What are some Frequently Asked Questions about Duo 2FA?


Getting Set Up


Do I need to enroll in 2FA?

Currently you are required to use 2-factor authentication (2FA) to access certain university applications. Even if you do not use an application that requires 2FA, you may add this additional layer of security to your account by enrolling in 2FA: visit NetID Center -> Get started. Note: Once enrolled, you will not be able to remove this feature from your account. You will be required to use 2FA for any applications that require it.

How do I enroll in Two Factor Authentication (2FA)?

You can enroll in 2FA by visiting NetID Center -> Get started. Please see How do I set up Duo 2FA?

What are the Authentication Devices/Methods?
 
 
Do I need to use my personal mobile device for 2FA?
 
You are not required to have a mobile device to use 2FA, but it is the most convenient option. Most users prefer to use their smartphones. Using Duo for 2FA will consume data, though the amount is relatively small. Instead of a smartphone, you may register another mobile device for text messages and voice calls, a tablet, a landline for voice calls, or a token. The recommended smartphone option makes 2FA extremely easy and cost effective. A token for 2FA can be purchased through the WebStore by your unit.

Is a smartphone required for 2FA?

A smartphone is recommended but not required. A smartphone will provide the greatest level of security and allow you to use the Duo Mobile app. The Duo Mobile app can generate a passcode for login (without a cellular connection) and receive push notifications for one-tap authentication. Any mobile phone will work, but will not include the advantages of the Duo Mobile app. A home phone number can be used as well, but you will need to answer that phone in order to authenticate.

Managing your device(s)

What methods are available for authentication? (Select the enrolled device for authentication and then the method):

  • Duo Push – pushes a login request to your phone (if the Duo Mobile app is installed and activated). Tap Approve to log in.

  • Call Me – The Duo service will call the phone number listed and ask you to acknowledge the login attempt by pressing any key.

  • Text Me – The Duo service will send a text message to the phone number listed. You will need to enter the passcode from that message on the authentication screen.

  • Enter a Passcode – The passcode can be generated by Duo Mobile, sent via email, generated by the hardware token, or provided by an administrator.

What devices are supported?

How do I manage my 2FA settings?

Visit NetID Center -> Login -> Manage my 2FA.

Under the My Devices and Settings section, you can add a new device and select your notification preferences under the "When I log in:" menu. There are 3 notification options: 

  1. Ask me how to authenticate - a notification will appear on screen and allow you to select the notification method preferred 
  2. Automatically Duo Push - sends a push to the Duo smartphone app; the Duo app must be opened and authentication must be approved
  3. Automatically Call - will send a call to the registered device; the call must be answered and you will be prompted to authenticate using the phone's keypad 

How do I add a new device?

Visit NetID Center -> Login -> Manage my 2FA -> Click on +Add a New Device.

What if I get a new phone?

Please visit 2FA Enroll a New Phone/New Phone Number.

Can I change my default device?

Visit NetID Center -> Login -> Manage my 2FA -> Select the + to the right of the device you would like to make the default. -> Select the star icon.

What if I lose my phone, or leave it at home? What if I don't have access to my 2FA device?

Please see 2FA, Temporary Passcode. These can be used if you forget your 2FA device at home or have lost it.  They can also be requested if you are going to a testing center and will not be able to take your 2FA device with you.  Temporary passcodes are good for 3 days, 100 uses, and you can request 24 per year.

Can I use multiple devices with 2FA?

Yes. We encourage you to register multiple devices in case there are any problems with the primary device.  Please note, your University phone number can't be used with 2FA.

Can 2FA handle international phone numbers?

Yes. When entering an international phone number, select the prefix from the drop-down to the left of where you enter your phone number.

Using 2FA with University applications

I have enrolled in Two-Factor Authentication (2FA), but have not used the service.  How do I log in now that it is enabled on certain applications?

2FA requires something you know (NetID/password) and something you have (smartphone/landline/tablet). After verifying your NetID and password, the authentication options via 2FA will be shown.  Select one of the available options and authenticate using that method.  See Authentication Methods & Devices for details on the methods. 

How often will I have to re-authenticate with 2FA-DUO?

The period of time between required authentications varies by application. You can use the 2FA Remember Me functionality to reduce the frequency of prompts for your 2nd factor authentication; however, you will still be prompted for your standard UIC credentials if your session times out.

What happens if I get prompted for 2FA and I am not trying to log in to a University system that is protected?

If you receive an unexpected prompt when you are not trying to log into a university system, you should press "Deny" in the Duo application.  2FA has worked as expected and your account was protected.  All "Deny" actions in the Duo App will alert the University of Illinois Security Working Group. It is also a good idea to change your password.

What does the Duo Mobile app access on my phone?

It uses some base functionality and a certificate that identifies your phone (to ensure accurate identification). It does not access other apps or other data on your phone.

The mobile app will request access to your camera during activation (to scan the bar code), but this is the only time the camera is activated.

How much does 2FA cost?

  • The smartphone/mobile app is free.

  • Text messages and voice calls are sent when you request them.  They will be billed by your carrier in the same way that any other text message or call would be billed based on the carrier plan.  You will not be reimbursed for these charges.

