Two Factor Authentication (TFA; 2FA) is a security process in which two methods of authentication are used to verify who you are.

Two Factor Authentication Two Factor Authentication (TFA; 2FA) is a security process in which two methods of authentication are used to verify who you are. For example, one method currently utilized within Infor is your network username and password. By introducing another method of authentication, such as a PIN code created within an app on your mobile phone, both your network password and the PIN would be used together to authenticate you. In short, two-factor authentication keeps logins secure by preventing access to Infor through password guessing or brute force dictionary attacks. The TFA vendor chosen by Infor is Duo Security. Duo Security Overview Most two factor solutions implement secondary authentication by a single method, providing a unique code (either via a soft or hard token). The employee is required to enter this code each time at logon. To make this process easier, Duo Security utilizes Duo Push. Authenticating with Duo Push is as easy as tapping a button on your phone. No phone calls to wait for or passcodes to type in. Duo Push is the easiest form of secondary authentication. Once Duo Mobile is installed and activated on your phone, you can authenticate with just one tap of a button. Page 1

TFA Device Options A TFA device is something you have, such as your smartphone, and provides the key (second factor) method beyond your Infor account and password. The device is uniquely registered/associated to your Infor account. Duo TFA works in conjunction with a number of different methods. The following is a list of those methods in their order of preference. Method Duo Push (Preferred Method) Duo Mobile SMS Code Voice Phone Hardware Token Description An application, Duo Mobile, is installed on your smartphone or tablet. An authorization request is made from Infor s VPN and the request for approval is then sent to your smartphone or tablet. If connected to Wi-Fi, no cellular data plan is needed/used; otherwise, cellular data will be used. Depending on your mobile data plan, additional charges may occur if you elect to use this method on a personal cell phone. Same application as above. When launching the application, you manually request a code. No connectivity (mobile or Wi-Fi) is needed for this method. Authorization request is made from Infor s VPN and a text message is sent from Duo to your smartphone or tablet. Depending on your SMS plan, additional charges may occur. A text message is not needed on each authentication as codes are sent in batches of 10. Please note that Infor will also incur charges if this method is used so we ask that you avoid using this option frequently if possible. Authorization request is made from Infor s VPN and a phone call is made to your smartphone or landline. Depending on your mobile voice plan, additional charges may occur. Please note that Infor will also incur charges if this method is used so we ask that you avoid using this option frequently if possible. A physical device that generates passcodes. Device purchase is required. Limited availability. TFA tokens will be supplied at the discretion of Infor s IT Department and will only be supplied if Duo Mobile, Push, SMS or Voice Phone are not feasible options or if they become too expensive due to the usage frequency. Registering/Adding/Enrolling a TFA Device Duo's self-enrollment process makes it easy to register and add devices for use with TFA. If you have a smart device, you can also install and activate the Duo Mobile application on your smartphone or tablet via this same process. Registering is as easy as logging into VPN via the links provided below. When you login you will be prompted to enroll in Duo TFA. Step: 1 Step: 2 Open a browser and navigate to the appropriate link below for your region. Note that this should be done from a computer and not the device (smartphone or tablet) that you are enrolling. Americas: https://vpn-am.infor.com EMEA: https://vpn-emea.infor.com APAC: https://vpn-ap.infor.com China: https://vpn-cn.infor.com Enter your Infor AD/network employee ID and password. Page 2

Step: 3 The Duo Welcome Screen will appear. Click Start Setup. Step: 4 Choose your primary (default) authenticator/device method for TFA (we recommend using a smartphone if you have one), then click Continue. Step: 5 Step: 6 Select your country and enter your phone number. Use the number of your smartphone, landline, or cell phone that you'll have with you when you're typically logging into the Infor network. You can enter an extension if you chose "Landline" in the previous step. Verify that you have entered the number correctly, check the box, and click Continue. Step: 7 For smartphone or tablet devices, choose the operating system for your device. Page 3

Please click on the appropriate platform link below for specific setup instructions: iphone Android BlackBerry Windows Phone Other Page 4

iphone Setup Instructions Step: 1 Step: 2 Step: 3 On the What operating system does this device run screen select the iphone option and click Continue. On your device, access the Apple Application Store and search for and install Duo Mobile. Once installed, check the I have Duo Mobile installed box and click Continue. Step: 4 Step: 5 Step: 6 Step: 7 Step: 8 Launch Duo Mobile on your device and tap Add Account. If prompted to allow Duo Mobile to send you notifications, click OK. Accept the License Agreement by tapping Accept. Tap Add Account on your mobile device. If prompted to allow Duo Mobile to access your camera, tap OK. Tap Scan Barcode on your device. Scan the barcode displayed on the Infor SSL VPN Service webpage. See example below: NOTE: Do not scan the bar code in this document. Page 5

