Multi-Factor Authentication FAQs
Set Up Multiple Methods for MFA
Always set up at least two methods of multi-factor authentication (MFA). This way you always have a backup MFA method should one change or be momentarily unavailable when you need it.
Microsoft MFA:
- This includes the Microsoft Authenticator App (Push notification or one-time password code) and SMS text messaging.
DUO MFA:
- This includes the Duo Authenticator App (Push notification or one-time password code), Backup Codes, and Security Key (web apps only).
MFA Troubleshooting
- You are encouraged to generate Duo MFA backup codes ahead of time so that you can access your accounts without your phone. Generating these codes at the same time you enroll in Duo MFA is recommended.
- To use DUO backup codes, see Authenticating with a backup code.
- It is also recommended that you enroll multiple devices, such as a smartphone and a tablet, to reduce the chances that you cannot access a device in order to use MFA.
- If you are unable to access your account, please call the IS Service Desk.
Recovering MFA on a new phone depends on what options you set up:
Microsoft Authenticator app
- The Microsoft Authenticator app has a backup and restore option. If you enabled backup on your previous phone, download the Authenticator app again on your new phone and restore it. For instructions, see this Microsoft article.
- You can enable the backup option on an old phone if you have not set this up yet and restore the Authenticator app on your new phone.
- If you did not back up your previous phone's Authenticator app and no longer have access to it, then visit https://aka.ms/mfasetup. You may be prompted for the Authenticator app; if so, select "I can't use my Microsoft Authenticator app right now" from the sign-in request screen. Select one of your backup phone numbers (or emails) and complete authentication.
- Without any backup phone numbers (or email), contact the IS Service Desk for assistance.
- You may remove your own device using the Device Management Portal. You will have to authenticate with a backup code, a secondary enrolled device, or hardware token.
- If you cannot access the Device Management Portal (this may occur if you only have one method of using MFA set up), you should contact the IS Service Desk as soon as possible to remove the lost device from Duo.
- We encourage having backup codes and multiple devices added.
- You can download the DUO app on your new mobile device.
- In special circumstances, staff may use hardware tokens as an alternate.
- A single hardware token can be used for both DUO and Microsoft Authenticator (hardware tokens are only offered to employees in special circumstances).
- Contact the IS Service Desk for more info.
- You may remove your own device from Duo MFA using any web browser via the Device Management Portal. You will have to authenticate with a backup code, a secondary enrolled device, or hardware token. See how to remove devices.
- How to unenroll from Microsoft Authenticator (info coming soon).
- If you cannot remove your own token, contact the IS Service Desk as soon as possible to remove the lost device.
- Lost or stolen tokens can be replaced by contacting the IS Service Desk.
- It is the responsibility of the hardware token user to report any lost or stolen hardware tokens as soon as possible so that they are removed from the user's account.
- When visiting the IS Service Desk to receive a hardware token, remember your photo identification to provide proof of your identity.
- Hardware Token devices which are lost, stolen, or damaged repeatedly may have replacement costs billed to the user.
You will need to add your new phone and remove your old phone. There are several options to achieve this.
- If possible, add your new mobile device to Authenticator and/or Duo while you still have access to your previous phone. For how to do this, see Duo and/or Authenticator.
- If you are restoring your new phone from a backup, you can use Duo Restore, which allows you to migrate Duo from your old device to a new device. Please see: https://guide.duo.com/duo-restore. Alternatively, you can use a backup code to access the Device Management Portal to add the new phone and remove the old one.
- This is how you get Authenticator back from your backup (info coming soon).
- First, press the red "Deny" button in the Duo app to block the request.
- Do NOT approve the request.
- Duo Mobile may ask why you are denying the request. If you suspect fraudulent activity, select "It seems fraudulent" to report it to Information Security. Select "It was a mistake" if you know it wasn't fraudulent.
