Secure Access

Consider the extra security we all use when accessing our banking information online... rather than simply logging in with one password that could be compromised if someone knew it or hacked it, your bank and you take an extra step to ensure that the right person (you!) is logging in.

At SDCOE, your security key is that second factor that ensures that no one else can g​et into your apps. MFA is a proven approach in drastically reducing automated cybersecurity attacks, with research from both Microsoft and Google noting that MFA blocks 99% of all automated account takeover (ATO) attacks. Let's work together to keep our accounts and data safe!​​

1. Receive your security key. The ITS division will contact you when it is time to get started. We will mail home a package with your new security key and instructions.

2. ​Use our security key daily. Then, on a specified date everyone in your phase will begin using their security key on a daily basis. You will insert your security key into your computer every time you use it. When you launch a secured app, you will be prompted to tap your security key.

3. Use the Single Sign-On (SSO) portal (optional). A new Single Sign-On (SSO) tab has been added to your default browser alongside Common Ground tab. You need to use your Security key or optionally your mobile phone to authenticate into SSO. Once inside SSO, the first application you try to open will challenge you for MFA, but after that you should not be challenged if your browser is open and active.​

4. Safeguard your security key. You should treat your security key with care and ensure that no one else has access to it.​​​

1. Why is SDCOE requiring me to use a security key?
   Our organization is working hard to improve information security and to help protect student and employee data. Malicious parties are increasingly finding ways to steal employees' login information. By mandating a second factor of authentication, SDCOE will be able to keep our information systems more secure.
    
2. Is it mandatory that I use my security key?
   Yes. Alternative option is to use Duo Mobile instead of the security key.
    
3. Do I need to use the security key token every day?
   Yes. Please plan to use your security key every time you access your computer. You will need to have it to access the secured applications.
    
4. Will I need the security key to log in to my work computer?
   No, not at this time.
    
5. What happens if I lose/damage my security key token or I cannot get it to work?
   Please call 858-CYBER-00 (858-292-3700). If after hours, leave a message from 12:00 am to 7:30 am and someone will get back to you as soon as possible.
    
6. When I'm logging in, I get an error message saying that the request has timed out?
   For security reasons you have a limited amount of time to complete the log-in steps. Please ensure you press the security key or approve the push notification or enter the 5-digit code in a timely manner. Call 858-CYBER-00 (858-292-3700), if you need additional help.
    
7. May I attach a keytag to the security key with my name written on it?
   No. Anyone who finds the Security key would have an easier time breaking into your SDCOE account if they had your name and security key. We recommend adding a personal keychain if you want to easily be able to identify your security key.
    
8. Is the security key ADA compliant?
   If requested, we can enable a feature that will call your phone and give a 5-digit passcode that would be used to log-in. Call 858-CYBER-00 (858-292-3700).
    
9. What if I just want to use my mobile device for MFA?
   You may optionally use your personal mobile device as your primary MFA authentication and security key as a backup.
    
10. What is the difference between Duo Push Enrollment and SMS phone enrollment?
    Push Enrollment will send a push notification to the Duo Security app that is installed on your phone, this will pop-up in your phone’s notification bar and you will have to approve or deny the log-in request. SMS will send you a text message to your phone number with a 5-digit number that will need to be entered into the passcode prompt.
     
11. I handle a lot of sensitive data and am wondering if there is a better way to secure my account?
    There is an option of using a security key that would verify your fingerprint in order to access your SDCOE account. (Requires managerial approval) If you can access ServiceNow, please submit a support ticket at https://service.sdcoe.net > Report an Issue > I am having trouble with SDCOE Secure Access/Security Key.
     
12. Can I setup my security key to work with my personal accounts?
    Yes, you may use the security key for your personal accounts such as email, social networking, or banking. There is another empty slot available for use inside the security key, but SDCOE does not provide support for setting up your personal accounts to use the security key and use of SDCOE accounts on the security key takes precedence.
     
13. May I purchase a security key for personal use?
    You may purchase a security key from multiple companies. SDCOE is using Yubico for this purpose, but you can pick from other companies.
     
14. Can I register multiple devices?
    Yes. This is also a great way of having a backup authentication device. For example, both your smartphone and an authentication token. In the event that you lose one device, you will still be able to access protected systems using your secondary device.
     
15. What if I receive an unexpected login alert?
    If you receive a notification (a login alert on the Duo Mobile app or a batch of passcodes via text message) that you did not initiate via the login process, please contact the Cybersecurity team immediately at securinginfo@sdcoe.net.
     
16. What if I don't have a mobile phone or don't want to use it for MFA?
    All permanent SDCOE employees will be issued a security key for multi-factor authentication. Using your mobile phone is optional. However, if you choose not to use your mobile phone, you will not be able to access applications associated with your SDCOE account on your personal mobile phone.
     
17. What is an overview of the different Authentication Methods?
    SDCOE allows users three different Authentication method:
     
    1. Duo Push (Optional)
       Duo Push is the most commonly-used second factor of authentication, thanks to its simplicity and reliability. Users just download the Duo Mobile app and are automatically prompted to confirm each login attempt — all it takes is a single tap.
        
    2. SMS Passcodes
       Users without Internet connectivity or smartphones can still authenticate easily with Duo's SMS passcode.
        
    3. Security key
       A security key plugs into your USB port and when tapped it sends a signed response back to Duo to validate your login.
        
18. What do I get by using MFA?
    This service provides extra security for SDCOE Network accounts by adding a second method of identity verification when accessing protected applications, like Outlook and OneDrive.
     
19. Why do I want to use MFA?
    The extra layer of security provided by Duo two-factor authentication prevents unauthorized users from accessing your account, even if they know your password. SDCOE employees are required to use Duo two-factor authentication to secure their SDCOE Network accounts.
     
