Two-Factor Authentication @ UNC Health - Getting Started

Before You Begin
Enroll in Duo
Logging in with Duo
Add & Manage Your Devices
About Two-Factor Authentication @ UNC Health
Frequently Asked Questions
Troubleshooting

Getting Started

Before You Begin

Be prepared to complete the process in its entirety, review the setup process and learn more about Two-Factor Authentication (2FA).
Have your mobile phone, or tablet with you.
- When prompted, allow Notifications and Camera permissions during app install!
  - Camera allows the phone to scan the activation QR Code during enrollment.
  - Notifications allows the phone to ask your permission during Two-Factor Authentication.
- We recommend that you enroll in both a primary and backup device for two-factor authentication.
For more information, consult the Duo Enrollment Guide

Enroll in Duo

You must have at least one device (mobile phone or tablet) to begin.

If you are not already enrolled in Duo:

Download the Duo Mobile app from your phones App Store.

Go to the Duo Enrollment and Device Management page.
Log in with your MyAccess ID and password.
Follow the on-screen instructions to complete the enrollment process.

1) Select Start Setup	2) Enter the phone number, including area code, of the mobile device

3) Download the "Duo Mobile" app from the AppStore on your phone	4) Open the Duo App, click the + at the top right, and hold your phones camera up to your screen to read the barcode

5) Enrolled! You can close the window OR click "Dismiss" to proceed to the Device Management screen	Optional: Add an additional device or rename/reactivate existing devices

You are now enrolled and may stop here! You will now be challenged for 2FA approval the next time you login to a 2FA Protected application, as shown in the "Logging in with Duo" section below.

Logging in with Duo

Via Duo Push (Preferred)

At Login	On Your Phone

Via Passcode

At Login	On Your Phone

Add & Manage Your Devices

After you have enrolled your first device, you can add more devices and manage your existing devices.

Please Note: At UNC Health, we do not currently support SMS Codes, Phone Callback or Hardware tokens for authentication.

To add or manage devices:

Go to the Duo Enrollment and Device Management page.
Log in with your MyAccess ID and password.
- To add devices, see Duo's Adding a New Device page.
- To manage devices, see Duo's Managing Your Devices page.

I need help recovering my existing device!

About Two-Factor Authentication

About Two-Factor Authentication @ UNC Health

To keep sensitive information (like PHI) safe, UNC Health uses a security method called “Two-Factor Authentication” With this method, you verify that “you’re you” before you see certain sensitive information or access certain applications.

A traditional form of verification is your username and password, but if your domain credentials get compromised, an unauthorized person could access your account.

Two-Factor Authentication adds a second step to the verification process. This can be something you have, such as an ATM card, or something that is part of you, such as a fingerprint. At UNC Health we use your mobile phone to provide the second step. Combining this second step with your MyAccess ID credentials adds security to your confidential information.

Frequently Asked Questions

I already enrolled my UNC-Chapel Hill ONYEN in Duo, Do I still need to enroll my UNC Health MyAccess ID?
- Yes, The Duo system for UNC Health and ePrescribe for Controlled Substance (EPCS) is separate than the university. Your Duo app WILL support multiple accounts on the same app/phone.
When do I have use Two-Factor Authentication (2FA) to login?
- At this time, 2FA will only be required when logging in from off-campus or when using EPIC ePrescribe (EPCS).
- Select applications allow users to remember their device for 5 days.
Does installing the Duo Mobile app give up control of my phone?
- No. Duo Mobile has no access to change settings on your phone. Duo Mobile cannot read your emails, it cannot see your browser history, and it requires your permission to send you notifications. Lastly, Duo Mobile cannot remotely wipe your phone. The visibility Duo Mobile requires is to verify the security of your device, such as OS version, device encryption status, screen lock, etc. We use this to help recommend security improvements to your device and you always are in control of whether or not you take action on these recommendations.
Why does the Duo Mobile app need access to my camera?
- Duo Mobile only accesses your camera when scanning a QR code during activation.
Can I use something other than a smartphone to authenticate?
- At this time UNC Health only supports iOS (iPhone, iPad and Apple Watch), Android (Phone and Tablet) and Windows Phone devices for Two-Factor Authentication.
I do not have or wish to use my smart device for Two-Factor Authentication, what are my options?
- (Not permitted for Epic EPCS) If you do not use a smartphone or tablet for the UNC Health Two-Factor Authentication, ISD has arranged an alternative Two-Factor Authentication procedure that does not use a device. When you are ready to login from a remote location, call the ISD Service Desk and request a DUO 2-Factor bypass code. Then when you reach the DUO 2-Factor screen while logging on, select "passcode" and enter the bypass code.
What if I don’t have a Wi-Fi connection or cellular reception? (Traveling)
- Your phone can generate a Duo Passcode even without an internet connection. Simply tap on the UNC Health logo in the Duo Mobile App. Duo PUSH will NOT work without an internet connection.

Troubleshooting

What if my push alerts aren’t coming through?

Try these easy troubleshooting steps for Apple iOS, Android, or Windows Phone.

I receive "Access Denied" when trying to login to an application.

Your account does not appear to be enrolled with a 2FA device. See the Enroll in Duo section above.

I replaced my 2FA device and cannot login.

If you replaced or factory-reset your phone, Duo will longer function. See scenarios below for more.

I have multiple devices enrolled on my account

For Apple iOS devices backed up to iCloud, Duo will restore your UNC Health account back to your Duo App and should be functional.
For Android devices backed up to Google Cloud, Duo will restore your UNC Health account back to your Duo App - but it will still need to be reactivated. (Demonstrated by the "Reconnect" text next to the account).

If you have more than one device enrolled, you can visit the Duo Enrollment and Device Management page and authenticate to Duo with your other functional device. The "manage your devices" portal will appear. Select manage next to the inactive device and click "Reactivate".

I have a new device, and it has the same phone number.

Open the Duo App on your phone and look for the UNC Health logo. (If you do not see the UNC Health logo proceed to "I have a new device, and it has a new phone number".
Select the "Reconnect" link to the right of the UNC Health logo.
Log in when prompted with your MyAccess ID and password.
At the Duo prompt, select the Enter a Passcode option, then tap Text me new codes on the blue bar at the bottom of the Duo window.
Enter the temporary passcode you were sent via text message into the passcode box within the Duo window and tap "Log In".
Reconnect should no longer show to the right of the UNC Health logo. The device is active!

I have a new device, and it has a new phone number.

Call the UNC Health Service Desk (984-974-4357 Option 2 Duo/password)
Ask to have your old mobile device removed from your account.
Enroll your new device at the Duo Enrollment and Device Management