Multi-Factor Authentication (MFA)

• Please see the instructions on requesting hardware tokens. 
• Hardware tokens are used in special circumstances and are not available for self-service enrollment. 
• Contact the IS Service Desk to enroll with a hardware token.

1A) Go to the MFA Enrollment Page

• In a web browser, preferably on a desktop or laptop, go to the U of R Enrollment Portal.
• You will see the DUO MFA Enrollment Page.

---

1B) Review Duo Mobile Privacy Information

• Click on the "Duo Mobile Privacy Information" to review Duo provided Privacy details. This will open in a new window.

---

1C) Agree and Continue Enrollment

• Check off the "I have reviewed and agree to the privacy information provided by Duo" checkbox after reading the Duo Mobile Privacy Information. 
• Click "Continue Enrollment".

• After pressing "Continue Enrollment", you will be taken to a Central Authentication Services (CAS) log in page.
• Please continue with step 2.

2A) Log In

• The next window will be the Central Authentication Services (CAS) log in page.  
• Please enter your uregina.ca username and password, and click the green "LOGIN" button.

---

2B) Start Setup

• Review the welcome screen, and press the green "Start Setup" button.

---

2C) Select Device Type

• Select "Mobile phone" and click the green "Continue" button.

---

2D) Enter your mobile device phone number

• Enter your mobile phone number in the space provided, and select the country if not a Canadian phone number.
• Confirm your the number you've entered is your correct mobile device number by checking the confirmation box.

NOTE: This is for your mobile phone, not your office landline.

• Next, click the green "Continue" button. 

---

2E) Select Device Type

• Select your mobile phone type, and click the green "Continue" button.

• After pressing continue, please continue to step 3.

3A) Review instructions on Installing Duo Mobile for Your Device Type

• Follow the steps on your screen to install the Duo Mobile app on your device type. This will require you to download and install the "Duo Mobile" app on your device.   
• Once you have completed installing the Duo Mobile app on your mobile device, you can click "I have Duo Mobile installed" on your computer.

---

3B) Install Duo Mobile For iOS (Apple iPhone)

• First, launch the App Store on your Apple device.

Note: Your device must be on a Duo-supported version of iOS.

• In the App Store, search for "Duo Mobile".
• Tap Get and then Install to download the app.

Note: You may be prompted to log in to your Apple account to install the Duo Mobile application

---

3B) Install Duo Mobile For Android

• On your Android smartphone, launch the Google Play Store app. 

Note: Your device must be on a Duo-supported version of Android

• On your Android device, launch the Google Play Store app.
• Search for "Duo Mobile".
• Tap Install to install the app.

Note: If you are prompted to add a credit card, you can dismiss that request. You may be prompted to log in to your Google Play account to install the Duo Mobile application.

---

3C) Complete Install Process

• Once you have completed installing the Duo Mobile app on your mobile device, you can click "I have Duo Mobile installed" on your computer, and continue with Step 4, below.

4A) Add Account on Duo Mobile

• Once the "Duo Mobile" application is installed on your device, you can open the Duo Mobile application for the first time.

Note: If the Duo Mobile app asks to send you notifications, ensure you click "Allow".  This is required as this is how MFA log in notifications will be sent to your phone.

• You will see a "Welcome to Duo Mobile" screen on your mobile device.
• Tap on the "ADD ACCOUNT" button.

Note: If the Duo Mobile app asks you for permissions to access the camera, please "Ok" or "Allow". Duo Mobile will use the camera on the device to enroll accounts using QR codes.

• Your computer screen should be displaying a QR code similar to the below.

• Point your mobile device camera at the QR code on the screen, and the device will be registered.

---

4B) Configure MFA Settings

• Now that your device is registered, you can choose your default authentication option.
• You now have the option between "Ask me to choose and authentication method" or "Automatically send this device a Duo Push."
• The recommended setting is "Ask me to Choose an Authentication Mechanism". This option will allow you to take advantage of the "Remember Me" functionality.  