If you can t scan the barcode, click the click here link on the web page. You ll have the option to provide an email address to activate your device. You will need to open the email on the device you are adding. Step: 9 Once scanned, you ll receive a notification that the account was added successfully. Step: 10 Click Continue. You will see your added device. Note that the first device you add will be set as your default authentication device. Step: 11 If you need to enroll another device, click Enroll another device, otherwise click Done. The process of enrolling another device is similar to when you added your first device: 1) Click Enroll another device. 2) Select the type of device you wish to enroll. 3) Follow the prompts to complete the process of adding another device. Important: Infor requires that you enroll a secondary device to cover cases where your cell phone is unavailable, battery dies, etc. For instance, you can enroll your business direct dial or home phone number to ensure you have a backup method of access. You will need to utilize the second (backup) method in Duo for VPN access should there be an issue with or if you should lose your primary device. You can think of your secondary device as being similar to an extra set of keys you would have for your car. If you lose the primary keys, you have a backup. On the secondary method, make sure it is a completely different physical device since a Smartphone can have 4 methods (push, manual code, sms & phone call) of authentication. If you lose the smartphone, you need an alternative device such as a tablet or your desk phone. Page 6

If you need to make changes to an existing device or you wish to add another device, please see the Managing your Devices & TFA Account section of this document. NOTE: For IOS devices (iphone, ipad), you may want to change the notification style used by the Duo Mobile application so that the notifications appear more clearly on your device. To do so, follow the steps below. 1. Tap Settings. 2. Tap Notifications. 3. Scroll down and tap Duo Mobile. 4. In the Alert Style When Unlocked section, select Alerts. See below. Page 7

Android Setup Instructions NOTE: If you are located in China, please follow the steps located here: Android Duo Setup - China Step: 1 Step: 2 Step: 3 On the What operating system does this device run screen select the Android option and click Continue. On your device, access the Google Play Store and search for and install Duo Mobile. Once installed, check the I have Duo Mobile installed box and click Continue. Step: 4 Step: 5 Launch Duo Mobile on your device and tap Add Account. Scan the barcode displayed on the Infor SSL VPN Service webpage. See example below: NOTE: Do not scan the bar code in this document. If you can t scan the barcode, click the click here link on the web page. You ll have the option to provide an email address to activate your device. You will need to open the email on the device you are adding. Step: 6 Once scanned, you ll receive a notification that the account was added successfully. Page 8

Step: 7 Click Continue. You will see your added device. Note that the first device you add will be set as your default authentication device. Step: 8 If you need to enroll another device, click Enroll another device, otherwise click Done. The process of enrolling another device is similar to when you added your first device: 1) Click Enroll another device. 2) Select the type of device you wish to enroll. 3) Follow the prompts to complete the process of adding another device. Important: Infor requires that you enroll a secondary device to cover cases where your cell phone is unavailable, battery dies, etc. For instance, you can enroll your business direct dial or home phone number to ensure you have a backup method of access. You will need to utilize the second (backup) method in Duo for VPN access should there be an issue with or if you should lose your primary device. You can think of your secondary device as being similar to an extra set of keys you would have for your car. If you lose the primary keys, you have a backup. On the secondary method, make sure it is a completely different physical device since a Smartphone can have 4 methods (push, manual code, sms & phone call) of authentication. If you lose the smartphone, you need an alternative device such as a tablet or your desk phone. If you need to make changes to and existing device or you wish to add another device, please see the Managing your Devices & TFA Account section of this document. Android Note: Some Android tablets run highly customized versions of the Android OS. If there is no automatic notification pop-up, you need to manually launch the App and tap the Sync/Refresh button. This is typically due to the missing required Google Play Services that are not installed on your devices by the manufacturer. The App will display a warning. Page 9

Android Setup Instructions China Step: 1 As Google Play is not available for China Android users, please download & install Duo Mobile App using the following link from your mobile device. https://dl.duosecurity.com/duomobile.apk You can also install Duo Mobile by scanning the following QR code. Step: 2 You should see the following popup window on your mobile device. Click access to continue. Step: 3 Once the download process completes, the following installation window appears. Click install. Page 10

Step: 4 When the installation is complete, click open to run Duo Mobile. You can also find the following Duo Mobile Icon in applications list. Step: 5 Start with Step 3 from the link below to complete the setup process. Duo Mobile Setup Page 11

