Options for Two-Factor Authentication

Environment

University of Michigan, Duo Two-Factor Authentication

Issue

Describes the options available with Duo for two-factor authentication and includes links to enrollment instructions for each option.

Resolution

We recommend that you enroll in a primary option plus at least one backup option. During each login session, you can choose which of your enrolled options to use.

​The Duo Mobile app meets web accessibility requirements. If you need assistance choosing an option that will best accommodate a disability, please contact sites.knox@umich.edu.

Duo Mobile App on a Smartphone

Enrolling the Duo Mobile app on a smartphone (a cell phone that allows you to download and install applications) gives you the greatest number of options when you log in to a two-factor-protected system. Most people find the push notification the most convenient option. The options include:

• Push Notification
• Generate an Offline Passcode
• Phone Call
• Passcodes via Text Message

Enrollment Instructions: Enroll a Device or Phone Number in Duo
Supported Device OS Versions: iPhone, Android

Duo Mobile App on a Tablet

A tablet provides two options with the Duo Mobile app:

• Push Notification
• Generate a Passcode

Enrollment Instructions: Enroll a Device or Phone Number in Duo
Supported Device OS Versions: iPad, Android

Duo Mobile App on an Apple Watch

An Apple Watch that you have paired with an iPhone with the Duo Mobile app provides two options:

• Push Notification
• Generate a Passcode

​Enrollment Instructions: Enroll a Device or Phone Number in Duo to enroll an Android phone that you have paired with an Android smartwatch. Ensure that notifications are enabled on your phone and that your watch is paired with your phone. To approve authentications, your phone must be unlocked. If your phone is normally locked, you can enable Smart Lock in order to approve notification actions.

Passcodes

If you will not have a reliable cellular or WiFi connection, or even access to a phone, plan to use passcodes. There are four different ways to get an offline passcode:

• Duo Mobile app. Use the Duo Mobile app to generate passcodes on a smartphone or tablet. The app can generate passcodes you can use to login when you do not have a cellular or WiFi connection. See Enroll a Device or Phone Number in Duo.
• Text message. You will still need a cell phone connection, but a text message will often get through even when you have spotty data coverage. You will receive a single-use passcode in a text message. The passcode is good when used within 30 days.
• U-M Hardware token. U-M Hardware tokens and U-M YubiKeys are available at no cost from the Tech Shop.
• Temporary bypass code. If you are restricted from using technology, such as the internet or hardware tokens, or if you won’t be able to charge a device, contact the ITS Service Center to request a temporary bypass code. You will be asked to verify your identity by providing information such as your date of birth.

Other Cell Phone—Phone Call or Text

Cell phones with text messaging and phone service provide two options:

• Phone Call
• Passcodes via Text Message

Enrollment Instructions: Enroll a Device or Phone Number in Duo

Landline Phone Call

Landline phones provide one option, a phone call.

Enrollment Instructions: Enroll a Device or Phone Number in Duo

Softphone Call

Softphones provide one option, a phone call. To receive a Duo call to a softphone, you must be logged in to the softphone and have it open.

Enrollment Instructions: Enroll a Device or Phone Number in Duo

U-M Hardware Token

U-M hardware tokens are available from the Tech Shop. The university will cover the cost of an initial U-M hardware token for individuals. Individuals can purchase additional or replacement hardware tokens (need-based exceptions are considered on a case-by-case basis). A hardware token provides one option, a passcode.

Enrollment Instructions: Enroll a U-M Hardware Token or U-M YubiKey

U-M YubiKey

A U-M YubiKey is inserted in the USB port of your computer for touch-based authentication. 

• Only U-M YubiKeys obtained from the Tech Shop can be used to log in to non-web-based interfaces, such as servers and Virtual Private Networks (VPNs), in addition to web interfaces, such as the U-M Weblogin screen.
• For a U-M YubiKey to work with a non-web-based interface, it needs to be enrolled as a U-M YubiKey. If it is enrolled as a Third-party Security Token, it will only work with a web interface.

The university will cover the cost of an initial YubiKey for individuals. Individuals can purchase additional or replacement YubiKeys (need-based exceptions are considered on a case-by-case basis). There are four USB port options:

• YubiKey USB-A
• YubiKey Nano USB-A
• YubiKey USB-C
• YubiKey Nano USB-C

Enrollment Instructions: Enroll a U-M Hardware Token or U-M YubiKey

Biometric Options

Depending on your device, you may be able to use your device's biometric authentication.

Enrollment Instructions:

• Touch ID on Mac
• Windows Hello
• Face ID/Touch ID on iPhone or iPad
• Android Biometrics

Third-Party Security Key

A third-party security key plugs into your USB port and when tapped or pressed it sends a signed response back to Duo to validate your login. You may enroll a third-party security key in Duo to log in to U-M Weblogin.

Enrollment Instructions: Enroll a Device or Phone Number in Duo

Supported Device OS Versions: Security Key Requirements

Additional Information

Need additional information or assistance? Contact the ITS Service Center.