Duo 2-Factor Authentication for TAMUQ VPN Connections

From TAMUQ Research Computing User Documentation Wiki
Jump to navigation Jump to search

Adoption of 2FA for VPN connections

Before October 4, 2020, our users had been able to access raad2 by first establishing a VPN connection from their computers to the TAMUQ network. That VPN connection required only a set of credentials (username and password) which we established for them when their raad2 account was first approved. From October onward, however, in addition to these credentials our VPN service started requiring the use of 2-factor authentication (2FA) as well.

How 2FA works

2FA authentication means that in addition to soliciting those credentials, the VPN client (“Cisco AnyConnect”) now also sends a notification to the user's mobile phone on each such login attempt. The user must then positively acknowledge that notification in any given login attempt in order to successfully connect with the VPN service. The user must use a freely available smartphone app both to receive and to acknowledge these special notifications. However, each user's installation of this smartphone app will first have to be “enrolled” with the 2FA service for this enhanced authentication mechanism to work as intended. In the case of TAMUQ, we rely on a 2FA service from a vendor called “Duo”, and the name of their smartphone app is also called "Duo" (or "Duo Security").

Why 2FA authentication is important

2FA (more generally called MFA for “Multi Factor Authentication”) is an increasingly common security mechanism being adopted by online services worldwide. This mechanism protects access to important online resources even in the event that a user’s conventional account password is somehow compromised. Without possession of the user’s 2FA registered device, an intruder cannot gain access to her 2FA protected resources even if he knows her account password.

When does Duo 2FA enrollment happen?

When a user's account is first approved, our on-boarding process guides her through the 2FA enrollment as part of the procedure that creates her account credentials. Instructions for this process are sent to the new user via email. Those who were not yet enrolled for 2FA before October 4th, 2020 may enroll at any time by following the set of instruction we provide below.

How to perform Duo 2FA enrollment

Detailed instructions to download and enroll your smartphone Duo app with our VPN service are found in the document referenced below. We recommend you use the https://tamuq.onelogin.com/ website to perform the enrollment process. Note that external, non-TAMUQ users do not have access to the alternate website -- for enrollment purposes -- that is mentioned in these instructions.


Enrollment only needs to happen once, unless you change your smartphone. When the user does change their device, it is best to enroll the new device before parting with the old one. It is also possible to enroll multiple devices for a single user.