New Authentication Device

The MOST common 'Boilerkey call/issue' of late are due to the user getting a new device.

Boilerkey credentials through the Duo Mobile are tied to the particular device that they were created on. They can not be copied onto a new device either by the user... or malicious actors, this is an intentional security feature.

NOTE: A 'broken' key on the Duo Mobile app is handled the exact same way. This can be the result of a factory reset, and in some cases an update to the phone's operating system. Duo Mobile 'thinks' it's a different phone than before...

Usually calls/tickets will begin along the line of:

"I got a new phone, and my Boilerkey stopped working."
"I factory reset my device, and now Boilerkey isn't working."
"Duo Mobile says Purdue University : Reconnect."
"The 'Issues with your Boilerkey?' link told me to contact ITaP."
"I need a activation/bar/QR code for DuoMobile/Boilerkey."

A this point we have 3 courses of action to resolve the issue.

A.) Instruct the user how to use their Boilerkey Self-Recovery Tool to set up their new device (assuming they enabled it)
B.) Remove all of the user's devices from their account, and use the "White 'Authentication Failed' screen" to get them into device setup.
C.) Issue a bypass code, enable SRT (Self-Recovery Tool), set up their new device.

In an ideal world, everyone would have their SRT set up and know how to use it, and we would never need to help anyone when they get a new device. However, SRT isn't a required part of the Boilerkey setup process, so they don't have it setup. Or if they do... they don't know how to use it.

NOTE: By this point, they've already contacted us about their new device issue, can't change that. My goal though, is to do my best to make sure that next time... they don't need to call. For that reason, when 'Option A' doesn't work, I prefer 'Option C' rather than 'Option B.'

New Device Activation : Option A - Using the Boilerkey Self-Recovery Tool

Once someone has identified themselves as having a new device, and Boilerkey is no longer working... ask them if they have already enabled their "Boilerkey Self-Recovery Tool"
1. "No" - Skip to option B or C
2. "I don't know" - Usually means they haven't... follow along to find out, or assume they don't have it enabled (usually the latter)
3. "Yes" - Continue to follow along below
Direct them to purdue.edu/boilerkey
Click on the link BELOW the login prompt that says "Issues with your Boilerkey?"
Have them fill out all three fields and click "Continue"
One of two things will happen:
1. They'll get a text message and be prompted to input the code into the next page
2. They'll be prompted to contact ITaP - Their self-recovery tool isn't enabled, skip to option B or C
Enter the code received into the next page
Once logged in, click on the option at the top to "Set up a new Duo Mobile Boilerkey"
1. Step 1: Make sure that they have the app installed
  1. Notifications SHOULD be enabled
2. Step 2: Confirm their PIN
3. Step 3: Device Management
  1. Remove any existing "Purdue University" keys on the device, they'll probably say 'Reconnect' next to it
    1. iPhones : Tap 'Edit' in top left corner, and the red icon to remove the key/account
    2. Andriod : Press & Hold on "Purdue University" to remove the key/account
    3. Others : Try both of the above methods?
  2. On the computer, they'll probably see their previous device listed with an option to remove. Assuming they're not still using it, remove the device. (It will just clutter things up)
  3. Have them enter in a new Device Name, it SHOULD be the model of the phone, iPhone8, GalaxyS7, etc (no spaces)
4. Step 4: Activate the device via scanning or link
  1. Option 1 : Registering a new device using a computer
    1. Tap the "Get started" or "Add account" option on the Duo Mobile App
    2. The app needs to access their camera so that it can scan the app
    3. Point the camera at the QR code on screen in order to scan it
    4. "Purdue University" with a dropdown arrow and a 6 digit code should appear
  2. Option 2 : Registering a device, using itself
    1. If the user is completing the registration process on the device itself,
    2. On Step 4, click the "Option 2" link below the QR code, and follow the on screen directions
5. Step 5: Testing your device activation
  1. The username will just be their regular Career Account Username
  2. The "Boilerkey Passphrase" will be either:
    1. PIN#, comma, 'push' (####,push)
      1. In this case they'll need to tap the "Approve" option on the notification that their phone receives WITHIN 15 seconds of clicking the "Test Boilerkey Authentication" button.
    2. PIN#, comma, 6-DIGIT-CODE (####,######)
      1. The code will come from the DuoMobile app (tap the dropdown arrow next to Purdue University)
      2. You MUST tap the refresh icon EVERY time BEFORE putting the code into the login prompt
      3. There are no spaces in the Passphrase or Code
      4. Some phones show the Refresh icon as a key and needs to be 'toggled' for a new code
  3. This Login page works like any other CAS login or test page, and can be troubleshooted in the same way
6. Step 6: The setup process is complete, their new device is setup for Boilerkey Authentication

New Device Activation : Option B - "Bypass Mode" and the "White 'Authentication Failed' screen"

NOTE: This is the same steps you would take for a user who has never attempted to set up Boilerkey before, but currently is required to use Boilerkey for CAS logins.