20. Who can get a security key?
    This service is available to all full-time staff who have a SDCOE network account.
     
21. How do I request a security key?
    SDCOE employees automatically receive access to the online Duo Portal once their SDCOE Network accounts have been provisioned If you can access ServiceNow, please submit a support ticket at https://service.sdcoe.net > Report an Issue > I am having trouble with SDCOE Secure Access/Security Key.
     
22. Can I use 2FA while traveling, or in a classroom without cellular or wireless service?
    Yes. Duo provides several authentication methods that can be used without cellular or wireless service. For more information, see the Using Duo Two-Factor Authentication without Cellular Service or While Traveling page.
     
23. How do I access the Duo self-service portal?
    To access the Duo self-service portal, click or tap either the My Settings & Devices or Add a new device link on any Duo authentication screen. You will need to authenticate via 2FA in order to access the self-service portal.
     
24. What if I lose my registered mobile device?
    If you lose your phone or tablet, you should remove it from your list of enrolled devices using the Duo self-service portal as soon as possible. You may also contact the ITS Computer Support Service at 858-298-2205 to disable the 2FA account connected to your missing device.
     
25. What if I want to add a new mobile device?
    You may add new devices via the Duo self-service portal. If you upgrade to a new smartphone or tablet, be sure to deactivate your old device and register the new one using the Duo self-service portal. You may also contact the ITS Computer Support Service at 858-298-2205 for assistance.
     
26. Can I register multiple devices?
    You may register as many devices as you wish, including smartphones, tablets, and authentication tokens. You may do this from the Duo self-service portal.
     
27. What if I do not have access to a supported device?
    All SDCOE employees will be issued a security key to access their SDCOE account.
     
28. How does MFA affect me?
    Chances are you are already using multi-factor authentication to log into your financial institution or social media. This second layer of protection combines something you know (your SDCOE username and password) with something you have (smartphone or security key), preventing anyone but you from logging into a system.
     
29. What data does Duo Mobile collect from my smartphone?
    Duo Mobile cannot see your user data like your contacts, it cannot read your text messages, it cannot access your photos (but it can use your camera to scan a QR code if you explicitly allow that permission), it cannot access your files, it cannot erase your device, it cannot see information about other applications on your device. Duo Mobile cannot track your location. In general, the only personal data that Duo Mobile knows about you are the service accounts that you explicitly add to Duo Mobile. However, we do not track any personal data about these accounts–only the name of the service. Duo Mobile cannot see your user data like your contacts, it cannot read your text messages, it cannot access your photos (but it can use your camera to scan a QR code if you explicitly allow that permission), it cannot access your files, it cannot erase your device, it cannot see information about other applications on your device. Duo Mobile cannot track your location. In general, the only personal data that Duo Mobile knows about you are the service accounts that you explicitly add to Duo Mobile. However, we do not track any personal data about these accounts–only the name of the service.
     
30. What happens if I don't have my smartphone, token/fob or tablet with me?
    Obtain a temporary passcode by calling the 858-CYBER-00 (858-292-3700). You will be asked some security questions to verify your identity.
     
31. What if the passcode generated by my token/fob doesn't work?
    Make sure the security key is correctly inserted into a USB slot. Call 858-CYBER-00 (858-292-3700).
     
32. How many times can I try to authenticate before my account gets locked?
    Your SDCOE account will be locked out after you incorrectly enter your SDCOE credentials wrong 3 times. Duo will lock you out after failing your second factor authentication after 10 attempts.
     
33. Why isn't the login/push notification working on my Android or iPhone?
    Verify that your phone has internet service by navigating to any webpage. Duo Push delivery issues are most often resolved by pulling down on the screen to check for notifications in the Duo Mobile app. Call 858-CYBER-00 (858-292-3700).
     
34. What is the best way to use MFA-Duo when traveling?
    You can request a single-use passcode directly from the Duo Mobile app, even when your smartphone or tablet is in airplane mode or lacks cell service. Simply open the app and tap the down arrow or key icon located at the upper right-hand corner of your smartphone next to "San Diego County Office of E..." This will generate a six-digit temporary passcode. Enter the six-digit code provided on your smartphone in the Multi-Factor Authentication portal to complete the authentication process.
     
35. How can I authenticate if I need to change my SIM card?
    Changing your Mobile phone SIM card will not affect the way you authenticate (even if it changes your phone number) because the Duo Mobile app is tied to your smartphone’s hardware security module (HSM). You should still be able to accept a push or generate a passcode from the Duo Mobile app (even when your smartphone is in airplane mode or lacks cell/wi-fi service).
     
36. What if I don't have cellular or wireless (Wi-Fi) service on my smartphone?
    You cannot authenticate using Duo Push without internet access. You cannot authenticate with SMS without phone service. You can request a single-use passcode directly from the Duo Mobile app, even when your smartphone or tablet is in airplane mode or lacks cell service. Simply open the app and tap the down arrow or key icon located at the upper right-hand corner of your smartphone next to "San Diego County Office of E..." This will generate a six-digit temporary passcode. Enter the six-digit code provided on your smartphone in the Multi-Factor Authentication portal to complete the authentication process.
     
37. What do I have to do when I change my phone or add another phone?
    You may add new devices via the Duo self-service portal. If you upgrade to a new smartphone or want to add a tablet as a 2nd device. Be sure to deactivate your old devices and register the new one using the Duo self-service portal. You may also contact the ITS Computer Support Service at 858-298-2205 for assistance.
     
38. What do I need to do before using my mobile phone with MFA?
    SDCOE Employees will require to fill out SDCOE Secure Access (MFA) for Personal Mobile Phone Form.
     
39. Do I need to use MFA-Duo to login to my workstation?
    Not currently, though some systems will require this in the future.