  • Hardware token(s) are available through the WebStore at a cost to your department.  Please see What are 2FA hardware tokens?

I don’t have reliable cellular network access.  Can I still use 2FA via my phone?

Yes, see How can I authenticate with 2FA without network access?

What do I need to do if leaving the University?

If your department purchased a hardware token for you, you will need to return it.

Are there any accessible device options available?

Some accessibility challenges can be addressed by the phone itself. However, if you have an accessibility problem that can't be resolved by using 2FA with a phone, please contact your service desk.

What does a Duo Two-Factor Authentication notification look like in an application that requires 2FA?

After logging in to a university application using a NetID and password, a Duo notification will appear and prompt the user to select an authentication method. Below are examples of Duo authentication notifications that will appear on university applications that require 2FA.

[Screenshots: Shibboleth Single Sign-On; Azure Active Directory]

Errors

"FAIL valid_user is:" error message when logging into Duo.

Try logging in from another web browser (Internet Explorer, Firefox, Chrome, Safari).

Not able to authenticate on smartphone (blank authentication screen).

If you are trying to authenticate with a University application on your smartphone and get a blank authentication screen, it is most likely due to restrictions being turned on in your browser. Please whitelist the duosecurity.com domain. Please visit https://help.duo.com/s/article/3710?language=en_US for additional information.

What do I do if I receive the message QR code is no longer valid?

Please close your browser and try again. Visit NetID Center -> Login -> Manage My 2FA -> Select + Add a New Device.  Go through the steps of adding the same phone number again.

Why was I locked out of Two-Factor Authentication (2FA)?  

You can get locked out whenever 10 consecutive attempts to log in via 2FA fail.

Suggestions to prevent lockout:

  • Have the Duo Mobile app open - Lockouts sometimes happen when the Duo Mobile app sends multiple attempts to authenticate and they are not responded to. Have the Duo Mobile app open and approve the Duo Push notification when you request authentication.

  • Authenticate to an enrolled and available device:  Attempts to authenticate to an inactive or incorrect device may cause a lockout.  Make sure you are attempting to authenticate to an enrolled device that is available to you. 

I have enrolled in 2FA, but have automatically been denied access.  

This may be because you have been locked out. This usually occurs when 10 consecutive attempts have failed. Try again in 5 minutes.

No longer getting push notifications?  

This may be due to network issues between your phone and the two-factor authentication service.

    • On the DUO mobile app, between the University of Illinois and key, tap and pull down the window then release.  The app will be refreshed.

    • Turn phone to airplane mode and back to normal

    • Turn off WiFi connection on device and turn it back on

    • Make sure the time/date on your phone is correct.  If manually set, try changing your device to sync date and time automatically with the network.

    • With the DUO mobile app on your smartphone, you can generate a passcode by hitting the down arrow to the right of the University of Illinois.  This passcode can be used on the authentication screen.

    • If none of the above work – remove University of Illinois from the Duo Mobile app on your smartphone and then add your smartphone back via https://identity.uillinois.edu -> Manage my 2FA.

What do I do if I am getting an invalid security certificate error when attempting to authenticate using DUO Push on my smartphone?  

Try un-installing and re-installing the DUO mobile app. Walk through the steps to set up your device. 

Two-Factor Authentication (2FA) isn’t working on my phone!

  • Make sure your NetID and password are correct.
  • If this is the first time you have used the service on this phone, make sure the enrollment process was completed, then try again.
  • If you have used the service on this phone before, make sure your phone is not locked. If it is locked, unlock the phone, start the mobile app (if smartphone) and try again.
  • Make sure you are using a registered mobile device.  If using a new device (even if same phone number), please see How do I manage my 2FA devices.
  • Try disabling WiFi on your mobile device and connect using your provider's cellular network
  • Make sure the DUO phone numbers are not blocked on your cellular device.
  • If it is still not working, contact your University service desk.

I was recently hired and went through the UI New Hire process but did not enroll in 2FA. Can I still enroll from off-campus? 

Yes, if it has been less than 60 days since your hire date, you can log back into the UI New Hire application from off-campus and enroll in 2FA from within the application.  If you have forgotten your UI New Hire Login ID or UI New Hire Password (which is different from your NetID and NetID password), your department hiring contact can reset and resend this information to you.  You can also enroll when off-campus using your password recovery options.

I am going to be traveling abroad. Can I use 2FA? 
 
You can still use the Duo Mobile app to authenticate. By opening up the Duo Mobile app, you can press the down arrow to the right of the University of Illinois which will generate a passcode. This does not require a cellular or wireless (Wi-Fi) connection.

About this project

What is the University of Illinois’ Two-Factor Authentication (2FA) Service?  2FA is a cloud-based second-factor authentication service provided by Duo Security. 

With 2FA, you primarily rely on a smartphone in your possession (although cell phones that are not smartphones, landlines, and tablets can also be used) to quickly verify your identity in order to log in to a 2FA-protected application. Most users like the convenience of using existing phones to verify their identity, as opposed to having something else to carry with them.

Details

Article ID: 764
Created: Fri 1/15/21 6:07 PM
Modified: Wed 8/11/21 12:56 PM