NOTE: Casey is going to hate me for this, but this is not my preferred method for registering a new device, it's up to you, but I prefer Option C myself.

Using this method, if you're on a Step for more than like 40 seconds, it will log you out.
Using option C, I can get them to enable their Self-Recovery Tool FIRST, then go set up the new device.
Using option C, I can teach them some self reliance by walking them through the process of removing a device and adding a new one rather than doing it for them.
HOWEVER.... this option is faster...

The user has identified themselves as recently getting a new device, and not able to use their Boilerkey
They either haven't set up their Self-Recovery Tool, or don't know if they have
Do a Purdue Person Search (PPS) Identity Verification
1. PUID
2. Username/Alias
3. Date of Birth (DOB)
4. Address on Record
5. First & Last Name
If they have not already done so, have them install Duo Mobile on their new device (the one with the GREEN icon)
Confirm that the app does not have any existing (broken) keys on the device, they'll probably say 'Reconnect' next to it
1. iPhones : Tap 'Edit' in top left corner, and the red icon to remove the key/account
2. Andriod : Press & Hold on "Purdue University" to remove the key/account
3. Others : Try both of the above methods?
Direct them to purdue.edu/boilerkey
Access the User's Boilerkey Profile Page
1. Go to your own Boilerkey homepage, purdue.edu/boilerkey
2. Click the link at the bottom "Manage customer BoilerKey"
3. Put their username in the search field
4. Remove all devices from their Boilerkey Profile
  1. You should see only one device listed, click the remove option
  2. If you see multiple devices, you should confirm you're only removing ones not in use
  3. If any listed devices say "No, blah blah blah..." under "Ready for use", they are broken, and should likely also be removed
  4. If they have any tokens listed... do NOT remove their tokens. You'll need to divert to Option C below, this method only works if you remove ALL devices (tokens count as devices)
5. Once all devices are removed, proceed
Have the user log into using their Career Account Username/Alias and Career Account password
They SHOULD arrive on a WHITE screen that says "AUTHENTICATION FAILED you are required to use Boilerkey"
Have them click on the button to 'Set up Boilerkey"
1. From here on out, they will only have ~40 seconds per page or they will be logged out, and will have to start over
It will prompt them for their username and password again.
Click the button to "Create a Duo Mobile Boilerkey"
They should arrive on Step 1 of 6,
1. Step 1: Make sure that they have the app installed
  1. Notifications SHOULD be enabled
2. Step 2: Confirm their PIN
3. Step 3: Device Management
  1. Have them enter in a new Device Name, it SHOULD be the model of the phone, iPhone8, GalaxyS7, etc (no spaces)
4. Step 4: Activate the device via scanning or link
  1. Option 1 : Registering a new device using a computer
    1. Tap the "Get started" or "Add account" option on the Duo Mobile App
    2. The app needs to access their camera so that it can scan the app
    3. Point the camera at the QR code on screen in order to scan it
    4. "Purdue University" with a dropdown arrow and a 6 digit code should appear
  2. Option 2 : Registering a device, using itself
    1. If the user is completing the registration process on the device itself,
    2. On Step 4, click the "Option 2" link below the QR code, and follow the on screen directions
5. Step 5: Testing your device activation
  1. The username will just be their regular Career Account Username
  2. The "Boilerkey Passphrase" will be either:
    1. PIN#, comma, 'push' (####,push)
      1. In this case they'll need to tap the "Approve" option on the notification that their phone receives WITHIN 15 seconds of clicking the "Test Boilerkey Authentication" button.
    2. PIN#, comma, 6-DIGIT-CODE (####,######)
      1. The code will come from the DuoMobile app (tap the dropdown arrow next to Purdue University)
      2. You MUST tap the refresh icon EVERY time BEFORE putting the code into the login prompt
      3. There are no spaces in the Passphrase or Code
      4. Some phones show the Refresh icon as a key and needs to be 'toggled' for a new code
  3. This Login page works like any other CAS login or test page, and can be troubleshooted in the same way
6. Step 6: The setup process is complete, their new device is setup for Boilerkey Authentication, continue below
Since they haven't already enabled their Self-Recovery Tool, they should do so now
1. Direct them back to the Boilerkey homepage, purdue.edu/boilerkey
2. Next to the ambulance icon, they should click "Enable BoilerKey Self-Recovery via text messaging"
3. Enter their cellphone number and send a verification code via text
4. Enter the code received into the next page
In the future, they can use the Self-Recovery Tool to set up a new device
1. The Self-Recovery Tool is allows a user to access a stripped down version of the Boilerkey homepage
2. The tool is accessed by clicking the "Issues with your Boilerkey?" link below the normal login prompt

