Multi-Factor Authentication (MFA), Troubleshooting
Requesting a Temporary Passcode
If you lose, misplace, or forget your MFA device and cannot authenticate, you can request a temporary passcode. You can also request one if you are going to a testing center and will not have access to your device.
- Passcodes are good for 3 days or 100 uses, whichever comes first. You can request 24 passcodes per year, so these should not be relied upon as a primary authentication method.
The instructions below assume that you know your password. If you do not know your password, please contact your Help Desk.
You need to request a passcode in advance (i.e. you currently have your device)
- Visit the NetID Center.
- Select Temporary passcode at the bottom of the page.
- Click "Yes, I have my device".
- Authenticate like normal using the device.
- Your passcode will then be displayed along with the expiration date.
You do not have your device and need a passcode now
- Visit the NetID Center.
- Select Temporary passcode at the bottom of the page.
- Click "No, I don't have my device".
- Authenticate using your password.
- An email with a passcode will be sent to your password recovery email. The email will be from noreply@uillinois.edu and the subject will be UI Verify Temporary Passcode.
If you do not have recovery options set up or cannot access your recovery options, you will need to call your University Service Desk to get a temporary passcode.
Once you receive a temporary passcode, please visit https://identity.uillinois.edu to set up your recovery email under the Recovery Settings.
For instructions on setting up recovery options, see NetID Center, Set and modify your recovery options.
How to use a temporary passcode
Duo Universal Prompt (Microsoft365 (Outlook, Word, Excel, etc.), Shibboleth (Canvas, Box, Zoom, Moodle, etc.), or the NetID Center):
- Go to the application you are trying to access that requires MFA and log in with your NetID and password.
- Select the Bypass code option.
- Enter the code and click Verify.
AITS Duo Prompt (some AITS Applications such as Banner, HR Reporting, My UI Info, Direct Deposit, etc.):
- Go to the application you are trying to access that requires MFA.
- Select Temporary Passcode from the drop-down.
- Enter the passcode and click Enter.
Cancel Temporary Passcode:
If you no longer need to use the temporary passcode you requested, you can cancel it for security.
- Visit the NetID Center at https://identity.uillinois.edu and select Manage my 2FA under 2-Factor Authentication.
- Under My Devices & Settings select the next to Temporary Passcode and then the trash can to delete/expire the code.
Other Topics
Duo Remembered Devices Feature not working
If you choose for Duo to remember you or trust your browser, a trusted session will be created for 24 hours between you, your browser, and the endpoint you are logging into. This involves using a browser cookie. If you have restrictive cookie settings in your browser, you may run into issues utilizing this feature. This Duo documentation page has more details: https://help.duo.com/s/article/2189?language=en_US.
- Remember: Do not trust the browser when using a public or shared computer! This could leave your Duo session available to other users. Trust the browser only when you access applications from your own computer.
If the above didn't work, try the following troubleshooting steps:
- Clear your browser's cache/cookies (Browsers, Clearing Cache and Cookies).
- Try using a different browser for a few hours.
If these steps do not solve the issue, please send the following information to your campus Help Desk:
- Operating System (Android, iOS, Windows, Mac, etc.).
- What browser you use (Chrome, Firefox, Safari, etc.).
- The last site where you experienced this problem (Canvas, Outlook, etc.).
- Any browser plugins/extensions you have.
- If you are using the VPN and which campus (UIC, UIS, UIUC, AITS).
I don't have internet access (no mobile phone connectivity)
There are several options for authenticating when your smartphone does not have a network connection. The following options are perfect for traveling when you may not have internet access on your mobile phone, or if you do not have access to your typical device.
- The Duo Mobile app for smartphones allows you to generate a passcode to log in, even if your phone is not connected to the internet. This is a free and easy way to authenticate wherever you are regardless of network connection. Instructions on using this method can be found here: Multi-Factor Authentication (MFA), Device Management.
- Hardware tokens work without an internet connection. This means you can use them anywhere in the world to log into your account. More information can be found here: Multi-Factor Authentication (MFA), Hardware Tokens and Security Keys.
- As mentioned at the top of the article, you can get a temporary bypass code here. The bypass code will last for 3 days and can be used 100 times. You can request a temporary passcode a maximum of 24 times a year.
Notifications from Duo When Adding/Removing Devices
To help protect your Duo account from unauthorized activity, you will receive a Duo push and an email notification when you add or remove an authentication device in Duo.
More information available here.
Duo prompt display issues
Please see this article for assistance: Multi-Factor Authentication (MFA), Duo Prompt Display Issues.
Duo says my account has been locked out
You will see one of two error messages:
- "Account disabled. Your Duo account is disabled and cannot access this application. Please contact your IT help desk."
- "Your account has been locked out due to excessive authentication failures. Please contact your administrator."
This is triggered after 10 failed login attempts. You will need to wait 5 minutes after the last attempt before trying again. If you need assistance with managing your devices, please see this article: Multi-Factor Authentication (MFA), Device Management.
I am being prompted to use MFA with Microsoft instead of Duo
We have seen some reports wherein a user is being prompted to use MFA with Microsoft instead of Duo. The issue seems to be pretty rare, and the exact cause is hard to pin down.
However, from what we have gathered so far, this can sometimes happen when:
- The Microsoft Authenticator app is already installed (for example, if you need it for your personal Microsoft account)
- The user is attempting to add their University email account to the Outlook iOS app.
- They may already have another account added to Outlook (for example, their personal email account)
You may see a screen like the one below:
Solution: Users have been able to resolve this issue by uninstalling the Microsoft Authenticator app, then adding the University email account into Outlook. They are then prompted to use MFA with Duo as expected. Afterwards, the Microsoft Authenticator app can be reinstalled.
- NOTE: Before uninstalling the Microsoft Authenticator app from your phone, please make sure to review any accounts that you have set up in there (the Authenticator tab in the app). You will want to make sure these are backed up (check the app's settings) and that you have an alternative MFA method for these accounts in case the restore process does not go smoothly. Tech Services is not responsible for users getting locked out of non-University accounts.
See Also
- Multi-Factor Authentication (MFA), Introduction
- Multi-Factor Authentication (MFA), How to Use
- Multi-Factor Authentication (MFA), Enrollment
- Multi-Factor Authentication (MFA), Device Management
- Multi-Factor Authentication (MFA), Troubleshooting
- Multi-Factor Authentication (MFA), Hardware Tokens and Security Keys