Multi-Factor Authentication (MFA), How to Use

This article explains the devices and sign-in methods available for MFA.

Phone or Tablet

You can use the Duo Mobile app to authenticate securely and easily. It is free and available in the Apple App Store and Google Play Store.

The Duo Mobile app allows you to authenticate by:

  • Duo Push - will send a push notification to the registered smartphone allowing you to approve or deny the request.
  • Duo Mobile Passcode - can be used to generate passcodes even while offline.

You can set your device up as a tablet if it does not have a phone number, or if you do not want to share your phone number for your smart phone.

Security Key

Security keys support MFA sign-in using WebAuthn/FIDO2 authentication standards.In order to use a security key with Duo Universal Prompt you must use a supported browser and a compatible Webauthn/FIDO2 security key.

NOTE: The AITS Duo iFrame does not support the use of WebAuthn/FIDO2 security keys, so you must add the key via the Manage Devices at the Duo Universal Prompt. It will not appear in your list of devices at the NetID Center nor will it be available for use as an authentication method at an AITS Duo prompt. 

Token

If you cannot use a phone, tablet, or security key, you may request a hardware token through the University WebStore. Additional department charges may apply.  See Multi-Factor Authentication (MFA), Hardware Tokens and Security Keys for more information.

Since the token is associated with an account, tokens cannot be shared. They can be re-assigned/transferred by following the same process as registering a token for the first time.

Methods

If you are using the Duo Universal Prompt, the default authentication method will either be your last used method or the most secure method you have registered. If you are using the AITS Duo iFrame you can choose a default method via the NetID Center. More information available here: MFA, How to set default device & automatic authentication method.

If you'd like to choose a different authentication method you can do so, by clicking on 'Other options' at a Duo Universal Prompt or the drop down arrow at an AITS Duo prompt, as indicated by the screenshots below:

Screen shots side by side of Duo Push and Authenticate screens.

Duo Universal Prompt window highlighting the other options button

 

authentication

 

 

 

Duo Push

Duo Universal Prompt: Choose the Duo Push option.

 Screenshot showing that a duo push notification was sent to the mobile device

AITS Duo Prompt: Verify the device to authenticate with, select Send me a Push.

Duo Push

It should now send a login request to your phone or tablet. If you do not see it, you should open the Duo Mobile app directly. Review the request and tap Approve to log in. For information on specific devices see Duo Mobile section.

duopush

   Troubleshooting

You may have trouble receiving push notifications if there are network issues between your phone and the DUO service. Phones will have trouble determining whether to use WiFi or data when checking for push requests. Turning the phone to airplane mode and back to normal again can often resolve this type of issue if a reliable internet connection is available.

If you are expecting a notification and it hasn't arrived, open the DUO mobile app and pull down on the screen to check for pending notifications. Notifications expire after 60 seconds.

Make sure the Mobile app has permissions to show notifications on your device. Go to Settings > Notifications >Duo Mobile and validate that Alert Style is Banners or Alerts and Sounds as well as Show on Lock Screen are enabled.

Duo Mobile Passcode

You can use the Duo Mobile app on your smartphone to authenticate, even if your phone has no network connectivity. A six-digit passcode will be generated and be valid for 30 seconds. After the 30 seconds is up, a new passcode will automatically be generated for you.

Screenshot showing a passcode in the Duo Mobile app

More information available here: Multi-Factor Authentication (MFA), Troubleshooting

Security Key (WebAuthn/FIDO2)

NOTE: Instructions for Duo Universal Prompt only. The AITS Duo Prompt does not support this authentication method.

Choose the security key option at the Duo Prompt.

You will then see a pop-up from your operating system and/or browser with instructions on how to continue.

Screenshot showing the duo prompt waiting for you to use your securty key

Yubikey Hardware Token Passcode

Place your Yubikey in a USB port. Upon selecting security key, place your cursor in the passcode field and press the gold button on your Yubikey.

Duo Universal Prompt: 

Screenshot showing the duo prompt waiting for yubikey passcode

AITS Duo Prompt: 

yubikey

Temporary Bypass Code

If you do not have your MFA device with you, you can request a temporary bypass code Temporary passcode: NetID Center.

More information can be found here: Multi-Factor Authentication (MFA), Troubleshooting.

Please note:

  • The bypass code you receive is designed for short-term occasional or emergency use. Each passcode expires after 3 days or 100 uses, whichever comes first. You can request a temporary passcode a maximum of 24 times a year.
  • Make sure to update your registered MFA devices via the NetID Center or Duo Universal Prompt after receiving the passcode to avoid having to use bypass codes in the future.

See Also


Keywords:
MFA, Multi-Factor Authentication, Duo mobile app, Passcode, Yubikey, Hardware token, FIDO2, Webauthn methods 
Doc ID:
138345
Owned by:
Identity and Access Management G. in University of Illinois Technology Services
Created:
2024-07-11
Updated:
2026-05-22
Sites:
UI Gies College of Business, University of Illinois Technology Services
Clean URL:
https://answers.uillinois.edu/illinois/mfa-methods