New Device Activation : Option C - Bypass code and Self-Recovery Tool Setup

NOTE: This is approximately the same steps you would take for a user who has never attempted to set up Boilerkey before, and they're NOT currently required to use Boilerkey for CAS logins. They would just use their career account password to log in initially instead of PIN#,9-DIGIT-BYPASS

NOTE: This is the preferred method for setting up a new device, as it doesn't have a timeout on pages, it enables SRT, and shows them how to set up their new devices in the future.

Using this method, you can take as much time as needed for each step, with some users, this is important.
Using this option, you can get them to enable their Self-Recovery Tool FIRST, then go set up the new device, hopefully reducing future calls.
Using this option, you can teach the user some self reliance by walking them through the process of removing a device and adding a new one rather than doing it for them.
HOWEVER.... this option is slower... but if it reduces future calls... kind of worth it.

The user has identified themselves as recently getting a new device, or an issue with their device, and not able to use their Boilerkey
They either haven't set up their Self-Recovery Tool, or don't know if they have (assume they haven't if they're not sure)
YOU will need to do a Purdue Person Search (PPS) Identity Verification
NOTE: October 2019, only 3 of the 5 data points are required. Bolded ones are preferred.
1. PUID
2. Username/Alias
3. Date of Birth (DOB)
4. Address on Record
5. First & Last Name
Direct them to open purdue.edu/boilerkey in a browser (computer PREFERRED... but not REQUIRED)
YOU will need to access YOUR Boilerkey page
1. Go to purdue.edu/boilerkey
2. Click the "Manage" button in the middle with the gears
3. Click the link near the bottom "Issue Duo Bypass codes to customers"
4. Put in their PUID & username, and check the checkbox
5. You'll receive a 9-DIGIT-BYPASS code (server generated pass codes can be identified by their 9 digit nature)
If they're not already there, direct them to open purdue.edu/boilerkey in a browser (computer PREFERRED... but not REQUIRED)
1. DO NOT have them click on it, but draw their attention to the "Self-Recovery" button below the "Manage" button, we will refer back to it later.
2. Have them click the "Manage" button in the middle with the gears
They will be at a CAS login prompt, have them log in with their username,
1. Their password should be of the form PIN#,9-DIGIT-BYPASS (####,#########)
  NOTE: If their PIN has been reset at some point, can be checked on Catbert, they should instead use the form Career-Account-Password, a comma, 9-DIGIT-BYPASS (PW,#########)
Once logged in, direct them to set up their Self-Recovery Tool setup
1. Next to the ambulance icon, they should click "Enable BoilerKey Self-Recovery via text messaging"
2. Enter their cellphone number and send a verification code via text
3. Enter the code received into the next page
  NOTE: There have been some issues lately where this fails, about 80% of the time it works the second time, if it still doesn't work by the third time skip this step and send the ticket to ITAP_IDENTITIY_MGMT
  Check the 'Potential Problem ?" checkbox and document the reason for escalating.
4. They should get the message "The changes to your cell phone settings have been saved"
In the future, they can use the Self-Recovery Tool to set up a new device
1. The Self-Recovery Tool is allows a user to access a stripped down version of the Boilerkey homepage
2. Explain to them how the tool is accessed by clicking the "Self-Recovery" button back on the Boilerkey landing page
3. The Self-Recovery Tool setup should have opened in a new tab, if they close out of it, they should be back on the Boilerkey homepage
Once they're back on the Boilerkey homepage,
1. Tell them that this is the EXACT process that they will use in the future to set up a new device (once they've authenticated with SRT)
2. Have them click on the option at the top to "Set up a new Duo Mobile Boilerkey" (next to the green square Duo icon)
3. Step 1: Make sure that they have the Duo Mobile app installed on their new device (GREEN icon, not the BLUE one)
  1. If it prompts for it, notifications SHOULD be enabled
4. Step 2: Confirm their PIN
5. Step 3: Device Management
  1. Remove any existing "Purdue University" keys on the device, they'll probably say 'Reconnect' next to it
    1. iPhones : Tap 'Edit' in top left corner, and the red icon to remove the key/account
    2. Android : Press & Hold on "Purdue University" to remove the key/account
    3. Others : Try both of the above methods?
  2. On the computer, they'll probably see their previous device listed with an option to remove. Assuming they're not still using it, remove the device. (It will just clutter things up)