BlackBerry Setup Instructions You will be required to use a BlackBerry World login to download and install the Duo Security app from BlackBerry World. NOTE: If you are using a Blackberry device with OS version 7.1 or earlier, you will automatically receive the Duo application from the Infor Blackberry Enterprise Server (BES). To check the OS version on your Blackberry, compose a new email message, enter myver (minus the quotes) in the message field and press return. For example: 9800/6.0.0.135 (the last set of numbers is your OS version). If you already have the Duo application installed, please skip to page 14 of this guide. If you don t have the Duo application installed, please follow the steps below. Step: 1 Step: 2 Step: 3 If you do not have a BlackBerry World login, follow the information below to obtain one. 1. Open a browser on your device and navigate to the following link and fill out the form appropriately. https://blackberryid.blackberry.com/bbid/registration/registration_eula.seam You will receive an email from donotreply@blackberry.com. You must click the link to confirm your email address within 72 hours of receiving the email. If you do not confirm your account, you will not be able to use BlackBerry World. Ensure you have the latest version of BlackBerry World installed on your device. To do so, follow the steps below: 1. Open a browser on your BlackBerry and navigate to the following site: http://appworld.blackberry.com 2. Select the Upgrade Today button. 3. Click Download, select your language and click Next. 4. Click Download and then Replace. You will need to reboot/restart your device. Start the Blackberry World application and search for Duo Mobile. Step: 4 Step: 5 Step: 6 Step: 7 Step: 8 Select Apps then select Duo Mobile. Select Download and agree to the License Agreement by clicking I Agree. Click Yes on the Application Permission screen. Click Open once the installation is complete. On the What operating system does this device run screen select the BlackBerry option Page 12

and click Continue. Step: 9 Select the BlackBerry OS version your device is running then click Continue. The setup instructions will be different depending on the BlackBerry OS version you are running. Please select the appropriate BlackBerry version for your phone from the choices below for the correct setup instructions. BlackBerry 7.1 or earlier BlackBerry 10 Page 13

BlackBerry OS version 7.1 or older setup instructions Step: 1 Check the I have Duo Mobile installed box and click Continue. Step: 2 Enter your Infor email address and click Send Email. Step: 3 On your Blackberry device, check your email for a message from Duo Security. Follow the link provided within the email. Step: 4 Click Continue. You will see your added device. Note that the first device you add will be set as your default authentication device. Page 14

Step: 5 If you need to enroll another device, click Enroll another device, otherwise click Done. The process of enrolling another device is similar to when you added your first device: 1) Click Enroll another device. 2) Select the type of device you wish to enroll. 3) Follow the prompts to complete the process of adding another device. Important: Infor requires that you enroll a secondary device to cover cases where your cell phone is unavailable, battery dies, etc. For instance, you can enroll your business direct dial or home phone number to ensure you have a backup method of access. You will need to utilize the second (backup) method in Duo for VPN access should there be an issue with or if you should lose your primary device. You can think of your secondary device as being similar to an extra set of keys you would have for your car. If you lose the primary keys, you have a backup. On the secondary method, make sure it is a completely different physical device since a Smartphone can have 4 methods (push, manual code, sms & phone call) of authentication. If you lose the smartphone, you need an alternative device such as a tablet or your desk phone. If you need to make changes to and existing device or you wish to add another device, please see the Managing your Devices & TFA Account section of this document. Page 15

BlackBerry OS version 10 setup instructions Step: 1 Check the I have Duo Mobile installed box and click Continue. Step: 2 Step: 3 Check the I have Duo Mobile installed box and click Continue. Scan the barcode displayed on the Infor SSL VPN Service webpage. See example below: NOTE: Do not scan the bar code in this document. If you can t scan the barcode, click the click here link on the web page. You ll have the option to provide an email address to activate your device. You will need to open the email on the device you are adding Step: 4 Once scanned, you ll receive a notification that the account was added successfully. Page 16

Step: 5 Click Continue. You will see your added device. Note that the first device you add will be set as your default authentication device. Step: 6 If you need to enroll another device, click Enroll another device, otherwise click Done. The process of enrolling another device is similar to when you added your first device: 1) Click Enroll another device. 2) Select the type of device you wish to enroll. 3) Follow the prompts to complete the process of adding another device. Important: Infor requires that you enroll a secondary device to cover cases where your cell phone is unavailable, battery dies, etc. For instance, you can enroll your business direct dial or home phone number to ensure you have a backup method of access. You will need to utilize the second (backup) method in Duo for VPN access should there be an issue with or if you should lose your primary device. You can think of your secondary device as being similar to an extra set of keys you would have for your car. If you lose the primary keys, you have a backup. On the secondary method, make sure it is a completely different physical device since a Smartphone can have 4 methods (push, manual code, sms & phone call) of authentication. If you lose the smartphone, you need an alternative device such as a tablet or your desk phone. If you need to make changes to and existing device or you wish to add another device, please see the Managing your Devices & TFA Account section of this document. Page 17

