BuckeyePass Integration Overview
The BuckeyePass service provides multi-factor authentication to University systems and applications to meet the University Information Security Control Authentication Requirements.
This overview is meant to provide system and/or application owners with all the steps necessary to add multi-factor authentication to their existing authentication process. To begin the integration process please complete the BuckeyePass Engagement Form.
Integration Methods
The BuckeyePass service supports integration with Duo through existing Web Single Sign-On integrations and through direct integrations. If Duo integration keys are required, the BuckeyePass team will deliver the keys via a Privileged Access Management secret.
Existing SSO Integrations
The preferred integration method for new applications is to utilize an existing Web Single Sign-On integration. Utilizing Web Single Sign-On allows an application owner to take advantage of the existing account life cycle processes, and pre-configured authentication assurance profiles. These integrations are often accomplished through the use of SAML2 or Entra/ADFS authentication methods.
Stand-alone Integrations
Applications that do not support single sign-on integrations or web-based logon may be integrated directly with Duo. A list of Duo-supported integrations can be found on the Duo Support site. Application developers may integrate directly with the Duo Universal Prompt using the Duo Web SDK. If an integration does not exist, possible methods include using the Duo LDAP or RADIUS proxy.
To inquire about additional options, email buckeypass@osu.edu.
Supported Usernames
The BuckeyePass service supports MFA for university-managed identities, commonly a name.# account.
Supported User Identifiers
- Name.#
- Name.#@osu.edu
- Name.#a
- Medical Center ID
- IDM ID
- Employee ID
- Workforce ID
Additional usernames may be supported through the use of username simplification. Usernames in the format 'domain\name.#' or 'name.#@domain.edu' will simplify to match the 'name.#' identifier.
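An added example, not BuckeyePass or Duo code: a sketch of the simplification rule above that an application owner could run over stored usernames to see which ones reduce to the same name.# identifier and which have no name.# form. The regular expression for name.#, the function names and the sample usernames are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Assumption: name.# is a name, a dot and a number; the optional trailing
# letter covers the "Name.#a" identifier listed above.
NAME_DOT_NUMBER = re.compile(r"^[A-Za-z][A-Za-z-]*\.\d+[A-Za-z]?$")


def simplify(username):
    """Return the name.# form of a login name, or None if it has no such form."""
    candidate = username.strip()
    if "\\" in candidate:
        # domain\name.#  ->  name.#
        domain, _, candidate = candidate.partition("\\")
        if not domain:
            return None
    elif "@" in candidate:
        # name.#@domain.edu  ->  name.#
        candidate, _, domain = candidate.partition("@")
        if not domain:
            return None
    # Mixed or malformed forms (a second "\" or a leftover "@") fail this match.
    return candidate if NAME_DOT_NUMBER.match(candidate) else None


def group_by_identifier(usernames):
    """Map each name.# identifier to the raw login names that simplify to it."""
    groups, unmatched = defaultdict(list), []
    for raw in usernames:
        identifier = simplify(raw)
        if identifier is None:
            unmatched.append(raw)
        else:
            groups[identifier].append(raw)
    return dict(groups), unmatched


# Constructed sample of usernames as an application might store them.
SAMPLE = [
    "buckeye.1", "OSU\\buckeye.1", "buckeye.1@osu.edu",
    "buckeye.1@partner.edu", "brutus.42a", "svc_backup", "LAB\\brutus.42@osu.edu",
]

if __name__ == "__main__":
    groups, unmatched = group_by_identifier(SAMPLE)
    for identifier, raws in groups.items():
        print(identifier, "<-", raws)
    print("no name.# form:", unmatched)
```

Login names grouped under one identifier are matched to the same name.# account, so check that they belong to the same person in your application.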
Shared Accounts
The BuckeyePass service can support MFA on shared accounts through the use of shared OTP tokens stored in the Privileged Access Management system. To request enrollment of a shared account and token, email buckeypass@osu.edu or open a ServiceNow request assigned to BuckeyePass Admin.
Authentication Profiles
The BuckeyePass service supports three standard authentication policies.
Authentication Assurance Level 2
The Authentication Assurance Level 2 (AAL2) policy is the global default policy, and includes 7-day remembered devices.
Allowable authentication factors are:
- WebAuthn Passkeys and Security Keys
- Duo Push
- Duo Mobile OTP
- Hardware token OTP
- SMS OTP
- Duo Bypass Codes
Authentication Assurance Level 3
The Authentication Assurance Level 3 (AAL3) policy enforces 1-day remembered devices.
Allowable authentication factors are:
- WebAuthn Passkeys and Security Keys
- Duo Push
- Duo Hardtoken OTP
REFEDS
The Research and Education FEDerations group (REFEDS) policy supports AAL2 authenticators, with no remembered devices.
User Registration
Initial device registration is limited to the Device Enrollment Portal at Buckeypass.osu.edu and University Web Single Sign-On integrations. Users will be prompted to enroll a device during their first authentication. Detailed service information for users is posted online.
After registration, users can add, delete, or manage devices through any integration supporting the Duo Universal Prompt.