Note: Selecting "Automatically send this device a Duo Push" will not allow users to take advantage of "Remember Me" functionality and may result in a larger number of MFA authentication requests overall.   

• After you set this, click "Continue to Login"

---

4C) Test and Success

• You will see "Enrollment successful!" at the bottom of the screen. Congrats, your device is now registered in MFA.
• To test, press the green "Send Me a Push" button.

 

• A notification will be sent to and appear on the newly registered mobile device. On your mobile device, Tap on the notification and the Duo Mobile app will open.
• You can then approve the log in request on your phone by pressing "Approve".

• After testing your Duo Push, you will be taken back to the MFA Enrollment page where you can logout. Your device and your account are now enrolled in MFA.
• We highly recommend that you also create backup codes in the event your mobile device stops working, is lost or stolen.
• To create backup codes, please complete Step 5, below.

5A) Go to the Backup Code Page and Log In

• Go to the "Create Backup Codes" button on the MFA main page, or go to: https://novapp.cc.uregina.ca/perl/mfapasscode.cgi
• If prompted to login, please do so. You will also be presented with an MFA prompt. 
• Press "Send Me a Push".  

• A notification will arrive to your mobile device. Tap on the notification to open the Duo Mobile app.
• Tap "Approve" to log into the Backup Code Portal.

---

5B) Create Backup Codes

• Once your authentication is approved, you will now be logged in to create backup codes. Click "Get Codes".

• 10 Codes will be generated and shown on screen.

• Each code can be used to log in to a MFA protected application one time. They will expire after 1 year.
• Do not share these codes. They must be stored in a secure location. It is recommended that these codes be stored offline, such as printed and stored in a desk drawer. 
• You can generate new backup codes at any time.
• New backup codes will invalidate any old backup codes.
• The creation of backup codes is complete.
• You can now click "Logout". 

Once you enable MFA on your account, you may see an extra page after you sign into a UofR application.

• This page prompts you to authenticate on your default device, or to authenticate using another method on your device or using another device that you have previously set up.

How frequently you are asked to authenticate on your default device varies, depending upon:

• The website you're accessing (for added security, some sites always require a MFA).
• Your individual browser settings (whether or not you clear cookies).
• Whether or not you use more than one computer and web browser (MFA is requested at least every 7 days for each computer and each browser you use to access protected MFA applications).
• Whether you check the Remember me for 7 days box during the login process.

• The Uof R uses two different MFA authentication systems.
• The MFA method required is determined by the application.
• MFA project provides flexibility to use several different second factors authentication options.

To see how to authenticate with any of the supported second factors, see below guide for using MFA with each of the supported second factors:

• Microsoft Authenticator used for Microsoft security.
• Duo Mobile App for Push - if you chose Duo Mobile Push notifications, a push notification is sent to the mobile device, and you can review the request and tap Approve to authenticate. Internet or mobile access is required.
• Duo Mobile App for Passcode - launch the Duo app on your mobile device and click the down arrow to see your current six-digit passcode. Enter the passcode on the MFA screen to authenticate. Because this method is time-based, you don't need cellular service or internet access.
• Hardware Tokens - press a button on the token to obtain a passcode, then enter the passcode on the MFA screen to authenticate. This method is restricted to users with a justified business need for hardware token.
• Backup codes - requires users to generate backup codes which are stored offline (such as on paper) in your primary device (mobile device or hardware token) is unavailable. A code from the list of backup codes is entered on the MFA screen to authenticate.

For more details on second factors, please see second factor info.

By using the Duo Mobile authentication app, you can securely log in to your apps by approving a push notification send to your mobile device.

• Duo Push is the fastest and easiest way to complete two-factor authentication using your smartphones.
• It is the recommended method of authenticating as it is the most convenient and secure method of accessing your accounts with MFA.

You must already have enrolled mobile device in order to use Duo Mobile Push.
Here’s how it works:

• Enter your username and password into your login page.
• Choose 'Duo Push' as your second factor on the next screen prompt.
• Then, tap 'Approve' on the push notification sent to your phone.