- Secondly, change your password. If you are seeing a Duo prompt that you did not initiate, this indicates that someone else is using your password.
If you are receiving one or more prompts in the Duo app that do not correspond to a login attempt initiated by you, this indicates that someone has your password and is trying to use it.
- It is critical that you Deny any Duo prompt that is not expected.
- Do not approve any Duo Push Notifications that you did not initiate yourself.
- Ensure that you are sending the push to your device by pressing "Send Me a Push" when you are trying to authenticate.
- Ensure that your device is connected to the internet via WiFi or mobile data.
- The display of messages is device-dependent and differs between Android and Apple (iOS) devices. If Duo has sent a Push request to your mobile device but the message is not visible, swiping down on your home screen should display the request.
- Otherwise, you can open Duo Mobile and any pending authentication requests will display as bars near the top of the app.
Duo Mobile requires that your authentication device has a data connection to the Internet via Wi-Fi or your service provider’s cellular data network to receive push notifications.
To ensure that you have a connection, you can try the following:
- Restart your device.
- Ensure that the time and date on your device are correct.
- Enable airplane mode and then disable airplane mode to force the device to reconnect to a network.
- If you are connected to a weak WiFi network, you can try disabling WiFi to use your cellular data connection.
- To confirm a network connection, try visiting a website that you've never been to before (so it isn't cached on your device).
- If you are able to authenticate to the Device Management Portal, you can try to reactivate your device.
- Should none of these actions help, see the Duo Knowledge Base for additional iOS and Android troubleshooting steps.
- If you've tried the suggestions here but can't get Duo Push working or reactivate your device yourself, please contact the IS Service Desk.
- A grey box with no options instead of the Duo Prompt.
- The message "Session Expired".
- The following error appears: "You cannot browse this page at "duo.com" because it is restricted."
- Make sure that JavaScript is enabled in Safari on your macOS or iOS device.
- Disable content restrictions on the device.
- "Your account has been locked out due to excessive authentication failures. Please contact your administrator."
- This error may result from any code being entered incorrectly multiple times, or from attempting to use an invalid code (previously used, or expired). This could be a backup code, a bypass code, a code from a hardware token, or a code from Duo Mobile.
- If you do not have a valid code or device for authentication, please contact the IS Service Desk to gain access to your account.
- If you have a valid means to gain access to your account, such as via Duo Mobile Push, you can try to use this. Your account will remain locked for a period of time, after which it will become unlocked and you will be able to authenticate.
- If your account is/was locked and you did not initiate the MFA authentication requests (you did not submit the incorrect codes), please contact IS Service Desk as this indicates your password is known to an unauthorized third party.
- "Access is not Allowed because you are not enrolled in Duo."
- When authenticating using Duo Mobile Push, authentication attempts sent to your mobile device will expire after 60 seconds if you don't respond. This timeout is not configurable.
- If you receive a "Login timed out" error within your web browser, you should send your device another push and respond within 60 seconds, or enter a passcode.
- This error will state "Request expired: Duo Mobile was unable to authenticate you because your request timed out. Please try again." in the Duo Mobile app. Please send another push to your device, or use a passcode.
- When a user successfully enters their username and password, and then is prompted by Duo within the web browser to send a push or enter a passcode, but performs no action, the session may expire after a period of time.
- Please refresh the browser page, and log in again with your username and password. You will once again be presented with an option to either send a push or enter a passcode. A response will be required within a few minutes to avoid the session expiring.
How to Authenticate
- Duo Mobile push instructions on Android.
- Duo Mobile push instructions on iOS.
- Duo Mobile Passcode instructions on iOS.
- Using a backup code instructions.
- Backup codes are created ahead of time using the Backup Portal.
- Instructions on how to create backup codes.
- Using a hardware token code instructions.
MFA Devices FAQs
- Why? In case you forget your mobile phone at home.
- You may add as many phones/devices as you like on the manage device portal.
