Topics Map > Account Management > 2FA/Duo

Multi-Factor Authentication (MFA), Enrollment

Attention: The phone call option for performing multi-factor authentication will be disabled on June 12. If you currently use this, please select an alternative authentication option, as mentioned in this KB.

Step by Step guide on multi-factor authentication (MFA) self-enrollment.

For more information about multi-factor authentication and how it protects your university account, see our article here: Multi-Factor Authentication (MFA), Introduction.

The first time you log in to MFA-protected University website or service, you will be asked to enroll your account and set up a device. Please note that your account cannot be un-enrolled from MFA once the feature is configured.

Choosing a Device

  1. Duo Mobile App (recommended) - It is strongly recommended that you use the smartphone that you already own during enrollment. This will allow you to use the Duo Mobile app (available on iOS and Android) for authentication. With the Duo Mobile app, you can simply receive a push notification to approve authentication requests, instead of typing in a code.
    • You can use a tablet in lieu of a smartphone.
    • One advantage of using the Duo Mobile app is that you can receive push notifications over Wi-Fi. This is helpful when you're in an area where you cannot get a cellular signal, or when traveling abroad.
    • You can also use the Duo Mobile app even if you are offline and have no access to data, via the Duo Mobile passcode option.
  2. Hardware Token / Security Key - These can be a good option if you do not want to use your smartphone for authentication. Information on hardware tokens can be found at this help article: Multi-Factor Authentication (MFA), Hardware Tokens and Security Keys.
    • Staff members can inquire with their department to see if a hardware token can be purchased for them.
    • The Duo Mobile Prompt adds support for FIDO2/WebAuthn security keys. This enables users to bring their own, although it is the user's responsibility to ensure compatibility.
    • Hardware tokens and security keys can also be used while offline.
  3. Basic Mobile Phone (non-Smartphone) - Users can also enroll their basic mobile phone to receive SMS messages for authentication.
    • This should be used as a last resort since this method is dependent on having a cellular signal. Additionally, cellular carriers occasionally block the numbers that Duo uses.

Enrollment

There are two ways to enroll in multi-factor authentication:

NetID Center

Instructions

  1. Navigate to the NetID Center (https://identity.uillinois.edu) and log in.
    1. If your account is already enrolled in MFA, you will need to authenticate with one of your existing devices. If you run into issues or do not have your device, please see this help article for more information: Multi-Factor Authentication (MFA), Troubleshooting.
  2. Once you're logged in, make sure that the email address listed under Recovery Settings is still correct. This email address can be used to get bypass codes in case you cannot authenticate using your devices in the future.
  3. Click on 'Set up 2FA'.
  4. If you are not on campus and connected via the campus network: You will be shown a screen with the heading “(!) Must be connected to the University network to register” – you will still be able to enroll, but you will need to confirm your identity by way of one of your recovery options:
    1. Click the blue “Get registration code” button below the ‘Option 2’ heading.
    2. Select one of the presented pieces of contact information, which should match the password recovery options confirmed in step 2.
    3. You will receive a 6-digit “UI Verify Registration Code” there. Enter the numbers at the “Enter registration code” box on the next screen.
  5. You will be taken to the “Device Setup: Add a Device” screen. Select the type of device you are intending to use for authentication:
    1. Smartphone (recommended) should be selected for any device with a phone number
    2. Tablet should be selected for devices that do not have a phone number but can install the Duo Mobile app.
    3. Hardware token should be selected for MFA token devices purchased from the University WebStore; more detailed instructions here: Multi-Factor Authentication (MFA), Hardware Tokens and Security Keys.
  6. Device dependent instructions below.

Smartphone

If enrolling a phone, enter your phone number and click Yes you want to use the Duo Mobile App, then Continue

If you do not want to provide your phone number when configuring your smartphone, you can hit the back button and set it up as a tablet. With this option you will only be able to receive push notifications or generate passcodes via the Duo Mobile App.

Add a new device (phone number)

4. Type of Device Platform (if applicable)

Select your device platform, then click Continue.

Device Platform

 

5. Installing and Activating Duo Mobile

Duo Mobile is an app that runs on your smartphone or tablet and helps you authenticate quickly and easily. You can still authenticate via text message without it, but for the best experience we recommend Duo Mobile.

  • Search for Duo Mobile in your app store.
  • Download the app.
  • Select "OK" when asked if Duo Mobile can send push notifications.
  • Select Add Account
  • Once the app is installed, click I have Duo Mobile installed.

Duo Mobile App

 

6. Activate Duo Mobile

 

A)  Using phone camera for Activation

Follow the instructions shown on the screen to open Duo Mobile on your device, tap the '+' button, and scan the barcode on your screen with your camera.

 activate duo mobile

 You are now successfully enrolled.  If you have more than one device enrolled, you will be asked if you would like to make this device your favorite.  If it is your favorite, it will show first when authenticating.

 

B)  If you opt not to use your phone's camera for activation

Select "Or have an activation link email to you instead"

   activation email
 

Enter your email address and select Send email

 enter email

Below is an example of the email you will be sent.  You should open this email on your smartphone by clicking the link or pasting/typing the link in to your smartphones broswer URL bar.


Select Open

 duo mobile

Tap Save on the next screen.

University of Illinois should appear under the Duo Mobile App

 activation


 You are now successfully enrolled.  If you have more than one device enrolled you will be asked if you would like to make this device your favorite.  If it is your favorite it will show first when authenticating. 

Tablet

Choose the type of tablet you are adding.