The second factor authentication using Duo Mobile Push can take just a few seconds; see how in the video for iPhone or Android, below.

 Need more details?  Feel free to follow along:

Step 1) From a supported browser, go to the login page of an MFA protected application.

• Enter your username, and password, and press login.

Step 2) If you have more than one device enrolled, you'll see a device selector.

• Select the device you want to use from the drop down list. If you only have one device enrolled, you will not have this option.

If you do not wish to see the MFA prompt for 7 days on the application you are trying to use, select, "Remember me for 7 days."

Step 3) Then, please choose the authentication mechanism Duo Push by pressing "Send Me a Push."

• The browser screen will indicate that a push has been sent to your device.
• A blue bar at the bottom of the Duo screen will say "Pushed a login request to your device..."

Step 4) You will receive a notification to the mobile device you selected.

• Tap on the notification or open the Duo Mobile App.

• Verify the MFA push to your phone by making sure you initated the authenication request by verifying the username, IP address, application name, and time that the push was requested are correct.
• If the push is valid, then press Accept.

• You will now be logged into the application.

Note: If you get a push that you did not initiate, ensure you tap the red "Deny" button. Never approve any authentication requests you did not initiate personally. 

If you select Duo Mobile App Passcode as your authentication method, you use a six-digit authentication code generated by the Duo Mobile app on your smartphone or tablet to authenticate.

• This code is read from your Duo Mobile app on your smartphone, and typed into the MFA prompt on in your browser to validate your identity.
• Internet or cellular access is not required. This is a great option to use when you are traveling and may not have wifi or mobile data.
• To use the Duo Mobile Passcode to authenticate, you must be already enrolled with at least one mobile device (smartphone or tablet).
• To authenticate, launch the Duo Mobile app on your device and then tap the key icon to get the authentication code.

Detailed step-by-step instructions for using Duo Mobile Push

Step 1) From a supported browser, go to the login page of an MFA protected application.

• Enter your username, and password, and press login.

Step 2) If you do not wish to see the MFA prompt for 7 days on the application you are trying to use, select, "Remember me for 7 days."

Step 3) Then, choose the authentication mechanism Duo Mobile Push by pressing "Enter a passcode."

A blue bar at the bottom of the screen will appear and state "Enter a passcode from Duo Mobile."

Step 3) Open the Duo Mobile app on your mobile device.

• In the Duo Mobile app, a "Duo Protected / University of Regina" section will appear.
• Tap the down arrow (circled in red) on the right side of the screen to expand the "Duo Protected / University of Regina" section.

• A six-digit passcode is displayed (circled in red).
• This is your Duo Mobile Passcode.

Step 4) Enter this code in the Duo Prompt on your computer screen, and click the green "Login" button.

• You will now be logged into the application. 

If you are a MFA user who has an enrolled hardware token, you can use the hardware token to generate passcodes for use with the U of R Duo MFA.

These same tokens can also be enrolled with Microsoft Authenticator.

Hardware tokens aren't recommended unless a user does not have a mobile device.  

To authenticate using a hardware token:

• Ensure that you have your hardware token handy.
• Enter your username and password into your login page.
• Choose 'Enter a Passcode' as your second factor on the next screen prompt.
• Press the green button on the Duo Hardware Token to generate a code.
• Type in the code into the space provided on the on-screen Duo prompt, and click Log In.

For more details, see the steps below to authenticate using a hardware token:

Step 1) From a supported browser, go to the login page of an MFA protected application.

• Enter your username, and password, and press login.

Step 2) If you do not wish to see the MFA prompt for 7 days on the application you are trying to use, select, "Remember me for 7 days."

Note: Using the "Device:" drop-down menu to select your token is not necessary before entering the passcode.

Step 3) Please choose the authentication mechanism Duo Passcode by pressing "Enter a passcode."

