Multi-Factor Authentication (MFA), How to Use
Devices
What kinds of devices can I use?
Phone or Tablet
You can use the Duo Mobile app to authenticate securely and easily. It is free, and available in the Apple App Store (link) and the Google Play Store (link).
The Duo Mobile app allows you to authenticate in a couple different ways:
- Duo Push technology - will send a push notification to the registered smartphone allowing you to approve or deny the request.
- Duo Mobile Passcode - can be used to generate passcodes even while offline.
You can set your device up as a tablet if it does not have a phone number, or if you do not want to share your phone number for your smart phone.
If you do not have a compatible smart phone, you can utilize the text method. Do will send a passcode via SMS that can only be used one time on a login page.
Security Key
The Duo Universal Prompt supports the use of WebAuthn security keys. You may also see WebAuthn referred to as "FIDO2".
NOTE: The AITS Duo iFrame does not support the use of WebAuthn/FIDO2 security keys, so you must add the key via the Manage Devices section at the Duo Universal Prompt. It will not appear in your list of devices at the NetID Center nor will it be available for use as an authentication method at an AITS Duo prompt.
- In order to use a security key with Duo Universal Prompt you must use a supported browser and a compatible Webauthn/FIDO2 security key.
Token
- If none of the above are viable options you can request a token for authentication from the Webstore (for an additional cost to your department). See Multi-Factor Authentication (MFA), Hardware Tokens and Security Keys for more information.
- Since the token is associated with an account, tokens cannot be shared. They can be re-assigned/transferred by following the same process as registering a token for the first time.
- The Yubikey (USB-A & USB-C) and OTP C100 purchased through the WebStore are the only University of Illinois supported tokens.
Methods
If you are using the Duo Universal Prompt, the default authentication method will either be your last used method or the most secure method you have registered. If you are using the AITS Duo iFrame you can choose a default method via the NetID Center. More information available here: [Link for document 86211 is unavailable at this time].
If you'd like to choose a different authentication method you can do so, by clicking on 'Other options' at a Duo Universal Prompt or the drop down arrow at an AITS Duo prompt, as indicated by the screenshots below:
Duo Push
Duo Universal Prompt: Choose the Duo Push option.
AITS Duo Prompt: Verify the device you will use to authenticate with, select Send me a Push.
It should now send a login request to your phone or tablet (If you have Duo Mobile installed and activated on your iPhone, Android, or BlackBerry device). If you do not see it, you should open the Duo Mobile app directly. Review the request and tap Approve to log in. For information on specific devices see Duo Mobile section.
Troubleshooting
You may have trouble receiving push notifications if there are network issues between your phone and the DUO service. Phones will have trouble determining whether to use WiFi or data when checking for push requests. Turning the phone to airplane mode and back to normal again can often resolve this type of issue if a reliable internet connection is available.
If you are expecting a notification and it hasn’t arrived, open the DUO mobile app and pull down on the screen to check for pending notifications. Notifications expire after 60 seconds.
Make sure the Mobile app has permissions to show notifications on your device. Go to Settings –> Notifications –>Duo Mobile and validate that Alert Style is Banners or Alerts and Sounds as well as Show on Lock Screen are enabled.
Duo Mobile Passcode
You can use the Duo Mobile app on your smartphone to authenticate, even if your phone has no network connectivity. A six-digit passcode will be generated and be valid for 30 seconds. After the 30 seconds is up, a new passcode will automatically be generated for you.
More information available here: Multi-Factor Authentication (MFA), Troubleshooting
Security Key (WebAuthn/FIDO2)
NOTE: Instructions for Duo Universal Prompt only. The AITS Duo Prompt does not support this authentication method.
Choose the security key option at the Duo Prompt.
You will then see a pop-up from your operating system and/or browser with instructions on how to continue.
Yubikey Hardware Token Passcode
Place your Yubikey in an available USB port. Upon choosing the correct option, place your cursor in the field and press the gold button on your Yubikey.
Duo Universal Prompt: Choose the YubiKey passcode option.
AITS Duo Prompt: Select your Yubikey from the drop down.
OTP Hardware Token Passcode
Upon choosing the correct option at the Duo prompt, press the red button on the C100, and enter the 6 digit code into the text field.
Duo Universal Prompt: Choose the Hardware token option.
AITS Duo Prompt: Choose your C100 hardware token from the drop down.
Text Message Passcode
Upon selecting the correct option, you will be sent a text message with the passcode.
Enter the generated passcode that was sent to your mobile device into the passcode field.
Duo Universal Prompt: Select the Text message passcode option.
AITS Duo Prompt: If using a mobile phone, select Text me from the authentication screen.
Temporary Bypass Code
If you do not have your MFA device with you, you can request a temporary bypass code here.
More information can be found here: Multi-Factor Authentication (MFA), Troubleshooting.
Please note:
- The bypass code you receive is designed for short-term occasional or emergency use. Each passcode expires after 3 days or 100 uses, whichever comes first. You can request a temporary passcode a maximum of 24 times a year.
- Make sure to update your registered MFA devices via the NetID Center or Duo Universal Prompt after receiving the passcode to avoid having to use bypass codes in the future.
See Also
- Multi-Factor Authentication (MFA), Introduction
- Multi-Factor Authentication (MFA), How to Use
- Multi-Factor Authentication (MFA), Enrollment
- Multi-Factor Authentication (MFA), Device Management
- Multi-Factor Authentication (MFA), Troubleshooting
- Multi-Factor Authentication (MFA), Hardware Tokens and Security Keys