Windows Phone Setup Instructions Step: 1 Step: 2 Step: 3 On the What operating system does this device run screen select the Windows Phone option and click Continue. On your device, access the Windows Application Store and search for and install Duo Mobile. Once installed, check the I have Duo Mobile installed box and click Continue. Step: 4 Step: 5 Launch Duo Mobile on your device and tap Add Account. Scan the barcode displayed on the Infor SSL VPN Service webpage. See example below: NOTE: Do not scan the bar code in this document. If you can t scan the barcode, click the click here link on the web page. You ll have the option to provide an email address to activate your device. You will need to open the email on the device you are adding. Step: 6 Once scanned, you ll receive a notification that the account was added successfully. Page 18

Step: 7 Click Continue. You will see your added device. Note that the first device you add will be set as your default authentication device. Step: 7 If you need to enroll another device, click Enroll another device, otherwise click Done. The process of enrolling another device is similar to when you added your first device: 1) Click Enroll another device. 2) Select the type of device you wish to enroll. 3) Follow the prompts to complete the process of adding another device. Important: Infor requires that you enroll a secondary device to cover cases where your cell phone is unavailable, battery dies, etc. For instance, you can enroll your business direct dial or home phone number to ensure you have a backup method of access. You will need to utilize the second (backup) method in Duo for VPN access should there be an issue with or if you should lose your primary device. You can think of your secondary device as being similar to an extra set of keys you would have for your car. If you lose the primary keys, you have a backup. On the secondary method, make sure it is a completely different physical device since a Smartphone can have 4 methods (push, manual code, sms & phone call) of authentication. If you lose the smartphone, you need an alternative device such as a tablet or your desk phone. If you need to make changes to and existing device or you wish to add another device, please see the Managing your Devices & TFA Account section of this document. Page 19

Other Mobile Device Setup Instructions Select the appropriate link for the device you have. Windows Mobile (previous Version) J2ME/Symbian Palm For other cell phones (non-smart phones), continue with these steps below to receive SMS passcodes. Step: 1 On the What operating system does this device run screen select the Other option and click Continue. The device will be added. Step: 2 If you need to enroll another device, click Enroll another device, otherwise click Done. The process of enrolling another device is similar to when you added your first device: 1) Click Enroll another device. 2) Select the type of device you wish to enroll. 3) Follow the prompts to complete the process of adding another device. Important: Infor requires that you enroll a secondary device to cover cases where your cell phone is unavailable, battery dies, etc. For instance, you can enroll your business direct dial or home phone number to ensure you have a backup method of access. You will need to utilize the second (backup) method in Duo for VPN access should there be an issue with or if you should lose your primary device. You can think of your secondary device as being similar to an extra set of keys you would have for your car. If you lose the primary keys, you have a backup. On the secondary method, make sure it is a completely different physical device since a Smartphone can have 4 methods (push, manual code, sms & phone call) of authentication. If you lose the smartphone, you need an alternative device such as a tablet or your desk phone. If you need to make changes to and existing device or you wish to add another device, please see the Managing your Devices & TFA Account section of this document. Page 20

Managing your Devices & TFA Account Device management allows you to easily edit and add new devices. To manage your devices, log onto one of the Infor VPN URL s listed below: Americas: https://vpn-am.infor.com EMEA: APAC: China: https://vpn-emea.infor.com https://vpn-ap.infor.com https://vpn-cn.infor.com Once connected, follow the instructions below. Step: 1 Step: 2 Select the device you want to use to authenticate you. Be sure to have the device with you. Duo Push is the recommended and default method. Click Manage devices. Check your device for the login request approval. See example below: Step: 3 Step: 4 Tap Approve and then Confirm. You can choose to enroll another device or click the Actions dropdown to select the appropriate action. For example, you can change/set your default device from the Action dropdown menu. If you choose to add a new device, the process will be similar to when you added your first device. 1) Click Enroll another device then select the type of device you wish to enroll. 2) Follow the prompts to complete the process of adding another device. Page 21