Step 4) Use HyperOTP hardware token to Generate Code
Press the green button on the Duo Token. A 6 character code will appear on screen.

• This code will remain on screen for 30 seconds.  
• Pressing the button again will generate a new code, and invalidate previously generated codes.

Step 5) Enter this code in the Duo Prompt on your computer screen, and click the green "Login" button.

• You will now be logged into the application. 

If you do not have access to your primary authentication device, you can use backup codes to authenticate.

• For example, if your mobile phone has a dead battery, you can use backup codes to authenticate until your phone is charged.
• Or if you normally use a hardware token, but have left it at home, you can use backup codes until you can retrieve your hardware token.

Instructions on how to create backup codes are found in the Enrollment Guide below under Step 5: Create Backup Codes.

• Backup codes must be generated in the backup code portal. Y
• ou are allowed to generate up to 10 codes at a time, and they are valid for 1 year.
• Each code can be used only once, and then it is invalid.

Before you can authenticate with a backup code, ensure that you have valid backup codes generated. The backup code is read from your list of backup codes, then typed into the MFA prompt on in your browser to validate your identity.

• These codes are not intended for daily use, rather they are designed for emergency 'backup' use.

To authenticate, you will need to:

• Ensure that you have backup codes handy.
• Enter your username and password into your login page.
• Choose 'Enter a Passcode' as your second factor on the next screen prompt.
• Then type in a valid backup code and press 'Login'.

Detailed step-by-step instructions for using Backup Codes

Step 1) From a supported browser, go to the login page of an MFA protected application.

• Enter your username, and password, and press login.

Step 2) If you do not wish to see the MFA prompt for 7 days on the application you are trying to use, select, "Remember me for 7 days."

Step 3) Then, please choose the authentication mechanism Duo Passcode by pressing "Enter a passcode."

Step 4) Find your previously generated list of backup codes.

• Codes should be generated proactively; preferably at enrollment time, but can be generated after enrollment as well.

These are generated in the backup code portal, and will appear as follows:

• Codes are valid for 1 use or 1 year, whichever occurs first.  
• To generate codes, please see the enrollment guide.

Step 5) Enter Backup Code into MFA Prompt

• Select an unused and unexpired backup code from your list of previously generated backup codes.
• Enter this code into the MFA prompt as circled, below. The code will be 9 digits.
• Then click the green "Log In" button.

• You will now be logged into the application. 

If you are using backup codes because you can not access your primary device and you will not be able to access this primary device (mobile phone, tablet, or hardware token), it is recommended you either add a new device to your account, or contact the IS Service Desk to ensure that your ability to authenticate is not interrupted.

Further Information

• Log in to the Bypass Code Creation Portal
• Use "Remember Me" Functionality

Learn about which second factor devices can be added to your MFA account.

We strongly recommend adding at least two devices to your MFA account in case you cannot access your primary device for any reason.

• Plan ahead by generating backup codes and enrolling a secondary mobile device so that you can always get into your account.
  • If you cannot access your primary phone and have no backup codes or secondary devices, contact ITSC.
• If you haven't already, ensure that you are an enrolled MFA user.
• To become an enrolled user, please complete the enrollment process.

To complete the add MFA device process, you must be an enrolled MFA user with one or more devices already added to MFA. 

Step 1)  Log Into the Device Management Portal

Go to the "Device Management Portal Login" at https://novapp.cc.uregina.ca/perl/mfamanagedevice.cgi

Enter your username and password, and click the green "Login" Button.

There are various reasons you may wish to remove a device from your Duo account. You may need to remove a device no longer in use, either because you have a new device or because the device is lost or stolen.  

• To reduce security risk, make sure you remove lost or stolen devices from your account immediately.
• If your lost or stolen device is University-owned, report it to the IS Service Desk as soon as possible.

If your new device is replacing the one you previously enrolled, you can remove the device you won't be using any more for authentication. For example, if you have a new phone added to your account, you can remove your old phone.

