Organizational Microsoft 365 accounts and Duo multi-factor authentication

Multi-factor authentication (MFA) grants you access only after you successfully present two or more pieces of evidence to validate your identity. On occasion, an organizational (org) account may also be a shared account. This applies to both NetID-based mailboxes and Exchange-only mailboxes.

 

Shared Account with Delegated Permissions

If permissions have been delegated, there is no change. You and other delegated users accessing the shared resource would satisfy Duo requirements as you would normally with your primary account. Examples of shared accounts with delegated permissions are mailboxes with full-access/send-as/send-on-behalf permissions.

Shared Account with Shared Credentials

In a shared account with shared credentials, multiple users access the account with the same login information. This is not recommended, and it is more complicated. In this scenario, there are several options for satisfying Duo MFA requirements.

  1. Transition to delegated permissions
    As described above, this is the preferred option for accessing shared resources. For mailboxes, contact servicedesk@northwestern.edu with the mailbox identity as well as the individual users that need access to the mailbox.
     
  2. Add multiple devices to Duo
    Once multi-factor authentication has been applied to the shared account, each user accessing the mailbox via the shared credentials will need to have their device added to Duo for this account. See below for specific instructions on managing this process.
     
  3. Utilize hardware tokens
    Duo hardware tokens can also be procured and used for authentication to a shared mailbox. Tokens can be assigned to the shared account as well as to the users who access the shared account. More information on Duo hardware tokens can be found in the following knowledgebase article:

    Using Duo with a Hardware Token

 

Configuring Multiple Devices in Duo for Shared Accounts

The steps below describe how each user's device can be sequentially added to a shared account. It is also possible to have devices pre-loaded into Duo. Please contact the Information Security Office (via servicedesk@northwestern.edu) for more information on this option.

Once multi-factor authentication has been applied to the shared account, the first person to use the account would go through the Duo registration process and add a phone number, device, etc.

Subsequent users needing to access the account with the same credentials would need to coordinate with the first user to have an additional phone number or device added to Duo (currently limited to 100 devices). This is done by choosing “Other options” from the Duo Push pop-up:

Then choosing “Manage devices” from the bottom of the list:

And finally choosing “Add a device” and adding the device details:

After initial configuration of each user's device details, they would need to be sure to choose their personal device by using “Other options” from the Duo Push screen and selecting the appropriate device/option.

Removing a phone number when someone leaves

When it is necessary to remove a phone number/device from a shared account protected by Duo, anyone with current access to the shared account can make these changes in Duo from the “Manage devices” screens as described above.

 

 

 


Details

Article ID: 1812
Created: Thu 5/12/22 12:39 PM
Modified: Wed 9/20/23 11:40 AM