DUO Two-factor Authentication

Do you have a BNL domain account?

Yes No

Do you have the Duo App installed?

Yes No

Go to BNL Duo Federal Enrollment

Select a device:

Note: Installing and using the mobile device app is the preferred method.

Mobile Device USB Token

STEP 1:
Select an operating system (OS) to find and install the latest version of the Duo Mobile App. Then come back and complete STEP 2.

• iOS (iPhone, iPad): App Store
• Android (smartphone, tablet): Google Play
• Windows Phone (smartphone, tablet): Microsoft Store

STEP 2:
Go to BNL Duo Federal Enrollment from your computer once you have installed the Duo Mobile app on your device.

View the Duo Frequently Asked Questions for more information.

Since a project and activity number is required to cover the $38.40 cost of each YubiKey4 token, using the mobile app is the preferred method. Please submit a Service Now request if you still would like a token.

YubiKey Token User Guide - Find information on how to remove, reset and use the token with Windows or Mac OS X systems.

Please note, you must have a BNL domain account to enroll and use Duo security.

• Request a BNL domain account
• How can I find out if I have a BNL domain account?
  Please contact the ITD Helpdesk via email at itdhelp@bnl.gov or call 631-344-5522 for assistance.

Overview, How it Works

Two-factor authentication (also known as 2FA) is an extra layer of security that requires not only a password and username but also verifies your identity using a second factor (mobile device, tablet or USB token) that you physically have in your possession. Using two-factor authentication prevents anyone but you from logging in, even if they know your BNL username and password.

Step 1

Login with your BNL username and password

Step 2

Verify your identity by using a mobile device or USB token

Step 3

You are securely logged in

Note: Duo lets you link multiple devices to your account.

Using Duo at Brookhaven Lab

Duo two-factor authentication can be used with the following BNL services:

1. Brookhaven Lab Virtual Private Network Client (VPN)
   Download Client | Login Instructions
   Using DUO to log into VPN
   Example BNL Domain Credentials: Username: jdoe | Password: 123456 | Passcode: 987654

   ---

   Select the Duo Two-factor authentication you set up in your profile.

   Push (smartphone)
   Passcode (Duo App)
   Passcode (YubiKey4 token)

   When prompted, enter your username "jdoe" and password "123456" then click [OK]. The login panel will disappear and you will get a push notification sent to your smartphone. Select [Approve] to authenticate.
   
   Note: Push is the default and recommended authentication method. However, you may have to use the passcode authentication method if you do not have cell service.

   When prompted, enter your username "jdoe" then open your Duo App on your smartphone. Tap the key icon to get a one-time passcode for login.
   
   Enter your password plus a comma and passcode from your Duo App "123456,987654" then click [OK] to authenticate. The login panel will disappear.

   When prompted, enter your username "jdoe" and password plus a comma "123456," then insert your token into an open USB port and press (1 second) the token button to authenticate (passcode will be inserted automatically after the comma). The login panel will disappear.
   
   Note: You may have to wait for your token to install any hardware (if new) before you can authenticate.
   
   YubiKey Token User Guide - Find information on how to remove, reset and use the token.
2. SSH Gateways

Using VPN with Cisco AnyConnect

Some of the Lab's online resources, such as PeopleSoft and SBMS, require an additional layer of security. That means logging in with a Virtual Private Network (VPN). The Lab uses the application Cisco AnyConnect for this purpose. Note: to access the AnyConnect download page, you must have DUO Two-factor Authentication already installed and configured.

• Get the Cisco AnyConnect VPN client
• Configuration instructions