Using Duo 2FA Once you ve completed the initial enrollment and successfully logged in via the VPN URL, all future VPN connections can be done by launching the Cisco AnyConnect client already installed on your computer. Step: 1 Step: 2 Launch AnyConnect as you normally would and select the appropriate region for your location, such as Americas. Click the Connect button. You will see an additional (Second) password field. Step: 3 Step: 4 Enter your Infor network password in the first password field. In the Second Password field, you have the following methods to authenticate with Duo: Method One (Preferred): To receive a Push notification on your default Duo device, enter push (without the quotes) in the Second Password field and click OK. Check your device for a Duo notification and tap Approve then Confirm to connect to VPN. Method Two: Using your default Duo device, open the Duo Mobile app and tap the key icon (see below) to generate a pass code. Enter this code in the Second Password field and click OK. Method Three: To receive an SMS text message on your default device, enter sms (without the quotes) in the Second Password field and click OK. The AnyConnect login process will fail, but you will be prompted again to log in. Check your default device for an SMS text from Duo. The SMS text from Duo will provide a batch of 10 passcodes that you can use. You can use any of the provided codes. Page 22

Note that these passcodes do not expire but each can only be used once. Once you have used all 10 codes, you would need make another SMS request for additional codes. Method Four: To receive a phone call on your default device, enter phone (without the quotes) in the Second Password field and click OK. Answer your default device. When prompted, press 1 on your phone to approve the authentication and log in. Method Five: Using an Infor provided hardware token you can generate a passcode. Enter the passcode displayed. Device purchase is required. Limited availability. Note: You can also add a number to the end of these method options if you have more than one device registered. For example, entering push2 (without the quotes) will send a login request to the second device you setup, such as another smartphone or tablet. Entering phone3 (without the quotes) will cause your third phone to ring, etc. Page 23

Issues/Troubleshooting Q. I made a mistake or missed the mobile application setup process and need to make an adjustment A. You can manage your account yourself. Just go to the provided VPN web URL. Choose phone as the authentication option, Duo will call you to complete TFA on the number you provided and then you can add other methods or change it. After you login via the VPN URL, pick Manage Devices. Your device(s) will be listed. To Activate Duo Mobile, under actions to the right, click and then select Activate Duo Mobile. The GUI will walk you through the process. Q. I am not receiving the phone call or SMS message on my device A. Check for the correct number, outside of a typo, the likely cause is that the call or SMS is being blocked to your phone provider. We ve seen this case in India via the DoNotCall List and we found that registering will block outside messages (via http://ndnc.in) Q. I didn t receive a push notification on Duo Mobile? A. You may need to refresh Duo to check for the notification. Here s how: 1. Open Duo Mobile on our smartphone. 2. Once opened, swipe down to refresh the screen. Click on the link below to see an example. Screen Refresh Q. Does it cost me anything to use the service via my personal mobile phone? If so, will I be reimbursed by Infor? There is no cost for the Duo Mobile smartphone app. If you are not using the Smartphone App, text messages and voice calls are sent only when you request them, and they would be billed by your carrier in the same way that any other text message or call would. Any expenses associated with Duo will be covered under Infor s current expense rules. Q: I'm often in a location where I have poor cell coverage; how can I use the service? A: In cases where cell coverage is not available, use the Duo Mobile App to generate a passcode by selecting the key icon next to Infor" service in the list. Use the passcode as your second factor. If you're not using a smartphone (and therefore do not have access to the app), generate passcodes in advance via SMS. Q: I have Duo Mobile installed on my iphone, but I can t scan the barcode (the scan window is black) A: It s possible that when you initially installed Duo Mobile that you didn t allow Duo to access your camera. To resolve this, on your iphone, go to Settings and scroll to the bottom of the list and find Duo Mobile. Tap Duo Mobile, Privacy, and then slide the dial to the left (so that it shows green) to allow Duo to access your camera. Try scanning the barcode again. Q: I have Duo Mobile installed on my iphone, but I m not receiving a notification on my phone when I try to log into VPN Page 24

A: It s possible that when you initially installed Duo Mobile that you didn t allow Duo permissions to send you notifications. To resolve this, on your iphone, go to Settings and scroll to the bottom of the list and find Duo Mobile. Tap Duo Mobile, Notifications, and then slide the dial to the left (so that it shows green) to allow Duo to send you notifications. You will need to restart your phone to start receiving Duo notifications. Q: I had to re-register my smartphone within the Duo Mobile application. Now I see Infor listed twice. How do I remove the old entry? A: To remove the old entry, simply long press the entry and select Remove Account. Page 25