- After this, you can choose which device Duo will send the authentication request to, when you are logging in.
- You can use any number or combination of mobile devices (i.e. both Android and Apple devices on your account, or just Apple or just Android).
- When you are ready to add additional devices, you can log into the device management portal.
- By logging into the device management portal, users can add additional mobile devices to their MFA accounts.
- Detailed instructions are available in the Device Management Guide.
- Duo provides flexibility in offering several second factors, and you do not need a smartphone to use it.
The recommended smartphone/mobile device option makes multi-factor authentication extremely convenient, but other easy options exist as well.
Those who do not have a smartphone can be issued a hardware token to generate codes.
- These codes can then be read from the hardware token display and typed into the prompt on the application login screen on your computer.
Whenever possible, smartphones should be used as they provide the best user experience.
In exceptional circumstances, hardware tokens can be delivered via interoffice mail, and enrollment completed with the IS Service Desk over the telephone.
- Hardware tokens should be used only when smartphones are not available to a user, and not as a preferential second factor.
- Users who opt to use a hardware token must visit the IS Service Desk to pick up their hardware token. The IS Service Desk will complete the enrollment process for them when they pick up the hardware token.
- See details on how to request a hardware token.
The University of Regina MFA project provides the flexibility to use several different second-factor authentication options.
The supported second factors include:
- Duo Mobile App for Push
- Duo Mobile App for Passcode
- Backup codes
- Hardware Tokens for those without a mobile device
- Duo only collects information required to provide and improve the service. Please see Duo Mobile Privacy Information for further info.
- Users of the University of Regina Duo MFA Service are required to review and agree to this document prior to enrolling in the service.
- The Enrollment Guide provides details on how to review and agree to the privacy information.
- The Duo smartphone app provides options that work without a data plan, a texting plan, or even a connection, if necessary.
- The Duo app can generate a code and it can do so anywhere in the world without a WiFi connection, a cell signal, or a data plan.
- See the Duo Mobile App with Passcode info to authenticate without data or WiFi.
- Mobile phones are the most popular choice for MFA because of their convenience.
- Most users are already using their mobile devices for email or other work-related tasks. This is because users recognize the convenience of using a personal device rather than a separate device for University tasks.
- If using a mobile phone isn't an option for you, please contact the IS Service Desk or read about the other options available in "Selecting a device for use as a second factor".
- You can discuss concerns about using a mobile phone for your job with your supervisor.
- It is important to note that the "Bring Your Own Device Standard" supports using personal devices for MFA
- In most cases, the cost of using MFA on a Mobile device will be zero. Information about privacy can be reviewed prior to enrollment by going to the enrollment portal login.
- iOS (Apple iPhone, iPad, and iPod) version 11 or above.
- Android version 8 or above. Duo recommends upgrading to the most recent version of Android available for your device. We cannot ensure compatibility of Duo Mobile with custom variants or distributions of Android.
Backup codes are unique codes that can be used in the future for MFA should your mobile device be unavailable (lost, stolen, or dead).
- It is important to create backup codes, as you may need to access a site or service which requires MFA when your device is unavailable and the IT Support Centre is closed.
Backup codes will allow you to access your applications until a new device can be added or ITSC can assist you.
- Backup codes can be created by logging into the Backup Code Portal, and saved offline.
- We suggest printing the list and keeping it somewhere safe, such as a locked desk drawer. See instructions on how to create backup codes.
- You can use a backup code to authenticate by entering the code from your list when prompted to enter a 'Passcode' by Duo.
- Users who enroll in MFA but do not create backup codes will receive email reminders to create backup codes.
- The email will ask you to see the instructions on how to create backup codes, and then log into the backup portal.
- This is a reminder to create backup codes so that you are fully enrolled in MFA. Creating backup codes is the final step in the enrollment process.
Using MFA
- Yes. Passwords are still required when using MFA.
