ITS is in the process of enabling Duo two-factor authentication on departmental accounts, also known as shared accounts. This is the same Duo you are already using and will look and work the same way. This article describes how Duo will affect the management of and access to departmental accounts.
What Is a Departmental Account?
Departmental accounts are often used to communicate on behalf of a department, organization, or research study and accessed by multiple people to send or read mail. Each departmental account has a listed owner accountable for user access and how the account is used.
There are two ways to access departmental accounts:
- Direct login: Use the account’s username and password to log in, usually via Outlook in Office365. In addition to being able to read and respond to received emails, knowing the username and password also allows for the management of account information and settings, such as forwarding, setting of automatic replies, password resets, etc. Account owners and managers often access the account in this way.
- Delegated access: View the account within your Outlook email client. This allows you to read and send mail from the account in the same interface in which you read your own individual UTHSC email without having to log in with (or even know) the username and password. This method is effective for those who only read and respond to the mail.
How Does Duo Affect Access to a Departmental Account?
- Any users who log into the account directly using the username and password will need to be “enrolled” (i.e., associated with the account) in Duo. This will enable them to receive a Duo prompt that must be approved or denied during login.
- The account owner will be responsible for enrolling themselves and any other users who directly log in to the account on or after the date Duo is enabled. Users who are not enrolled will be unable to log in to the account with the username and password. (They still can be set up to use delegated access, however.) See instructions for Enrolling Users in Duo So They Can Directly Log In to a Departmental Account.
- Users who view the account using delegated access DO NOT have to be enrolled, and they will not receive Duo prompts. Nothing will change for them. (NOTE: This may be an ideal time to convert users from direct access to delegated access if they do not manage any account settings in order to reduce the number of necessary enrollments.)
- If there are multiple Duo-enrolled users, they may have to choose their phone number each time they directly log in to the account.
- Checking the “remember for 7 days” option will reduce the number of Duo prompts.
- If enrolled users get a Duo prompt that they did not request, they should deny it. It could mean that another enrolled user selected your phone number by mistake – or that someone is trying to hack the account. Either way, do not approve the prompt.