Options for Two-Factor Authentication

Environment

University of Michigan, Duo Two-Factor Authentication

Issue

Describes the options available with Duo at U-M for two-factor authentication.

Resolution

Duo two-factor authentication has multiple options for methods of authentication.

When enrolling in Duo two-factor authentication, you have the ability to choose a primary option plus backup options. That way, Duo streamlines the authentication process by having you authenticate using your preferred method without asking you each time.

Note: You can modify your options from the Duo prompt by clicking the “Other Options” link.

Overall Recommendations

• It is important to enroll in a primary option plus at least one backup option. This ensures you will be able to log in even if you do not have your primary option.
• We recommend choosing the Duo Mobile App as either your primary or backup option because it offers multiple login-approval methods that are very secure and work with or without a WiFi or cellular connection.
• Some options are more secure than others. Here is some overall guidance:
  • Biometric options and security keys are the most secure, but they are not the most flexible options.
  • Phone calls and text messages are available but not recommended because they are less secure.

The options for two-factor authentication are described below.

Duo Mobile App

The Duo Mobile app on a smartphone, tablet, or smartwatch gives you the best combination of flexibility and security when you need to authenticate with Duo two-factor. Options include:

Verified Push Notification: Duo sends a notification to your device, where you enter a three-digit passcode from the authentication screen and tap Verify within 60 seconds.
Mobile App Passcode: Ender a six-digit passcode within 60 seconds to authenticate (works with or without a WiFi or cellular connection).

Notes:

• ​The Duo Mobile app meets web accessibility requirements.
• Users should regularly update their version of the Duo Mobile app to the most current version. If you are unable to update to the most current version of Duo Mobile app, you will need to choose an alternate method.
• The most recent version of Duo Mobile is available from the app stores for devices running Android 11 or later and iOS 15 or later.

Enrollment Instructions: Enroll a Device or Phone Number in Duo
Supported Device OS Versions: iPhone, Android, iPad

U-M Security Token

You can use a U-M security token to generate a passcode when authenticating with Duo. There are two types of U-M security tokens:

• U-M hardware token: This is a key fob that generates a passcode for you to enter.
• YubiKey: A YubiKey is a chip that you insert into the USB port of your computer. When logging in, place your cursor in the passcode field and tap the YubiKey to enter a passcode.

U-M security tokens are available from the ITS Tech Shop. The university will cover the cost of an initial U-M security token for individuals. Individuals can purchase additional or replacement hardware tokens (need-based exceptions are considered on a case-by-case basis). 

Enrollment Instructions: Enroll a Device or Phone Number in Duo
Supported Device OS Versions: iPad, Android

Security Key

A security key plugs into your USB port and when tapped or pressed it sends a signed response back to Duo to validate your identity. You may enroll a third-party security key or a U-M YubiKey as a security key.

Note: A U-M YubiKey may be enrolled as either a U-M security token to generate a passcode or as a security key that can be tapped to verify your identity.

Enrollment Instructions: Enroll a Device or Phone Number in Duo
Supported Device OS Versions: Security Key Requirements

Biometric Options

You can use your device's biometric authentication, if available. See Duo’s enrollment instructions for different biometric options:

• Touch ID on Mac
• Windows Hello
• Face ID/Touch ID on iPhone or iPad
• Android Biometrics

Phone Call - not recommended, less secure

A smartphone (with or without the Duo Mobile app), landline, or softphone can be used to receive a phone call. When authenticating with Duo, answer the call and press 1 on your phone’s keypad to authenticate or press 2 to report fraud.

Notes:

• To receive a Duo call to a softphone, you must be logged in to the softphone and have it open. 
• Michigan Medicine affiliates do not have the phone option for all systems.

Enrollment Instructions: Enroll a Device or Phone Number in Duo

Text Message - not recommended, less secure

You will need a cell phone connection, but a text message will often get through even when you have spotty data coverage. You will receive a single-use passcode in a text message.

Note: Michigan Medicine affiliates do not have the text message option for all systems

Enrollment Instructions: Enroll a Device or Phone Number in Duo

Temporary Bypass Code

If you are restricted from using technology, such as the internet or hardware tokens, or if you won’t be able to charge a device, contact the ITS Service Center.

Additional Information

Michigan Medicine affiliates will not be able to call or text options with Michigan Medicine related resources. Contact Health Information Technology & Services (HITS) if you have additional questions about Duo authentication for Michigan Medicine. 

Need additional information or assistance? Contact the ITS Service Center.

If you need help choosing a Duo two-factor authentication option that meets your needs, or encounter a disability-related barrier, contact the ITS Accessibility Team.