Overview
USC requires the use of Duo two-factor authentication (2FA) when signing into shared organizational accounts. This guide explains how to add devices to Duo for shared organizational accounts accessed by direct login.
Direct login vs delegate access
If your department or unit signs into a shared org account directly using a passphrase specific to the org account, each member who needs access must enroll at least one device in Duo for authentication.
If, however, your department or unit uses delegate access to sign into a shared org account, you do not have to follow the guide below: each member who has access can continue using their individual USC NetID credentials to access the account.
Setting up Duo for a shared org account (instructions for the org account owner)
Step 1: Enroll the org account in Duo and add your own device
If you have never used Duo before to log into the org account:
- Open a private or incognito window in your browser. This will ensure you're editing the org account's Duo settings, and not your own USC account's Duo settings.
- Go to https://account.usc.edu/2fa/enroll.
- The Shibboleth login page displays. Log in using the shared org account username and passphrase.
- The Duo enrollment page displays. Follow the prompts to set up your device. We highly recommend using the Duo Mobile option to add a mobile device.
Step 2: Add others' devices to Duo
Once you've first added your own device to Duo for the org account, you can begin adding the devices or phone numbers of other department/unit members who need direct login access to the shared org account. We recommend performing these steps via a Zoom or Slack call with each person who needs direct login access, as they will need to provide verification on the device or phone number that is added.
Quick guide
- Open a private or incognito window in your browser. This will ensure you're editing the org account's Duo settings, and not your own USC account's Duo settings.
- Go to https://account.usc.edu/2fa/configure.
- Do not complete Duo authentication when prompted. Instead, click Other options.
- Click Manage devices.
- Select a verification method and complete Duo authentication.
- The Duo Device Management page displays. For each person who needs access to the shared org account, you will have to add their device:
- Click Add a device.
- Click the option that corresponds to the person's device:
- Touch ID, Windows Hello, or Face ID: While these options may appear, you will not be able to set them up on behalf of the other person, as these options rely on biometrics.
- Duo Mobile: Use this option for a smartphone or tablet.
- Phone number: Use this option for text messaging to a cell phone or setting up a landline phone.
- Follow the prompts. The person whose device or phone number you are adding will also need to provide verification on their end. Once you complete setup, the new option is added to the account's Duo Device Management page.
- Repeat these steps until you have added a device or phone number for each person who needs access to the shared org account.
Detailed guide (with screenshots)
- Open a private or incognito window in your browser. This will ensure you're editing the org account's Duo settings, and not your own USC account's Duo settings.
- Go to https://account.usc.edu/2fa/configure.
- Do not complete Duo authentication when prompted. Instead, click Other options.
- Click Manage devices.
- Select a verification method and complete Duo authentication.
- The Duo Device Management page displays. For each person who needs access to the shared org account, you will have to add their device:
- Click Add a device.
- Click the option that corresponds to the person's device:
- Touch ID, Windows Hello, or Face ID: While these options may appear, you will not be able to set them up on behalf of the other person, as these options rely on biometrics.
- Duo Mobile: Use this option for a smartphone or tablet.
- Phone number: Use this option for text messaging to a cell phone or setting up a landline phone.
- Follow the prompts. The person whose device or phone number you are adding will also need to provide verification on their end. Once you complete setup, the new option is added to the account's Duo Device Management page.
- Repeat these steps until you have added a device or phone number for each person who needs access to the shared org account.
Using Duo for a shared org account (instructions for members granted access)
Once the shared org account has been enrolled in Duo and all members' devices have been added, logging into the org account is straightforward:
Quick guide
- Open a private or incognito window in your browser. This will ensure you're logging in with the org account, not with your own USC account.
- Go to the login page (for example, if you want to access the org account's email, go to https://usc.edu/office365; if you want to access the org account's Google Drive, go to https://usc.edu/googledrive).
- The Shibboleth login page displays. Log in using the org account username and passphrase.
- The Duo authentication prompt displays. Select your device from the list and complete authentication.
- If you receive an error message stating that "Our records show you have not enrolled in Duo 2FA": Click No, I will enroll later.
Detailed guide (with screenshots)
- Open a private or incognito window in your browser. This will ensure you're logging in with the org account, not with your own USC account.
- Go to the login page (for example, if you want to access the org account's email, go to https://usc.edu/office365; if you want to access the org account's Google Drive, go to https://usc.edu/googledrive).
- The Shibboleth login page displays. Log in using the org account username and passphrase.
- The Duo authentication prompt displays. Select your device from the list and complete authentication. You can click the Device dropdown to filter the prompt options.
- If you receive an error message stating that "Our records show you have not enrolled in Duo 2FA": Click No, I will enroll later.
Removing a device from Duo
If someone whose device is enrolled in Duo no longer needs to access the org account (for instance, they are switching roles or leaving the department or USC), that person's device should be removed from the org account's Duo devices to ensure security:
Quick guide
- Open a private or incognito window in your browser. This will ensure you're editing the org account's Duo settings, and not your own USC account's Duo settings.
- Go to https://account.usc.edu/2fa/configure. Do not complete Duo authentication when prompted. Instead, click Other options.
- Click Manage devices.
- Select a verification method and complete Duo authentication.
- The Duo Device Management page displays.
- Locate the device you want to remove. Click Edit, and select Delete from the dropdown.
- Click Delete to confirm.
Detailed guide (with screenshots)
- Open a private or incognito window in your browser. This will ensure you're editing the org account's Duo settings, and not your own USC account's Duo settings.
- Do not complete Duo authentication when prompted. Instead, click Other options.
- Click Manage devices.
- Select a verification method and complete Duo authentication.
- The Duo Device Management page displays.
- Locate the device you want to remove. Click Edit, and select Delete from the dropdown.
- Click Delete to confirm.
Troubleshooting: "Our records show you have not enrolled in Duo 2FA"
Once the org account has been set up in Duo with the instructions above, it may take about a day or so for the changes to take place. If you try to log into the org account and receive an error message asking you to enroll again, simply click No, I will enroll later.
Contributor(s): Chris Huntley.