Body
Environment
University of Michigan, Duo Two-Factor Authentication
Issue
Describes the options available with Duo at U-M for two-factor authentication.
Resolution
Duo two-factor authentication has multiple options for methods of authentication.
When enrolling in Duo two-factor authentication, you have the ability to choose a primary option plus backup options. That way, Duo streamlines the authentication process by having you authenticate using your preferred method without asking you each time.
Note: You can modify your options from the Duo prompt by clicking the “Other Options” link.
Overall Recommendations
- It is important to enroll in a primary option plus at least one backup option. This ensures you will be able to log in even if you do not have your primary option.
- We recommend choosing the Duo Mobile App as either your primary or backup option because it offers multiple login-approval methods that are very secure and work with or without a WiFi or cellular connection.
- Some options are more secure than others. Here is some overall guidance:
- Biometric options and security keys are the most secure, but they are not the most flexible options.
- Phone calls and text messages are available but not recommended because they are less secure.
The options for two-factor authentication are described below.
Duo Mobile App
The Duo Mobile app on a smartphone, tablet, or smartwatch gives you the best combination of flexibility and security when you need to authenticate with Duo two-factor. Options include:
|
Verified Push Notification: Duo sends a notification to your device, where you enter a three-digit passcode from the authentication screen and tap Verify within 60 seconds.
|
 |
|
Mobile App Passcode: Ender a six-digit passcode within 60 seconds to authenticate (works with or without a WiFi or cellular connection).
|
 |
Notes:
- The Duo Mobile app meets web accessibility requirements.
- Users should regularly update their version of the Duo Mobile app to the most current version. If you are unable to update to the most current version of Duo Mobile app, you will need to choose an alternate method.
- The most recent version of Duo Mobile is available from the app stores for devices running Android 11 or later and iOS 15 or later.
Enrollment Instructions: Enroll a Device or Phone Number in Duo
Supported Device OS Versions: iPhone, Android, iPad
U-M Security Token
You can use a U-M security token to generate a passcode when authenticating with Duo. There are two types of U-M security tokens:
- U-M hardware token: This is a key fob that generates a passcode for you to enter.
- YubiKey: A YubiKey is a chip that you insert into the USB port of your computer. When logging in, place your cursor in the passcode field and tap the YubiKey to enter a passcode.
U-M security tokens are available from the ITS Tech Shop. The university will cover the cost of an initial U-M security token for individuals. Individuals can purchase additional or replacement hardware tokens (need-based exceptions are considered on a case-by-case basis).
Enrollment Instructions: Enroll a Device or Phone Number in Duo
Supported Device OS Versions: iPad, Android
Security Key
A security key plugs into your USB port and when tapped or pressed it sends a signed response back to Duo to validate your identity. You may enroll a third-party security key or a U-M YubiKey as a security key.
Note: A U-M YubiKey may be enrolled as either a U-M security token to generate a passcode or as a security key that can be tapped to verify your identity.
Enrollment Instructions: Enroll a Device or Phone Number in Duo
Supported Device OS Versions: Security Key Requirements
Biometric Options
You can use your device's biometric authentication, if available. See Duo’s enrollment instructions for different biometric options:
Phone Call - not recommended, less secure
A smartphone (with or without the Duo Mobile app), landline, or softphone can be used to receive a phone call. When authenticating with Duo, answer the call and press 1 on your phone’s keypad to authenticate or press 2 to report fraud.
Notes:
- To receive a Duo call to a softphone, you must be logged in to the softphone and have it open.
- Michigan Medicine affiliates do not have the phone option for all systems.
Enrollment Instructions: Enroll a Device or Phone Number in Duo
Text Message - not recommended, less secure
You will need a cell phone connection, but a text message will often get through even when you have spotty data coverage. You will receive a single-use passcode in a text message.
Note: Michigan Medicine affiliates do not have the text message option for all systems
Enrollment Instructions: Enroll a Device or Phone Number in Duo
Temporary Bypass Code
If you are restricted from using technology, such as the internet or hardware tokens, or if you won’t be able to charge a device, contact the ITS Service Center.
Additional Information
Michigan Medicine affiliates will not be able to call or text options with Michigan Medicine related resources. Contact Health Information Technology & Services (HITS) if you have additional questions about Duo authentication for Michigan Medicine.
Need additional information or assistance? Contact the ITS Service Center.
If you need help choosing a Duo two-factor authentication option that meets your needs, or encounter a disability-related barrier, contact the ITS Accessibility Team.