Environment
University of Michigan, Duo Two-Factor Authentication
Issue
Instructions for using Duo two-factor authentication when logging in.
Resolution
Instructions for using Duo two-factor authentication when logging in.
Automatic prompts
- Duo authentication automatically defaults to the authentication method you last used on the same browser and device.
- You can cancel an automatic prompt and select Other options to change your authentication method.
- When using a new browser or device to log in, Duo defaults to the most secure method available (in order of Touch ID, Security key, Duo Mobile push, YubiKey passcode, Duo Mobile passcode, Hardware token passcode, SMS passcode, Phone call).
"This is my device/Remember me"
To bypass the two-factor prompt for seven days when using Weblogin AND the same device and web browser, click This is my device after completing the two-factor authentication step. After seven days, a Remember me for 7 days checkbox will appear checked on the Duo Universal Prompt. If you want to turn off the "Remember me" feature, unclick the checkbox. (This feature requires browser cookies.)
Push Notification—Duo Mobile App
- Duo immediately sends a notification to your mobile device. Depending on how you have set notifications up on your device, you may need to open the notification.
- On your device, tap Approve to approve the login.
Important! If you receive a push notification that you did not initiate:
Phone Call—Call Me
- Duo will immediately phone the number you enrolled. Answer the call on your phone, and press 1 to approve the login.
The call interface for a softphone is shown here. To receive a Duo call to a softphone, you must be logged in to the softphone and have it open.
Important! If you receive a Duo authentication phone call that you did not initiate:
- Press 9 to report fraud. You may want to change your UMICH password.
- If the Duo prompt indicates that the call has been answered, but you have not received the call, it has likely gone to voicemail. Make sure the softphone is logged in and connected and that your line is not occupied with another call.
Enter a Passcode
- You can get a passcode to enter in multiple ways. Instructions for each option are below.
- Generate a passcode with the Duo Mobile app
- Get passcode via text message
- Duo hardware token passcode
- YubiKey passcode
- Emergency bypass code
Generate a Passcode with the Duo Mobile App
You don't need WiFi or cellular connectivity to generate a passcode with the Duo Mobile app. This works even if your device is in Airplane mode.
- Open the Duo Mobile app on your device.
- In the app, tap the University of Michigan account.
- A six-digit passcode displays in the app.
- To log in on your computer, enter the passcode in the passcode field, and click Verify.
Get Passcodes Via Text Message
- Duo will immediately send a text message with a passcode to the device you enrolled.
- To log in on your computer, enter the seven-digit passcode in the authentication window on your computer, and click Verify. Passcodes expire after 30 days.
U-M Hardware Token Passcode
It does not matter which device is selected on the Duo authentication screen. You can enter a passcode from your U-M hardware token without changing the default device.
- Tap the green button on your U-M hardware token to display a six-digit passcode.
- Enter the passcode in the passcode field.
- Click Verify.
Note: If the login screen displays “Incorrect passcode. Please try again.” your hardware token may be out of sync. You can re-sync it by generating and entering a new passcode three more times. On the third entry, you should be logged in successfully.
U-M YubiKey Passcode
- Touch the U-M YubiKey in the USB port of your computer to add a text-based passcode to the passcode field.
- Click Verify.
Temporary Bypass Code
When you don't have any of your Duo options available to you, you can phone the ITS Service Center for a temporary bypass code.
- Phone the Service Center at 734-764-HELP (764-4357).
- Ask for a Duo two-factor temporary bypass code and say how long you need it for. The Service Center can give you a bypass code that is good for an extended period of time.
- You will be asked to verify your identity by providing information such as your date of birth.
- To log in on your computer, enter the passcode in the passcode field, and click Verify.
Third-Party Security Key
A security key plugs into your USB port and when tapped or pressed it sends a signed response back to Duo to validate your login.
- When you see the "Use your Security Key to login" message in the blue bar at the bottom of the screen, tap, insert, or press a button on your third-party security key to authenticate.
Secure Shell (SSH) Clients
When logging in with an SSH client (for example, PuTTY), the prompt field for Duo two-factor authentication is completed as follows. Depending on the SSH client, these instructions may not be displayed above the prompt field.
If you have a primary and backup device enrolled in Duo, enter a passcode or enter one of the following numbers:
- Duo Push to primary device
- Phone call to primary device
- Phone call to backup device
- SMS passcode to primary device
If you have only one device enrolled in Duo, enter a passcode or enter one of the following numbers:
- Duo Push to primary device
- Phone call to primary device
- SMS passcode to primary device
Remote Desktop Protocol (RDP)
- If Duo automatically sends you a Duo Mobile Push notification or a phone call, approve the Duo Push or phone call.
- To switch to a different authentication method (e.g., backup phone), click Cancel.
- Enter a Duo passcode or the name of an authentication option you want to use:
- push for a Duo Push to primary device
- phone for call to primary device
- sms to text passcodes to primary device
- push2 for a Duo Push to backup device
- phone2 for call to backup device
- sms2 to text passcodes to backup device
- Click OK.
- Approve the authentication prompt.
Additional Information
Need additional information or assistance? Contact the ITS Service Center.