Note: Before removing a device, ensure that you have added a new device to replace it, or will have at least one MFA authentication device on your account remaining. 

• You should remove a device from Duo after adding a new device to your account or if you have a backup device connected. If you delete all of your devices, you may be unable to authenticate, and will need assistance from the Information Technology Support Centre.

Note: While it is possible to remove a device from your MFA Device options, it is not possible to remove your account from MFA after enrolling as a user.

Step 1) Log Into the Device Management Portal 

• Go to the "Device Management Portal Login" at https://novapp.cc.uregina.ca/perl/mfamanagedevice.cgi
• Enter your username and password, and click the green "Login" Button.

• The MFA Hardware tokens produce a new passcode each time the button is pressed, and can be used to authenticate by entering the passcode into the MFA prompt. See, Duo instructions on how to use a hardware token to authenticate to an application.
• See, Authenticator set up and hardware token instuctions.

Backup codes are important to create in advance, in case your hardware token stops working, is lost, or is stolen.  
Step 1) Go to the Backup Code Page and Log in

• Go to the "Create Backup Codes" button on the MFA main page, or go to: https://novapp.cc.uregina.ca/perl/mfapasscode.cgi
• If prompted to login, please do so. You will also be presented with an MFA prompt. 
• Press "Enter a Passcode"  

• To reduce security risk, make sure you remove lost or stolen hardware tokens devices from your account immediately.
• Report all lost or stolen hardware tokens to the IS Service Desk as soon as possible; Service.Desk@uregina.ca

You are requested to return your Hardware Token if it is broken or no longer in use.

• To return your token, visit the IS Service Desk for unlinking and disposal. 

Alternatively, you can send it by interoffice mail to:
Information Technology Support Centre
Main Campus, University of Regina
3919 University Drive South
Education Building
Room ED 137
*Include a note with your name and whether the token is defective or you are staff leaving the University.

• Microsoft Authenticator info

Duo Remember info

When logging into an application, and you are presented with a MFA screen, if the "Remember me" function is available for this application, you will see a "Remember me for 7 days" check box.

• Checking this box will remember the web browser for 7 days, and MFA prompts will not be required on this application from within the same web browser for 7 days.
• This applies only to the computer and browser that you are currently using.
• If you check the box on your work computer, your home computer won't remember you.
• If you change web browsers on the same computer, use private browsing mode (such as Incognito) or clear your cookies in the web browser, you will be required to authenticate again as the remember me functionality is specific to a web browser on a specific device, and uses cookies.

Note: You should be prepared to authenticate with MFA with any login. "Remember me" functionality is done for convenience only. Please ensure you have your device handy to use with MFA in the event "Remember me" has forgotten you!

Note: You can check "Remember Me" on any computer that you use regularly and that you trust. Don't use the "Remember me" function on a public or shared computer!

Duo MFA "Remember me" settings

• Ensure that that you have set up Duo MFA to "Ask me to Choose an Authentication Mechanism."
• If you have selected "Automatically send this device a Duo Push" it will not allow users to take advantage of remember me, and may result in a larger number of MFA authentication requests overall.
• If your device automatically receives a Duo Mobile push notification at login, you must disable this function temporarily in order to view and click the checkbox.
  • To temporarily disable an automatic push, when the MFA screen appears click the blue "Cancel" button in the bottom right.
  • Click the "Remember me for 7 days" checkbox, then click the "Send Me a Push" button to complete your login.

Duo MFA

• "Remember me" functionality is supported on SAML and CAS applications (UofR web based applications).
• Applications which use thick clients or LDAP authentication do not support "Remember Me" functionality.
• Additionally, certain high security applications may not have this functionality enabled, which will require MFA to be used on each authentication.
• The "Remember Me" functionality works on an application by application basis.
  • This means that "Remember Me" functionality applies to each individual MFA enabled service.
  • Subsequent access of the same application will not require MFA after the first authentication, but if you access a different application protected by the MFA, then you will have to approve a MFA login request again for the second application for the life of that session (7 days).