What is 2FA, and why do I need it?
Answer: 2FA, short for two-factor authentication, is a method of securing a login to a device or website: after you enter your normal username and password, a code is sent to, or the login is approved on, a separate device at the time of login.
Hackers find ways to easily breach passwords. Passwords by themselves are no longer secure, and all cyber security professionals recommend using 2FA when possible.
Almost all insurance providers require 2FA to be set up and enforced, for the added security.
Why are we going to use DUO for our 2FA solution?
Answer: Gallop Technology Group spent months on research and development, testing and case studies to come up with the best solution for our clients. DUO is priced right, has GREAT support, is known to be VERY futuristic yet stable and reliable, and is very easy to set up, deploy and remove as your company’s needs change.
What is the process to enable DUO 2FA for our company?
Answer: Gallop Technology Group will collect information from you regarding your company’s needs (number of users, billing information, a workaround for users who are not willing to install the DUO app on their cell phone, etc.). Once we have collected the needed information, we set it up on the DUO admin portal for your company, and set up all the users, policies and permissions required. You don’t need to worry about any of that. We will then choose a “focus group” of users on your end to test this with, and from there deploy it for the rest of your team once you approve.
How do the users set up 2FA once Gallop Technology Group enables it for our company?
Answer: Once we enable the service for each user, the user will receive a “welcome email” from Duo with a link, asking them to register and enroll in their Duo account. At the end of that process, they will have an active account.
Once the account is active, we can continue with enforcing DUO on the user’s devices and cloud accounts we discussed with you.
Will users be locked out once Duo is implemented?
Answer: The first step is for the users to create an account by following the steps they received in the DUO “welcome email”. Then, during the initial implementation phase, 2FA will not be enforced until you approve the enforcement phase and we have tested that there are no issues with any of the devices of the test group.
Once all users are enrolled (or when we receive approval to proceed), we will enforce the policy, which prevents users from logging into their system if they have not enrolled by that point. Our support staff will be able to assist users who did not complete the enrollment in finishing the process so they can log in. It’s a quick and simple process on our end to assist those users, but we of course recommend that all users set up their account and enroll before the enforcement date.
What services are affected?
Answer: The initial implementation of Duo covers RDP (“Remote Desktop Protocol”, used by users who connect to their office computer or cloud server remotely when traveling or working from home), local PC access, and Azure Active Directory sign-on (with Azure Active Directory, Duo will also replace the Microsoft Authenticator, so there is no need for multiple applications).
What settings are being configured on this 2FA?
Answer: By default, to ensure compliance with cyber insurance requirements, we set a policy that blocks phones that have reached end-of-life and are no longer supported by their manufacturers from using DUO.
This is because when a device becomes end-of-life, updates are NO LONGER being made, and any vulnerabilities found on that device are not being fixed. That puts the device at high risk of being hacked, rendering the 2FA ineffective. The options in such a case are to either use a YubiKey as the solution for that employee OR sign a waiver, after which we remove that policy and make end-of-life devices usable. The waiver is not recommended, as it heightens your risk.
One (or more) of our employees does not agree to install the Duo app on their personal cell phone. What options do we have?
Answer: It is going to be MUCH easier for your users to simply install the DUO app on their phone. It is secure, safe, and very lightweight. However, if a user does not want to install it on their cell phone, you will be required to purchase a “USB Authentication hardware key” device called “YubiKey”, and our team will have to configure it (one time for your company) and mail it to you.
The user plugs this YubiKey device into the computer at the time of login. It has to be removed immediately afterwards and NOT kept by the computer when the user is away (for security reasons). The device can also be used for authenticating / 2FA login on mobile devices (cell phones/tablets), but those devices must have NFC capabilities. Please contact our team for more information about mobile device 2FA access.
What happens if a user forgets their authentication device (phone, hardware key, etc.)? How would they be able to log in?
Answer: After confirming the user’s identity through our normal procedures, our engineers can provide the user with a bypass code, which will be valid for a set duration depending on the situation.
Why not use the Microsoft Authenticator app? It’s free and we most likely have it already on our phones.
Answer: The short answer is that the Microsoft Authenticator app, which is used for 2FA when logging in to your MS cloud services, does NOT work as a 2FA device for login protection on physical computers. We’re working hard to make things easier to manage and to have everything unified, with fewer solutions to manage, support and train your employees on. Duo can integrate into the Microsoft platform, but not the opposite. Therefore, we recommend using Duo authentication to replace the Microsoft Authenticator once you set up 2FA for local login security on physical computers.
Is it true that I won’t be able to use a fingerprint or a PIN anymore to log into my computer once we install 2FA?
Answer: Unfortunately, at this point, that is correct. After months of research, testing and discussion with many 2FA providers, we found that there are no 2FA solutions that support “Windows Hello” (Windows Hello is what Microsoft calls their PIN, biometric, fingerprint and other login methods that replace the good old password).
Therefore, all users will have to enter their account password in order to log in to their computers once the DUO 2FA is implemented. For users who currently use Windows Hello as part of their sign-in (PIN/biometrics), we ask that they confirm they know their “full computer password” prior to enforcement of the DUO 2FA.
Please make sure your team members confirm they know their password (since most people only use a PIN code instead of their password, they forget their actual password in some cases) by following these instructions HERE: https://www.