Using Duo Two-Factor to Log In

This document provides instructions for using two-factor authentication (2FA) when logging in. You have multiple options available to you: push notification using the Duo Mobile app, phone call, and passcodes (generated by the Duo Mobile app, sent via text message, and generated by a hardware token—as well as emergency bypass codes from the ITS Service Center). These options include the Remember me for 12 hours option for Weblogin. This document also includes 2FA instructions for Secure Shell (SSH) clients and Remote Desktop Protocol (RDP).

Contents

Consider This First

  • Before you can use two-factor authentication, you must first choose and enroll in one of the Options for Two-Factor Authentication.
  • If you are logging in to a two-factor-protected system via the U-M Weblogin page, you will first enter your uniqname and UMICH (Level-1) password and click Log In. Then you will see the Duo two-factor authentication screen. Other two-factor protected systems may present the two-factor prompts differently.
  • If your Duo setting for When I log in is Automatically send this device a Duo Push or Automatically call this device, you can still use the Remember me for 12 hours option when you log in:
    • First click the blue Cancel button on the login screen to cancel the automatic push or call, and then check Remember me for 12 hours and initiate a new push or phone call.
    • This will bypass the two-factor prompt for 12 hours for Weblogin (using the same device and web browser).
    • When you next log in after 12 hours, Duo will automatically send you a push or call and the Remember me for 12 hours option will already be checked. If you do not want to renew that option, cancel the automatic push or call, uncheck Remember me for 12 hours, and initiate a new push or phone call.
  • ATTENTION MICHIGAN MEDICINE!See Duo Two-Factor Security (Michigan Medicine) for instructions specifically for the Michigan Medicine community.

Push Notification—Duo Mobile App

  1. Click Send Me a Push.
    To bypass the two-factor prompt for 12 hours for Weblogin (using the same device and web browser), first check Remember me for 12 hours. This feature requires browser cookies.

    Choose an authentication method page

  2. Duo immediately sends a notification to your mobile device. Depending on how you have set notifications up on your device, you may need to open the notification.
  3. On your device, tap Approve to approve the login.

    mobile push notification

    Important! If you receive a push notification that you did not initiate, tap Deny, then tap It's unusual - I'm not sure I should approve it.

  4. If you want to cancel the push (for example, because you want to switch to a different device or authentication method), click the blue Cancel button that appears on the login screen when the push is being sent.

    mobile push Cancel screen

Phone Call—Call Me

  1. Click Call Me.
    To bypass the two-factor prompt for 12 hours for Weblogin (using the same device and web browser), first check Remember me for 12 hours. This feature requires browser cookies.

    Choose an authentication method page

  2. Duo will immediately phone the number you enrolled. Answer the call on your phone, and press 1 to approve the login.

    Important! If you receive a Duo authentication phone call that you did not initiate, press 9 to report fraud.

  3. If you want to cancel the phone call (for example, because you want to switch to a different device or authentication method), click the blue Cancel button that appears on the login screen when the call is being made.

    mobile push Cancel screen

Enter a Passcode

  1. Click Enter a Passcode.
    To bypass the two-factor prompt for 12 hours for Weblogin (using the same device and web browser), first check Remember me for 12 hours. This feature requires browser cookies.

    Choose an authentication method page

  2. You can get a passcode to enter in multiple ways. Instructions for each option are below.
    • Generate a passcode with the Duo Mobile app
    • Get passcodes via text message
    • Duo hardware token passcode
    • Emergency bypass code

Generate a Passcode with the Duo Mobile App

You don't need WiFi or cellular connectivity to generate a passcode with the Duo Mobile app. This works even if your device is in Airplane mode.

  1. Open the Duo Mobile app on your device.
  2. In the app, tap the key icon.
  3. A six-digit passcode displays in the app.
  4. To log in on your computer, click the Enter a Passcode button, then enter the passcode in the passcode field, and click Log In.

    Choose an authentication method page - enter a passcode

 

Get Passcodes Via Text Message

  1. Click Text me new codes at the bottom of the window.

    Choose an authentication method page - text me new codes button

  2. Duo will immediately send a text message with 10 passcodes to the device you enrolled.
  3. To log in on your computer, enter the first six-digit passcode in the authentication window on your computer, and click Log In. Use the remaining passcodes in order as needed until they expire.

    Note: Each passcode can be used only once. Passcodes expire after 12 hours.

Example of Text Message With Passcodes

text message with passcodes

 

Duo Hardware Token Passcode

It does not matter which device is selected on the Duo authentication screen. You can enter a passcode from your hardware token at any time.

  1. Click the Enter a Passcode or Enter a Bypass Code button.
  2. Tap the green button on your Duo hardware token to display a six-digit passcode.
  3. To log in on your computer, enter the passcode in the passcode field, and click Log In.

    hardware token

    Note: If the login screen displays “Incorrect passcode. Please try again.” your hardware token may be out of sync. You can re-sync it by generating and entering a new passcode two more times. On the third entry, you should be logged in successfully.

Emergency Bypass Code

In an emergency when you don't have any of your Duo options available to you, you can phone the ITS Service Center for an emergency bypass code.

  1. Phone the Service Center at 734-764-HELP (764-4357).
  2. Ask for a Duo two-factor emergency bypass code and say how long you need it for. The Service Center can give you a bypass code that is good for up to four days. Extended-use bypass codes require security approval, which the Service Center can request for you if needed.
  3. You will be asked to verify your identity by providing information such as your date of birth.
  4. To log in on your computer, click the Enter a Passcode button, enter the passcode in the passcode field, and click Log In.

Secure Shell (SSH) Clients

When logging in with an SSH client (for example, PuTTY), the prompt field for Duo two-factor authentication is completed as follows. Depending on the SSH client, these instructions may not be displayed above the prompt field.

If you have a primary and backup device enrolled in Duo, enter a passcode or enter one of the following numbers:

  1. Duo Push to primary device
  2. Phone call to primary device
  3. Phone call to backup device
  4. SMS passcode to primary device

If you have only one device enrolled in Duo, enter a passcode or enter one of the following numbers:

  1. Duo Push to primary device
  2. Phone call to primary device
  3. SMS passcode to primary device

Remote Desktop Protocol (RDP)

  1. If Duo automatically sends you a Duo Mobile Push notification or a phone call, approve the Duo Push or phone call.
  2. To switch to a different authentication method (e.g., backup phone), click Cancel.

    RDP automatic push dialog box

  3. Enter a Duo passcode or the name of an authentication option you want to use:
    • push for a Duo Push to primary device
    • phone for call to primary device
    • sms to text passcodes to primary device
    • push2 for a Duo Push to backup device
    • phone2 for call to backup device
    • sms2 to text passcodes to backup device

    RDP prompt for authentication method

  4. Click OK.
  5. Approve the authentication prompt.
Last Updated: 
Sunday, May 14, 2017