The Effect of Duo Two-Factor Authentication on Onboarding New HSC Employees


The current plan replacing HitachiID with AD Self Service Plus (ADSS+) includes a design change that utilizes Duo two-factor authentication as the exclusive authentication for self-service password management. Using two-factor authentication instead of the historical questions-and-answers is a much more modern approach to verification that is more secure, less subject to social engineering, and improves customer experience (Questions-and-answers require a separate sign-up process and then are easily forgotten if not used).


Using two-factor authentication as the exclusive authentication method will require every future user - faculty, staff, student, and affiliate - to sign up for and utilize Duo to complete the initial account creation process. That is, every single user would need to have and use a smartphone (or tablet) and the Duo app.


Duo two-factor authentication is currently already required for VPN, PeopleSoft Self Service from off-campus, and Direct Deposit change, but the expansion of two-factor authentication to additional applications was always an expectation. In addition to self-service account management, future requirements for Duo two-factor authentication would include access to the next version of webmail.


New User Experience 

1.  New employee (or affiliate/volunteer) are entered into PeopleSoft via an ePAF by the departmental personnel coordinator.

2.  New employee receives first email from OUHSC (sender: with instructions, including:

3.   New employee receives a second email within 10 minutes of enabling account that instructs them to go to to reset the one-time-use password provided in the first message. The website will detect if they are not registered with Duo two-factor authentication and force them to do so before going any further.

  • If the new employee has a smartphone (Android or iOS), install the Duo application from the relevant app store. Once the device is registered, the employee will be prompted to perform a “push” notice to authenticate. Once authenticated with their two-factor device (smartphone), new employees must change their password (using the password in the original email as the “old password”) and create a new one following the guidelines provided.


Article ID: 2280
Wed 5/5/21 4:10 PM