Duo has partnered with Inflection EPCS, an identity verification provider, to validate your Duo end users' identity. Identity Proofing (or ID Proofing) requires that users answer a series of questions during enrollment as identity verification.
To experience Duo's Identity Proofing, contact your Duo account executive or Customer Success manager. You'll also need to enter into a services agreement with Inflection EPCS for the verification platform.
Duo's ID Proofing is available for our Epic EPCS application.
Your Duo sales or customer success team will assist you with the account preparation and configuration needed to deploy ID Proofing. This includes creating a new subaccount to your current Duo account and adding the ID Proofing feature there.
Once that's done, you'll need to make some configuration changes to the new subaccount (described below), and then enroll the users who need to use the verification process in the subaccount (as well as in the parent account).
Duo's Identity Proofing requires that all authentications use FIPS 140-2 compliant methods. Our one-time passcode (OTP) options are validated to meet FIPS 140-2 Level 1 per the table below:

|OTP Method for Epic|Meets EPCS compliance for FIPS 140-2 Level 1?|
|---|---|
|Hardware Token|Verify compliance with your token vendor|
|Duo Mobile Passcodes (iOS 6+)|Yes|
|Duo Mobile Passcodes (Android)|Yes with Duo Mobile for Android 3.25.0 and later|
|Duo Mobile Passcodes (Windows Phone)|Yes with Duo Mobile for Windows Phone 2.0 and later|
|Duo Mobile Passcodes (BlackBerry)|No - Disable BlackBerry use with an Operating System policy|
|SMS Passcodes|No - Disable SMS use with an Authentication Methods policy|
|Duo Bypass Codes|No - Do not issue bypass codes to EPCS users. Consider preventing your Help Desk admins from creating bypass codes for users.|

Deploying Duo's ID Proofing automatically disables use of the following Duo authentication methods that don't meet the FIPS 140-2 requirement with the Epic application.
This leaves Duo Push, Duo Mobile generated passcodes, Yubikey and other hardware tokens, and bypass code factors available for authentication.
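The OTP table above can be applied as an audit over an inventory of enrolled factors before go-live. The following is an added example, not Duo's code: the record fields (`user`, `factor`, `platform`, `app_version`) and the sample rows are assumptions constructed for illustration, not a Duo export format.

```python
# Added example. Record fields (user, factor, platform, app_version) are
# assumed for illustration and are not a Duo export format.

# Minimum Duo Mobile version per platform from the OTP table (None = none listed).
MIN_DUO_MOBILE = {"ios": None, "android": "3.25.0", "windows phone": "2.0"}

def parse_version(text):
    """'3.25.0' -> (3, 25, 0), padded to three parts; ValueError if malformed."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def check(record):
    """Return (verdict, reason); verdict is 'ok', 'verify' or 'fail'."""
    factor = record["factor"].lower()
    if factor == "hardware token":
        return "verify", "confirm FIPS 140-2 compliance with the token vendor"
    if factor == "sms passcode":
        return "fail", "disable SMS with an Authentication Methods policy"
    if factor == "bypass code":
        return "fail", "do not issue bypass codes to EPCS users"
    if factor != "duo mobile passcode":
        return "verify", "factor is not in the OTP table"
    platform = record.get("platform", "").lower()
    if platform == "blackberry":
        return "fail", "block BlackBerry with an Operating Systems policy"
    if platform not in MIN_DUO_MOBILE:
        return "verify", "platform is not in the OTP table"
    minimum = MIN_DUO_MOBILE[platform]
    if minimum is None:  # iOS: the table's iOS 6+ OS requirement is not checked here
        return "ok", "listed as compliant"
    try:
        version = parse_version(record.get("app_version", ""))
    except ValueError:
        return "verify", "Duo Mobile version missing or unreadable"
    # Numeric tuple comparison: as strings, "3.9.1" would sort above "3.25.0".
    if version < parse_version(minimum):
        return "fail", "upgrade Duo Mobile to %s or later" % minimum
    return "ok", "listed as compliant"

def audit(records):
    results = [(r["user"],) + check(r) for r in records]
    return [row for row in results if row[1] != "ok"]

SAMPLE = [  # constructed inventory
    {"user": "asmith", "factor": "Duo Mobile passcode", "platform": "Android", "app_version": "3.9.1"},
    {"user": "bjones", "factor": "Duo Mobile passcode", "platform": "iOS", "app_version": "3.20"},
    {"user": "clee", "factor": "SMS passcode"},
]
```

`audit(SAMPLE)` returns only the records that need action, each with the remediation the table names.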
If your compliance team determines that Duo Push doesn't adequately satisfy EPCS guidelines for FIPS 140-2 Level 1 then you'll need to create a policy preventing use of Duo Push with your Epic application.
To do this:
1. Log in to the Duo Admin Panel, locate your Epic application, and view its properties page.
2. Click the Apply a policy to all users link to assign the policy to all users of that application.
3. Click the Or, create a new Policy link instead of selecting a policy to apply from the drop-down list.
4. In the Policy Name field, name the policy something that easily identifies what the policy is for, such as "FIPS 140-2 Policy".
5. Click on Authentication Methods located under the "Authenticators" section in the policy builder.
6. Deselect the Duo Push method, leaving Duo Mobile and Hardware tokens checked.
7. Click on Operating Systems located under the "Devices" section of the policy editor.
8. Scroll down to "Blackberry" and select Block all versions.
9. Click the Create Policy button at the bottom of the policy editor.
The application page shows the new FIPS 140-2 policy assignment.
See our Policy documentation for more information.
Inflection EPCS will email you a "Billable Account ID" once your service agreement is in place. When you have this information, use it to turn on the Identity Proofing feature on your account.
1. Access your Duo Admin Panel and go to the Settings page.
2. Scroll down to the Identity Proofing setting and check the box next to "Require identity verification before enrollment."
   If you do not see this option, please contact your Duo account executive or Customer Success manager to have this setting enabled for your account.
3. Enter the Billable Account ID you received from Inflection EPCS in the space provided.
4. Scroll to the bottom of the page and click Save Changes.
Duo's Identity Proofing requires legal first and last name validation. The information provided to Duo must be the full legal first and last name; any other name form (such as a nickname, e.g. "Bill" instead of "William") fails identity verification.
Specify user first and last name information via manual entry in the Admin Panel, or import first and last name for many users via synchronization with Active Directory (AD), CSV file import, or programmatically using the Admin API.
Duo's AD Sync imports the AD attribute givenName as the user's first name and the AD attribute sn as the last name. Ensure that the source Active Directory is populated with your users' legal first and last names in these attributes for legal name verification.
Add the columns lastname to your source CSV import file, populated with your users' legal first and last names.
Only email based enrollment is supported with ID Proofing. Inline enrollment is NOT supported.
Send enrollment emails to users by clicking the "send enrollment email" button on the user, by enabling the enrollment email option in AD sync so that emails with enrollment links are automatically sent to users imported with email addresses, or via bulk enrollment.
Hello!

HospitalName is rolling out Duo Security to enable you to prescribe controlled substances online. You’ll need to verify your identity in compliance with Department of Justice guidelines for Electronic Prescription of Controlled Substances and create a Duo Security account.

The whole process takes about 10 minutes. Our verification partner, Inflection EPCS, will guide you through the three-step identity verification process. You’ll need your mobile phone to complete the process.

To begin, click the link below:
<enrollment_link>

Once you’ve verified your identity, you’ll enroll a mobile device to use for two-factor authentication, which helps protect your online prescription privileges from unauthorized use.

Learn more about:
- Two-Factor Authentication: https://duo.com/product/trusted-users/two-factor-authentication
- Duo Security Enrollment: https://guide.duo.com/enrollment

If a user has issues verifying their identity during the enrollment process, verify that the user's first and last names were correctly populated in Duo before enrolling.
If the user information in Duo is correct but the verification process still fails, please contact Inflection EPCS Support at 855-496-1546.