Multi-Factor Authentication (MFA), How to Use

This article will summarize the different types of devices you can use to authenticate with our MFA (Multi-Factor Authentication) provider.

Devices

What kinds of devices can I use?

Phone or Tablet

You can use the Duo Mobile app to authenticate securely and easily. It is free, and available in the Apple App Store (link) and the Google Play Store (link).

The Duo Mobile app allows you to authenticate in a couple different ways:

  • Duo Push technology - will send a push notification to the registered smartphone allowing you to approve or deny the request.
  • Duo Mobile Passcode - can be used to generate passcodes even while offline.

You can set your device up as a tablet if it does not have a phone number, or if you do not want to share your phone number for your smart phone.

If you do not have a compatible smart phone, you can utilize the text method. Do will send a passcode via SMS that can only be used one time on a login page.

Security Key

The Duo Universal Prompt supports the use of WebAuthn security keys. You may also see WebAuthn referred to as "FIDO2".

NOTE: The AITS Duo iFrame does not support the use of WebAuthn/FIDO2 security keys, so you must add the key via the Manage Devices section at the Duo Universal Prompt. It will not appear in your list of devices at the NetID Center nor will it be available for use as an authentication method at an AITS Duo prompt. 

  • In order to use a security key with Duo Universal Prompt you must use a supported browser and a compatible Webauthn/FIDO2 security key.

Token

  • If none of the above are viable options you can request a token for authentication from the Webstore (for an additional cost to your department). See Multi-Factor Authentication (MFA), Hardware Tokens and Security Keys for more information.
  • Since the token is associated with an account, tokens cannot be shared. They can be re-assigned/transferred by following the same process as registering a token for the first time.
  • The Yubikey (USB-A & USB-C) and OTP C100 purchased through the WebStore are the only University of Illinois supported tokens.

Methods

If you are using the Duo Universal Prompt, the default authentication method will either be your last used method or the most secure method you have registered. If you are using the AITS Duo iFrame you can choose a default method via the NetID Center. More information available here: [Link for document 86211 is unavailable at this time].

If you'd like to choose a different authentication method you can do so, by clicking on 'Other options' at a Duo Universal Prompt or the drop down arrow at an AITS Duo prompt, as indicated by the screenshots below:

Duo Universal Prompt window highlighting the other options buttonauthentication

Duo Push

Duo Universal Prompt: Choose the Duo Push option.

 Screenshot showing that a duo push notification was sent to the mobile device

AITS Duo Prompt: Verify the device you will use to authenticate with, select Send me a Push.

Duo Push

It should now send a login request to your phone or tablet (If you have Duo Mobile installed and activated on your iPhone, Android, or BlackBerry device). If you do not see it, you should open the Duo Mobile app directly. Review the request and tap Approve to log in. For information on specific devices see Duo Mobile section.

duopush

Troubleshooting

You may have trouble receiving push notifications if there are network issues between your phone and the DUO service. Phones will have trouble determining whether to use WiFi or data when checking for push requests. Turning the phone to airplane mode and back to normal again can often resolve this type of issue if a reliable internet connection is available.

If you are expecting a notification and it hasn’t arrived, open the DUO mobile app and pull down on the screen to check for pending notifications. Notifications expire after 60 seconds.

Make sure the Mobile app has permissions to show notifications on your device. Go to Settings –> Notifications –>Duo Mobile and validate that Alert Style is Banners or Alerts and Sounds as well as Show on Lock Screen are enabled.

Duo Mobile Passcode

You can use the Duo Mobile app on your smartphone to authenticate, even if your phone has no network connectivity. A six-digit passcode will be generated and be valid for 30 seconds. After the 30 seconds is up, a new passcode will automatically be generated for you.

Screenshot showing a passcode in the Duo Mobile app

More information available here: Multi-Factor Authentication (MFA), Troubleshooting

Security Key (WebAuthn/FIDO2)

NOTE: Instructions for Duo Universal Prompt only. The AITS Duo Prompt does not support this authentication method.

Choose the security key option at the Duo Prompt.

You will then see a pop-up from your operating system and/or browser with instructions on how to continue.

Screenshot showing the duo prompt waiting for you to use your security key

Yubikey Hardware Token Passcode

Place your Yubikey in an available USB port. Upon choosing the correct option, place your cursor in the field and press the gold button on your Yubikey.

Duo Universal Prompt: Choose the YubiKey passcode option.

Screenshot showing the duo prompt waiting for yubikey passcode

AITS Duo Prompt: Select your Yubikey from the drop down.

yubikey

OTP Hardware Token Passcode

Upon choosing the correct option at the Duo prompt, press the red button on the C100, and enter the 6 digit code into the text field.

Duo Universal Prompt: Choose the Hardware token option.



AITS Duo Prompt: Choose your C100 hardware token from the drop down.

yubikey

Text Message Passcode

Upon selecting the correct option, you will be sent a text message with the passcode.

Image of iPhone text message received with UI Verify passcode.

Enter the generated passcode that was sent to your mobile device into the passcode field.

Duo Universal Prompt: Select the Text message passcode option.

Duo universal prompt screenshot showing text option

AITS Duo Prompt: If using a mobile phone, select Text me from the authentication screen.

text metext me

Temporary Bypass Code

If you do not have your MFA device with you, you can request a temporary bypass code here.

More information can be found here: Multi-Factor Authentication (MFA), Troubleshooting.

Please note:

  • The bypass code you receive is designed for short-term occasional or emergency use. Each passcode expires after 3 days or 100 uses, whichever comes first. You can request a temporary passcode a maximum of 24 times a year.
  • Make sure to update your registered MFA devices via the NetID Center or Duo Universal Prompt after receiving the passcode to avoid having to use bypass codes in the future.


Keywords:
2fa two-factor two factor authentication mfa multi-factor multi factor authentication duo mobile app passcode yubikey hardware token fido2 webauthn methods 
Doc ID:
138345
Owned by:
Identity and Access Management in University of Illinois Technology Services
Created:
2024-07-11
Updated:
2024-07-11
Sites:
UI Gies College of Business, University of Illinois Technology Services