays safe, even if someone else knows your password — and you'll be alerted right away (on your phone) if someone does know your password and tries to log in with it. This second factor of authentication is separate and independent from your UA NetID username and password step — Duo Security never sees your password.

What devices are supported?

Just about all of them! iOS and Android devices, obviously, but also Windows Phone, Blackberry, and other platforms. See Supported Devices for information on installing and using the Duo Security app on various platforms.

What if I don't have a smartphone or tablet?

There are many other methods available if you don't use a smart device (phone/tablet). One-time passcodes (OTP) can be sent to any phone capable of receiving SMS text messages, or an authentication phone call can be placed to any landline or cell phone. Additionally, Yubikey hardware tokens can be enrolled and used with NetID+.

How do I download the Duo Mobile app?

Search your device’s app store for "Duo Mobile". It is available on Android, iOS, Windows 7, Blackberry, Palm, Windows Mobile, and J2ME/Symbian platforms.

What are Duo Mobile and Duo Push?

Duo Mobile is an app that allows you to generate passcodes that you can use for NetID+. It is available on Android, iOS, Windows 7, Blackberry, Palm, Windows Mobile, and J2ME/Symbian platforms. On Android, iOS, Windows 7 and Blackberry platforms, the Duo Mobile app can use Duo Push functionality. When you get to the second step in the NetID+ process, your Duo Mobile app will alert you that somebody is trying to log in with your UA NetID. You can approve or reject the login on your device.

What is Global NetID+?

Only certain websites require NetID+. However, if you enable Global NetID+, all of your WebAuth logins will require NetID+, adding a greater level of protection to your UA NetID and your identity.

What is a "Lifeline" and how is it used?

You can configure phones that can be used as Lifeline devices when your regular devices are unavailable. A Lifeline phone usually belongs to somebody you trust and with whom you can easily communicate.

For example, if you lose your phone and need to use NetID+, you can log in to the NetID+ management site using just your NetID and password. After you log in, you will see an option to “Use a Lifeline”. When you choose the lifeline you would like to use (you may have more than one configured), a verification code will be sent by text message or a phone call to that phone. The owner of that phone can communicate the code to you, and you can enter the code into this application to produce a list of ten bypass codes. Those bypass codes will allow you to complete NetID+. After completing NetID+ login, you can go to the “Manage your Account” page to manage your NetID+ devices. You can remove your lost phone and configure a new device for future logins. You can also print out more bypass codes.

I have more than one phone (or other device). Can I use both?

Yes. You can register any number of devices via the NetID+ “Manage your Account” page (under “Add a Device”).

I’m confused...what is the difference between the different types of “passcodes” (i.e., “SMS passcodes” and “Bypass codes”)?

Any type of passcode can be used anytime you see a “Passcode” field on the NetID+ login page. Here are the types of passcodes available to you, and how they can be generated:

  • Duo Mobile passcodes – these are one-time-use passcodes generated within the Duo Mobile app; they can be generated by tapping the “key” button within the app.
  • SMS passcodes – these are sent to your registered device via SMS text message, and are always sent in a batch of 10. You can send a new batch anytime, via the “send more” link on the NetID+ login page, or via the NetID+ self-service site (each SMS-capable device will have a “send passcodes” button). SMS passcodes are single-use, and must be used in the order they are listed in the message you receive; the NetID+ site will prompt you to use the next code in the batch by providing the starting digit (e.g., “Next SMS passcode starts with 4”). Generating a new batch of SMS passcodes invalidates the previous batch.
  • Bypass codes – these are generated from the NetID+ self-service site and are intended to be used as a “rescue” mechanism, when you don’t have access to any of your registered devices. Bypass codes may be printed out and carried with you (e.g., in your wallet or purse) or stored in a secure location. Bypass codes are generated in batches of 10 and can be used in any order (unlike SMS passcodes, which must be used sequentially). Each bypass code is good for a single use and generating a new list of bypass codes will invalidate the previous list. Bypass codes are distinct and separate from SMS passcodes – generating a new batch of SMS passcodes will not affect your current list of bypass codes (and vice-versa).

What hardware tokens does UA NetID+ support?

You can use any of the Series 4 Yubikeys (Yubikey 4, Yubikey 4 Nano, or Yubikey 4C) with NetID+. Please follow instructions on the Yubico website for purchasing a Yubikey, downloading configuration software and configuring your Yubikey.

Downloading the Yubikey Personalization Tool:

You can retrieve the Yubikey Personalization Tool installer for Mac OS X, Windows and Linux from http://www.yubico.com/products/services-software/personalization-tools/use/ (under “Cross-Platform Tool”).

If you are already using this YubiKey with an existing service, the following steps will overwrite the stored secret for that service. You should also realize that every time you open the Yubico OTP tab, it generates a new Public Identity, Private Identity, and Secret Key, but that these are not written to the token unless you actually click Write Configuration. There is no way to read your existing Public Identity, Private Identity, and Secret Key off the token once it has been written.

Each YubiKey has two slots. The first slot is used to generate the passcode when the YubiKey button is touched for between 0.3 and 1.5 seconds and released. The second slot is used if the button is touched between 2 and 5 seconds. When the YubiKey is shipped its first configuration slot is factory programmed for the YubiCloud OTP service and the second configuration slot is blank.

To create or overwrite a slot’s configuration:

  1. Start the YubiKey Personalization Tool.
  2. Insert the YubiKey into a USB port.
  3. Wait for the Personalization Tool to recognize the YubiKey.
  4. Click “Yubico OTP” Mode.
  5. Click “Quick”.
  6. Select “Configuration Slot 1” (or “Configuration Slot 2” if Slot 1 is already being used by another service).
  7. Click “Regenerate”.
  8. Uncheck “Hide Values”.
  9. You will need the Serial Number (in decimal format), Private Identity, and Secret Key to configure the YubiKey with NetID+. You may also want to save this information, along with the Public Identity, somewhere safe since you will need them if you use this YubiKey with other services in the future.
  10. Click Write Configuration (make sure to do this or your Yubikey won’t work with NetID+).

There is no need to click Upload to Yubico. We are able to confirm the passcodes generated independently of their service. However, you may do this if you wish to also use the YubiCloud OTP service.

What can I manage about my enrollment in NetID+?

You can use the “Manage your Account” page to enable/disable Global NetID+, generate new printable single-use bypass codes, or register additional devices. You can also configure your self-service support or "lifeline" options. Access to the “Manage your Account” page is itself protected with NetID+.

How can I use NetID+ while on international travel?

We recommend that anyone who travels internationally, and needs to log into UA systems with NetID+, generate a list of NetID+ Bypass Codes and register at least one NetID+ Lifeline. NetID+ Bypass Codes are generated in batches of 10 via the NetID+ self-service site; each code is good for one login, and you can generate more at any time. Your last bypass code should be used to generate a new batch of bypass codes, if you do not have access to any other enrolled device.

Note: If you travel internationally and use SMS passcodes as your primary NetID+ authentication mechanism, the text messages you receive may incur substantial roaming charges. If you have a Google Voice account tied to an external Gmail account (i.e., @gmail.com, not @email.arizona.edu), you can set that up with NetID+ as an SMS-capable phone and configure it to deliver incoming SMS messages to your Gmail mailbox.

If you expect to travel internationally and cannot set up Duo Mobile as your NetID+ authentication method, bypass codes, a Yubikey hardware token, or the aforementioned Google Voice approach are your best alternatives.

Why can I print my bypass codes but not my NetID password?

Your password is reusable, so if someone steals it, they can keep using that password with your account over and over again. Bypass codes can only be used once and are easily invalidated if necessary. NetID+ is based on the idea of 1) something you know (your password) and 2) something you have (your smartphone or token, or your printed codes).

You should also store your bypass codes in your wallet. You're likely to always know where your wallet is and immediately notice when it's missing. That way, you can quickly invalidate your codes (by simply generating a new batch, via the “Print Bypass Codes” button on the “Manage your Account” page) if your wallet is stolen or lost. Also, even if it is lost, the person who steals or finds it only has your bypass codes, and can't log in without your password. Don't write down your password!

If I upgrade my phone (i.e., I have a new device with the same number), or reset my phone (so that all data is wiped), how do I get Duo Push to work again?

After reinstalling the Duo Mobile app, access the NetID+ “Manage your Account” page, using an SMS code or voice call to authenticate (since Duo Push needs to be re-activated). Once you’ve logged in, click the yellow “Re-activate” button on the affected device, and follow the on-screen instructions.

I have enrolled in NetID+, but some sites request only my NetID and password--I’m not being prompted to complete NetID+.

Only some sites require NetID+ (and of those, some require it only for particular users/roles). WebAuth will dynamically prompt you for NetID+ for sites requiring it. If you wish to use NetID+ for all WebAuth-protected sites, you should enable Global NetID+.

I requested a passcode be sent via text message (SMS) to my phone and it still hasn't arrived. When can I expect it?

Typically, SMS messages are delivered within a few minutes, but delivery delays can happen depending on the cell carrier's infrastructure. You can always request more passcodes via the “send more” link (under the “Passcode” option on the NetID+ form). You can also generate a passcode via the Duo Mobile app on your device.

I previously received a batch of passcodes via text message (SMS), why aren’t they working?

Passcodes must be used in the sequence in which they are presented. If you have previously received SMS passcodes, there should be a message under the “Passcode” option on the NetID+ form indicating the starting digit of the next passcode to use (e.g., “Next SMS passcode starts with 2 (send more)”). Also, be aware that requesting a new set of passcodes (via the “send more” link) automatically invalidates any previous passcodes you have received.
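
The ordering and invalidation rules in this answer, together with the bypass-code rules from the earlier answer on passcode types, can be modelled as a small server-side state machine. This is an added illustration, not UA's or Duo's code; the `PasscodeStore` class, its method names and the 7-digit code length are assumptions.

```python
import hmac
import secrets

BATCH_SIZE = 10  # the page: both kinds of code come in batches of 10


def new_batch():
    """Return BATCH_SIZE distinct random codes (7 digits is an assumption)."""
    codes = []
    while len(codes) < BATCH_SIZE:
        code = f"{secrets.randbelow(10**7):07d}"
        if code not in codes:
            codes.append(code)
    return codes


def same(a, b):
    """Constant-time comparison so timing does not leak matching digits."""
    return hmac.compare_digest(a.encode(), b.encode())


class PasscodeStore:
    """Hypothetical per-user state for SMS passcodes and bypass codes."""

    def __init__(self):
        self.sms = []        # ordered: only the first entry is accepted
        self.bypass = set()  # unordered: any unused entry is accepted

    def send_sms_batch(self):
        self.sms = new_batch()          # overwrites, so the old batch dies
        return list(self.sms)

    def print_bypass_codes(self):
        self.bypass = set(new_batch())  # overwrites, so the old list dies
        return sorted(self.bypass)

    def sms_hint(self):
        """Starting digit of the next SMS passcode, None if none are left."""
        return self.sms[0][0] if self.sms else None

    def verify(self, code):
        """Consume a code; return 'sms', 'bypass' or None if rejected."""
        if self.sms and same(code, self.sms[0]):
            self.sms.pop(0)
            return "sms"
        match = next((c for c in self.bypass if same(code, c)), None)
        if match is not None:
            self.bypass.discard(match)
            return "bypass"
        return None
```

An SMS passcode entered out of order is rejected without being consumed, which is why the login page shows the starting digit of the next code.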

Can I use Google Authenticator with NetID+?

No, you can't use Google Authenticator with NetID+. However, you can store Google's two-step verification credentials (as well as any other site using TOTP, like GitHub, Dropbox, etc.) in the Duo Mobile app.

Info on adding third-party accounts to Duo Mobile can be found at http://guide.duosecurity.com/third-party-accounts.