Two-Factor Login When the Push Option is Unavailable (Duo Append)

Environment

Duo two-factor authentication when the tool sends a push notification without any user interaction

Issue

Sometimes you do not receive a Duo Push, either by choice or because you are not near their device.  Accessing a U-M resource that automatically sends push notifications without user interaction will not work by default.

For example, ITS BeyondTrust/Bomgar, UMHS SSL VPN and the UMVPN using the MacOS’ built-in VPN client simply send a push notification when the user’s uniqname and password are submitted. It is not obvious that a Duo push was sent and you cannot select other options on your computer screen for authentication.

Resolution

A passcode or prompt for an alternative two-factor method can be added after the password with an appropriate append character between, based on the system requiring the two-factor authentication. 

Here are example instructions on how to authenticate using other two-factor Duo methods.

1. In the Username: field input your uniqname
2. Use the bullet points below as a guide on what to input in the Password: field (Note: replace yourpassword with your unique account password and do not input any spaces after your password):
   • yourpassword,123456  ([your password][comma][a code from the app or token, or a yubikey])
   • yourpassword,phone (will call the first phone number on record with Duo)  use phone1 or the other number for alternate devices
   • yourpassword,sms (receive a text with new codes, will have to authenticate again)
3. Note that the appended character varies by resource
   • ITS resources like BeyondTrust (Bomgar) and UMVPN both use the comma as the appended character
   • UMHS SSL VPN and possibly other Michigan Medicine resources use the caret ^ append
     • yourpassword^123456 ([your password][caret][a code from the app or token, or a yubikey]) 

Additional Information

Note that this does not apply to the U-M Weblogin page (Level-1), which should prompt you after login for Duo; if the U-M Weblogin automatically sends a push, you can click “cancel” on the blue banner at the bottom of the Duo options to choose a new Duo method.

• There is not a list of resources that will allow append for Duo
• Depending on which VPN you are using you may or may not be able to use append mode
  • Normal UMVPN profiles do not allow append mode, use umvpn.umnet.umich.edu/umvpn-all-traffic-alt or umvpn.umnet.umich.edu/umvpn-split-tunnel-alt instead

Need additional information or assistance? Contact the ITS Service Center.