  3. Have them enter in a new Device Name, it SHOULD be the model of the phone, iPhone11plus, GalaxyS7, etc (no spaces, no special characters)
6. Step 4: Activate the device via scanning or link
  1. Option 1 : Registering a new device using a computer
    1. Tap the "Get started" or "Add account" option on the Duo Mobile App
    2. The app needs to access their camera so that it can scan the app
    3. Point the camera at the QR code on screen in order to scan it
    4. It will briefly pop up a message about adding account
    5. Once added, "Purdue University" with a dropdown arrow and a 6 digit code should appear
  2. Option 2 : Registering a device, using itself
  1. 1. If the user is completing the registration process on the device itself,
    2. On Step 4, click the "Option 2" link below the QR code, and follow the on screen directions to open the link in the app
7. Step 5: Testing your device activation
1. 1. The username will just be their regular Career Account Username
    1. The "Boilerkey Passphrase" will be either:
      1. PIN#, comma, 'push' (####,push)
        In this case they'll need to tap the "Approve" option on the notification that their phone receives WITHIN 15 seconds of clicking the "Test Boilerkey Authentication" button.
      2. PIN#, comma, 6-DIGIT-CODE (####,######)
        The code will come from the DuoMobile app (tap the dropdown arrow next to Purdue University)
        You MUST tap the refresh icon EVERY time BEFORE putting the code into the login prompt
        NOTE: There are no spaces in the Passphrase or Code
        NOTE: Some phones show the Refresh icon as a key and needs to be 'toggled' for a new code
    2. If a user fails to authenticate, only ONE error message is displayed in response "This is not the correct Boilerkey passphrase"
      It LIES, regardless of why it failed, this is always the message it displays,
      This Login page works like any other CAS login or test page, and can be troubleshooted in the same way
2. Step 6: The setup process is complete, their new device is setup for Boilerkey Authentication
Send them on their way, and finalize your ticket for the call.
NOTE: Ideally when you get off the phone with the user, your ticket should be ready to save. Try to work on it any time you're waiting on the user.
NOTE: If the user mentioned at all that they already had an open ticket, locate it. If it is still open, update it and resolve it, otherwise, make a new ticket.
1. Ticket header
  1. Title : "Boilerkey - New Device"
  2. Ticket Type : "Service Request"
  3. Submission Method : "Phone" or "Walk-in"
    NOTE: If this was an existing ticket, leave this as it was.
  4. Status : "Resolved" (assuming you resolved it)
  5. Resolution Code : "Completed Successfully" (assuming you did)
  6. Schedule Date : Set for 1 week, 7 days, from now
    NOTE: Do not EVER use the "Current date and time" checkbox, EVER!
2. Contact Information Tab
  1. User ID: Fill in their username
  2. Press 'Enter' key to auto-fill the rest of the fields on this tab
3. Issue Information Tab
  1. Category : "Security"
  2. Service : "Identity & Access Management"
  3. Service Offering : "Boilerkey"
  4. Another dropdown should appear when you select "Boilerkey",
    1. Assuming you followed the above process, you should Ctrl+Click to select AT LEAST:
      1. "Boilerkey-Bypass Code"
      2. "Boilerkey-New Device"
    2. If any other issues came up, you'll want to also select them, and elaborate in your tech notes
  5. Urgency : "Scheduled" (should auto-fill)
  6. Impact : "Minimal" (should ALWAYS be selected, Moderate is 40+ people)
  7. Tech Notes : Anything irregular about the call, anything of note. These are a pretty 'standard' call by this point, so usually left blank.
4. Customer Note
  1. These are a pretty standard and frequent call by this point, you should probably have a Customer Note made up for just this type of call.
  2. Consult with your Supervisor if you don't know how to make a note, or aren't sure what to include in it.
5. Assignees and Notifications
  1. Assign the ticket,
    1. Using the dropdowns,
    2. Find your team,
    3. Find yourself within that team,
    4. Double-click to assign
  2. Check the "Contact" checkbox on the right so that the user receives your Customer Note
  3. If you feel like the call went well, or above average, check the "Send Survey to Customer" box also
Save the ticket, prepare for your next customer

New Authentication Device

The MOST common 'Boilerkey call/issue' of late are due to the user getting a new device.

Boilerkey credentials through the Duo Mobile are tied to the particular device that they were created on. They can not be copied onto a new device either by the user... or malicious actors, this is an intentional security feature.

0 Comments