Tablets will be iOS or Android.

 

4. Installing and Activating DUO Mobile

Duo Mobile is an app that runs on your tablet and helps you authenticate quickly and easily.

  • Search for Duo Mobile in your app store.
  • Download the app.
  • Select "OK" when asked if Duo Mobile can send push notifications.
  • Select Add Account
  • Once the app is installed, click I have Duo Mobile installed.

Duo Mobile App

5. Activate Duo Mobile

A)  Using tablet camera for Activation:

Activate Duo Mobile by scanning the barcode with the app’s built-in barcode scanner using your tablets camera.

activate duo mobile

You are now successfully enrolled.  If you have more than one device enrolled you will be asked if you would like to make this device your favorite.  If it is your favorite it will show first when authenticating.

B) If you opt not to use your tablet camera for Activation

Select "Or have an activation link email to you instead"

activation email

Enter your email address and select Send email

enter email

Below is an example of the email you will be sent.  You should open this email on your tablet by clicking the link or pasting/typing the link in to your tablets broswer URL bar.


Select Open

duo mobile

Tap Save on the next screen.

University of Illinois should appear under the Duo Mobile App

activation

You are now successfully enrolled.  If you have more than one device enrolled, you will be asked if you would like to make this device your favorite.  If it is your favorite, it will show first when authenticating.

Hardware Token

Type in the serial number of your device which can be found on the back of the hardware token.

For the Yubikey, you can also find the serial number in your WebStore account (Log into  WebStore  with your NetID, under Order History select your order number.   The serial number will be listed under the Installation Key/Code).


After you click Continue, you will need to confirm your token.

For Yubikey:

Insert the Yubikey in the USB port of your computer with the gold button facing up. It will take a few seconds to register the first time.  Press the gold button on the Yubikey (either on top for USB-A or side for USB-C) and it will generate the passcode and log you in. Make sure CAPS LOCK is off when registering a Yubikey.

For OTP C100:

Press the red button on your token.  It will generate and display 6-digit code.   Manually enter this code into the box and select Enter. You are now successfully enrolled.  If you have more than one device enrolled you will be asked if you would like to make this device your favorite.  If it is your favorite it will show first when authenticating.

    Duo Universal Prompt (Urbana, Chicago, and Springfield Applications)

    1. If you are accessing an application protected by the Duo Universal Prompt, it will walk you through the enrollment process after you authenticate with your username and password:
      Duo Universal Prompt initial enrollment page
    2. Next, you will be presented with a list of enrollment options.

      We highly recommend using the Duo Mobile smartphone app, as it offers the best combination of security and convenience:
      Duo Universal Prompt device selection page when enrolling. Options include duo mobile, security key, phone number

    Duo Mobile

    1. If you choose the Duo Mobile option, you will be asked to enter your phone number on the next screen. If you have a tablet you can select that option:
      Duo universal prompt enrollment - phone number entry
    2. A text message will be sent to your phone number to verify ownership:
      Duo Universal Prompt enrollment - phone number entry
    3. After ownership of the phone is verified, you will be instructed to download the Duo Mobile app, available for iOS and Android:
      Duo universal prompt enrollment - download mobile app
    4. Once Duo Mobile is installed on your phone, open it. Make sure to enable notifications for the app.

      Click on Next in the prompt on your computer, and either scan the QR code provided, or choose to have an activation code emailed to you:
      Duo universal prompt enrollment, scan qr code from app
    5. Your enrollment is complete! You have the option of adding a backup authentication method. If you choose to skip for now, you can click the "Log in with Duo" button to proceed with the login process:
      Duo Universal Prompt enrollment complete

    WebAuthn/FIDO2 Security Key

    The Duo Universal Prompt supports the use of a WebAuthn/FIDO2 Security Key for authentication. Please make sure your security key and browser meet the requirements listed here. The dialog boxes you see outside of the Duo Universal Prompt can vary between browsers and operating systems.

    NOTE: The NetID Center and AITS Duo Prompts do not support WebAuthn. Because of this, you will want to add another authentication method such as the Duo Mobile app as a backup.

    1. Once the Security Key option is selected, click Continue. You may see a dialog box from your browser next. If the security key is already recognized by your browser, you can skip to step 2. Otherwise, select the option for 'External security key or built-in sensor':
      Add webauthn security key browser prompt
    2. You will then see a dialog box from your operating system. Once you proceed you will be asked to set your security key PIN. If you have not set a PIN yet you can create one.
      Duo Universal Prompt webauthn
    3. Once your security key is verified and authorized you will be asked to touch your security key to complete the authentication.
      Duo Universal Prompt webauthn touch security key
    4. You're done! As previously mentioned, you will want to have an additional authentication method as a backup in case you encounter an application protected by the AITS Duo Prompt such as Banner or the NetID Center.

    You may also enroll using the text method. This is not recommended as using SMS for authentication is not as secure as other methods.

    See Also:




    Keywords:mfa, 2FA, 2-factor authentication, Two-factor authentication, Duo, Duo Security, Verify, UI Verify, enrollment, multi-factor, multifactor, security, AITS self guide, 2FA setup   Doc ID:65947
    Owner:ID M.Group:University of Illinois Technology Services
    Created:2016-08-10 10:56 CDTUpdated:2023-05-31 14:43 CDT
    Sites:University of Illinois System, University of Illinois Technology Services
    CleanURL:https://answers.uillinois.edu/systemoffices/2fa-self-enrollment-guide
    Feedback:  4   1