CLASSE Duo: Two-Factor Authentication
In light of the increased threat posed by ransomware and account compromises, CLASSE is adopting the use of Duo two-factor authentication for enhanced security of web services and remote logins. CLASSE Duo uses the exact same app as
Cornell's Duo service (no new installation needed), although a separate CLASSE registration is required.
To enroll a new device or manage your existing two-factor devices, please log into the CLASSE Duo Device Manager with your CLASSE account:
- If your phone broke, as long as your number is the same, you can log in above using the "Call Me" setting one time to enroll your replacement phone.
Alternative Enrollment Methods
Enroll via Service Request
CLASSE IT can manually enroll one device in Duo for you if other options fail.
Submit a
ServiceRequest for assistance enrolling in CLASSE duo, including the phone number of the device you would like associated with your CLASSE account.
Enroll via SSH
CLASSE also supports using SSH to enroll your account with Duo.
Windows 10
- Open a terminal application, such as Putty or RunXMing, to open an SSH connection to the CLASSE Duo service.
- RunXMing is available on the desktop of all CLASSE managed computers.
- In the opened Window, enter
duo.classe.cornell.edu
into the "Host Name (or IP address)" field.
- Set the protocol to SSH
- Click Open on the bottom of the window.
- Click "Yes" to accept the RSA Key to continue logging in.
- Note that after logging in, you will actually be logged on to lnx6137.classe.cornell.edu.
- If prompted, enter your CLASSE ID and press enter.
- Enter your CLASSE password and press enter.
- The CLASSE Duo Service will see that your account is not enrolled and will provide a URL for enrollment.
- Copy the URL that is returned on the line "Please enroll at" and paste it into the address field in a web browser. This step is time sensitive. Do not save the URL for later use.
- Follow the instructions on the webpage to complete your enrollment.
- If you are prompted again for your password, you may enter it again (which will close your ssh session), or simply Ctrl-C to exit.
Mac OS/Linux
- Open a terminal application and SSH into
duo.classe.cornell.edu
*using your CLASSE ID*
(e.g., ssh YourCLASSEID@duo.classe.cornell.edu
)
- Type "yes" to accept the RSA Key to continue logging in.
- Note that after logging in, you will actually be logged on to lnx6137.classe.cornell.edu.
- If prompted, enter your CLASSE ID and press enter.
- Enter your CLASSE password and press enter.
- The CLASSE Duo Service will see that your account is not enrolled and will provide a URL for enrollment.
- Copy the URL that is returned on the line "Please enroll at" and paste it into the address field in a web browser. This step is time sensitive. Do not save the URL for later use.
- Follow the instructions on the webpage to complete your enrollment.
- If you are prompted again for your password, you may enter it again (which will close your ssh session), or simply Ctrl-C to exit.
Tips for Using Duo
- When upgrading or replacing your mobile device, it is considered a new device and will need to be enrolled to CLASSE Duo before two-factor authentication will work.
- When requesting a Duo phone call, please follow the instructions in the phone message and press any key on your phone to complete the process.
- Because the CLASSE VPN uses Duo, we recommend that, in the Pritunl software, you leave the "Autostart Off" setting untouched. Otherwise, you might receive spurious Duo prompts (e.g. in the middle of the night when your computer wakes up for updates). This Pritunl setting can be found below the "Connect" button for your VPN connection. If your setting says "Autostart On", you can change it by clicking on that button and selecting "Off".