- Passwords will continue to be used, providing better security on your account when coupled with MFA
- Passwords are something you know, and MFA is something you have. This combination is much stronger than a password alone.
- Password + Proof = Secure Access.
- The first step is to review the MFA Enrollment Guide.
- If you are ready to enroll in MFA, have your mobile device handy to start using the Duo Mobile App, then go directly to the enrollment portal.
- If you don't have a mobile device, you will need to request a hardware token.
- Once you are signed up for MFA, there is no option to opt out.
- MFA will be required to access some UofR applications, so you will be required to use MFA.
- First, you will be asked to provide your uregina.ca username and password.
- Next, you will be asked to pick a method of providing or being contacted for your second factor. This second factor can be a smartphone app (Push), a pre-generated list of off-line codes (backup codes), or an enrolled hardware token.
- If your code or push is accepted, you will be logged in as requested.
- For instructions on how to log in with MFA on various devices, see Using MFA Guide.
- You should be prepared to use Duo whenever you log in to an MFA-enabled application; however, depending on the application, you may have an option to "remember me" for up to 7 days.
- The "remember me" feature makes MFA more convenient by reducing the number of times that you'll be prompted by MFA on the same device using the same browser.
- See Remember Me info for how to use this option.
- A recent version of a web browser is needed.
- Recommended browsers are Chrome, Firefox, Safari, and Edge.
- Older versions of Chrome, especially those with the LastPass extension, may prevent the Duo interface from loading. To fix this problem, try installing the most current version of Chrome.
- If Duo does not display on a supported browser, sometimes clearing your browser's cache and cookies will resolve the issue.
- Yes, Duo Mobile is an "authenticator application" that supports a number of web based accounts, such as Facebook, Google/Gmail, Amazon, and many more services that have multifactor login enabled.
- Search the support pages of the web service you wish to enable for "multifactor authentication" or "two-factor authentication," and follow the instructions to add your Duo Mobile authenticator application.
- Duo provides instructions on how to do this at https://guide.duo.com/third-party-accounts
- Data is used only with Duo Mobile App push authentication, and almost no data is used.
- 500 pushes to your device will use 1 MB of data in total. This is roughly equivalent to loading one webpage on your smartphone.
- No data is used when connected to WiFi or when using Duo Mobile App code, hardware tokens, or backup codes.
Yes, Duo will work internationally.
- It is recommended that the Duo Mobile app passcode be used, as this method of MFA does not use data on your mobile device or require a WiFi connection. This allows you to authenticate without an internet connection on your mobile device.
- It is also recommended that backup codes be created prior to your departure and safely stored so that you can gain access in the event your device is lost or stolen.
- Hardware tokens also will allow MFA access while traveling without data connectivity, but are not the preferred method of authentication.
- The list of applications which use MFA is growing! Please see our list of MFA Enabled Applications for a current list.
- New applications are being added often.
- If you have an application or system which is not currently using MFA, and you would like it added to the MFA service, please contact IS Service Desk with your request.
- See info about Microsoft Authenticator.
- Info about Duo MFA is available at how to get enrolled in MFA, manage your devices, and use MFA to authenticate.
- If you require assistance, or have questions about MFA, please contact the IS Service Desk.
MFA Info
- MFA is open for use by U of R employees, which includes staff, faculty, researchers, instructors, IT administrators, contractors and consultants.
- MFA is currently being introduced to registered students.
- The Duo and MS Authenticator service is free to the user and funded by Information Services.
- The push method for the App, if you are connected by WiFi, is free.
- The push method, using very little data, is effectively free via cellular data depending on your data plan.
- Generating a list of one-time codes from the Multi-Factor setup page is free.
To see all of the options for authentication devices, please see MFA Second Factor Options.
Note
- Users of hardware tokens that become lost or damaged repeatedly may incur a fee for replacement.
- Users of U2F devices/Security Keys such as Yubikey or Feitian Security must supply their own device.