Duo Identity (ID) Proofing

Last Updated: April 3rd, 2019

Overview

Duo has partnered with Inflection EPCS, an identity verification provider, to validate your Duo end users' identity. Identity Proofing (or ID Proofing) requires that users answer a series of questions during enrollment as identity verification.

To experience Duo's Identity Proofing, contact your Duo account executive or Customer Success manager. You'll also need to enter into a services agreement with Inflection EPCS for the verification platform.

Duo's ID Proofing is available for our Epic EPCS application.

Account Setup

Your Duo sales or customer success team will assist you with the account preparation and configuration needed to deploy ID Proofing. This includes creating a new subaccount to your current Duo account and adding the ID Proofing feature there.

Once that's done, you'll need to make some configuration changes to the new subaccount (described below), and then enroll the users who need to use the verification process in the subaccount (as well as in the parent account).

Configure Authentication Methods

Duo's Identity Proofing requires that all authentications use FIPS 140-2 compliant methods. Our one-time passcode (OTP) options are validated to meet FIPS 140-2 Level 1 per the table below:

| OTP Method for Epic | Meets EPCS compliance for FIPS 140-2 Level 1? |
|---|---|
| Hardware Token | Verify compliance with your token vendor |
| Duo Mobile Passcodes (iOS 6+) | Yes |
| Duo Mobile Passcodes (Android) | Yes with Duo Mobile for Android 3.12 and later; specify a minimum Duo Mobile version with a Duo Mobile App policy. |
| Duo Mobile Passcodes (Windows Phone) | Yes with Duo Mobile for Windows Phone 2.0 and later |
| Duo Mobile Passcodes (BlackBerry) | No - Disable BlackBerry use with an Operating System policy |
| SMS Passcodes | No - Disable SMS use with an Authentication Methods policy |
| Duo Bypass Codes | No - Do not issue bypass codes to EPCS users. Consider preventing your Help Desk admins from creating bypass codes for users. |

Deploying Duo's ID Proofing automatically disables use of the following Duo authentication methods that don't meet the FIPS 140-2 requirement with the Epic application.

  • SMS Passcodes
  • Phone callback
  • WebAuthn Security Keys and Touch ID

This leaves Duo Push, Duo Mobile generated passcodes, Yubikey and other hardware tokens, and bypass code factors available for authentication.

If your compliance team determines that Duo Push doesn't adequately satisfy EPCS guidelines for FIPS 140-2 Level 1, then you'll need to create a policy preventing use of Duo Push with your Epic application.

To do this:

  1. Log into the Duo Admin Panel, locate your Epic application, and view its properties page.

  2. Click the Apply a policy to all users link to assign the policy to all users of that application.

  3. Click the Or, create a new Policy link instead of selecting a policy to apply from the drop-down list.

  4. In the Policy Name field, give the policy a name that easily identifies what the policy is for, such as "FIPS 140-2 Policy".

  5. Click on Authentication Methods located under the "Authenticators" section in the policy builder.

  6. Deselect the Duo Push method, leaving Duo Mobile and Hardware tokens checked.

  7. Click on Operating Systems located under the "Devices" section of the policy editor.

  8. Scroll down to "Blackberry" and select Block all versions.

  9. Click the Create Policy button at the bottom of the policy editor.

  10. The application page shows the new FIPS 140-2 policy assignment.

See our Policy documentation for more information.

Enable Identity Proofing

Inflection EPCS will email you a "Billable Account ID" once your service agreement is in place. When you have this information, use it to turn on the Identity Proofing feature on your account.

  1. Access your Duo Admin Panel and go to the Settings page.

  2. Scroll down to the Identity Proofing setting and check the box next to "Require identity verification before enrollment."

    If you do not see this option please contact your Duo account executive or Customer Success manager to have this setting enabled for your account.

  3. Enter the Billable Account ID you received from Inflection EPCS in the space provided.

  4. Scroll to the bottom of the page and click Save Changes.

Add First and Last Names to Users

Duo's Identity Proofing requires legal first and last name validation. The information provided to Duo must be the full legal first and last name; any other name form (such as a nickname, e.g. "Bill" instead of "William") fails identity verification.

Specify user first and last name information via manual entry in the Admin Panel, or import first and last name for many users via synchronization with Active Directory (AD), CSV file import, or programmatically using the Admin API.

AD Sync

Duo's AD Sync imports the AD attribute givenName as the user's first name and the AD attribute sn as the last name. Ensure that the source Active Directory is populated with your users' legal first and last names in these attributes for legal name verification.

CSV Import

Add the columns firstname and lastname to your source CSV import file, populated with your users' legal first and last names.
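A pre-import check for the CSV file, as an added example that is not part of Duo's documentation or tooling. The `firstname` and `lastname` columns come from this page; the `username` and `email` column names and the sample rows are assumptions. It flags rows that would stall enrollment (empty names, bare initials, no address for the emailed enrollment link), but it cannot tell a nickname such as "Bill" from a legal name.

```python
import csv
import io
import re

REQUIRED = ("firstname", "lastname")    # column names given on this page
ASSUMED = ("username", "email")         # assumed column names, not from this page
INITIAL = re.compile(r"^[A-Za-z]\.?$")  # "J" or "J." is unlikely to be a full legal name

def check_import(csv_text):
    """Return (line_number, username, problem) tuples for rows likely to fail."""
    reader = csv.DictReader(io.StringIO(csv_text))
    header = [h.strip().lower() for h in (reader.fieldnames or [])]
    missing = [c for c in REQUIRED + ASSUMED if c not in header]
    if missing:
        return [(1, "", "missing column(s): " + ", ".join(missing))]
    reader.fieldnames = header  # use the normalized header for row lookups

    problems = []
    for row in reader:
        user = (row.get("username") or "").strip()
        for col in REQUIRED:
            value = (row.get(col) or "").strip()
            if not value:
                problems.append((reader.line_num, user, f"{col} is empty"))
            elif INITIAL.match(value):
                problems.append(
                    (reader.line_num, user, f"{col} looks like an initial: {value!r}"))
        # ID Proofing enrollment is email-only, so a row without an address
        # can never receive its enrollment link.
        if "@" not in (row.get("email") or ""):
            problems.append(
                (reader.line_num, user, "no email address for the enrollment link"))
    return problems

# Constructed sample data, not real users.
SAMPLE = """username,firstname,lastname,email
wsmith,William,Smith,wsmith@example.org
jdoe,J.,Doe,jdoe@example.org
akhan,Aisha,,akhan@example.org
mlee,Min,Lee,
"""

if __name__ == "__main__":
    for line, user, problem in check_import(SAMPLE):
        print(f"line {line} ({user}): {problem}")
```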

Send Enrollment Emails

Only email-based enrollment is supported with ID Proofing. Inline enrollment is NOT supported.

Send enrollment emails to users by clicking the "send enrollment email" button on the user, by enabling the enrollment email option in AD sync so that emails with enrollment links are automatically sent to users imported with email addresses, or via bulk enrollment.

Suggested email template (enter on the bulk enrollment page or at the bottom of the Settings page if using AD sync):

Hello!

HospitalName is rolling out Duo Security to enable you to prescribe controlled
substances online.

You’ll need to verify your identity in compliance with Department of Justice
guidelines for Electronic Prescription of Controlled Substances and create a
Duo Security account. The whole process takes about 10 minutes.

Our verification partner, Inflection EPCS, will guide you through the three-step
identity verification process. You’ll need your mobile phone to complete the
process.

To begin, click the link below:

<enrollment_link>

Once you’ve verified your identity, you’ll enroll a mobile device to use for
two-factor authentication, which helps protect your online prescription
privileges from unauthorized use.

Learn more about:
 - Two-Factor Authentication: https://duo.com/product/trusted-users/two-factor-authentication
 - Duo Security Enrollment: https://guide.duo.com/enrollment

Troubleshooting Identity Verification

If a user has issues verifying their identity during the enrollment process, verify that the user's first and last names were correctly populated in Duo before enrolling.

If the user information in Duo is correct but the verification process still fails, please contact Inflection EPCS Support at 855-496-1546.
