Using Duo Two-Factor to Log In

This document provides instructions for using two-factor authentication (2FA) when logging in. You have multiple options available to you: push notification using the Duo Mobile app, phone call, and passcodes (generated by the Duo Mobile app, sent via text message, and generated by a hardware token—as well as emergency bypass codes from the ITS Service Center). These options include the Remember me for 12 hours option for Weblogin. This document also includes 2FA instructions for Secure Shell (SSH) clients and Remote Desktop Protocol (RDP).

Contents

Consider This First

  • Before you can use two-factor authentication, you must first choose and enroll in one of the Options for Two-Factor Authentication.
  • If you are logging in to a two-factor-protected system via the U-M Weblogin page, you will first enter your uniqname and UMICH (Level-1) password and click Log In. Then you will see the Duo two-factor authentication screen. Other two-factor protected systems may present the two-factor prompts differently.
    • ATTENTION MICHIGAN MEDICINE!See Duo Two-Factor Security (Michigan Medicine) for instructions specifically for the Michigan Medicine community.

    Use "Remember Me"

    To bypass the two-factor prompt for 12 hours when using Weblogin (using the same device and web browser), check the Remember me for 12 hours checkbox at the bottom of the window. (This feature requires browser cookies.)

    The Remember Me checkbox is at the end of the page.

    Checkbox grayed out? If you have set Duo to send you a push notification automatically, the Remember me for 12 hours checkbox may be grayed out. Cancel the push by clicking the blue Cancel button in the lower right corner of the window. You will then be able to click the checkbox. Then you will need to click the Send Me a Push button (or choose another option if you wish) to authenticate.

    Push Notification—Duo Mobile App

    1. Click Send Me a Push.
      To bypass the two-factor prompt for 12 hours for Weblogin (using the same device and web browser), first check Remember me for 12 hours.

      Choose an authentication method page

    2. Duo immediately sends a notification to your mobile device. Depending on how you have set notifications up on your device, you may need to open the notification.
    3. On your device, tap Approve to approve the login.

      mobile push notification

      Important! If you receive a push notification that you did not initiate, tap Deny, then tap It's unusual - I'm not sure I should approve it.

    4. If you want to cancel the push (for example, because you want to switch to a different device or authentication method), click the blue Cancel button that appears on the login screen when the push is being sent.

      mobile push Cancel screen

    Phone Call—Call Me

    1. Click Call Me.
      To bypass the two-factor prompt for 12 hours for Weblogin (using the same device and web browser), first check Remember me for 12 hours. This feature requires browser cookies.

      Choose an authentication method page

    2. Duo will immediately phone the number you enrolled. Answer the call on your phone, and press 1 to approve the login.

      Important! If you receive a Duo authentication phone call that you did not initiate, press 9 to report fraud.

    3. If you want to cancel the phone call (for example, because you want to switch to a different device or authentication method), click the blue Cancel button that appears on the login screen when the call is being made.

      mobile push Cancel screen

    Enter a Passcode

    1. Click Enter a Passcode.
      To bypass the two-factor prompt for 12 hours for Weblogin (using the same device and web browser), first check Remember me for 12 hours. This feature requires browser cookies.

      Choose an authentication method page

    2. You can get a passcode to enter in multiple ways. Instructions for each option are below.
      • Generate a passcode with the Duo Mobile app
      • Get passcodes via text message
      • Duo hardware token passcode
      • Emergency bypass code

    Generate a Passcode with the Duo Mobile App

    You don't need WiFi or cellular connectivity to generate a passcode with the Duo Mobile app. This works even if your device is in Airplane mode.

    1. Open the Duo Mobile app on your device.
    2. In the app, tap the key icon.
    3. A six-digit passcode displays in the app.
    4. To log in on your computer, click the Enter a Passcode button, then enter the passcode in the passcode field, and click Log In.

      Choose an authentication method page - enter a passcode

     

    Get Passcodes Via Text Message

    1. Click Text me new codes at the bottom of the window.

      Choose an authentication method page - text me new codes button

    2. Duo will immediately send a text message with 10 passcodes to the device you enrolled.
    3. To log in on your computer, enter the first six-digit passcode in the authentication window on your computer, and click Log In. Use the remaining passcodes in order as needed until they expire.

      Note: Each passcode can be used only once. Passcodes expire after 12 hours.

    Example of Text Message With Passcodes

    text message with passcodes

     

    Duo Hardware Token Passcode

    It does not matter which device is selected on the Duo authentication screen. You can enter a passcode from your hardware token at any time.

    1. Click the Enter a Passcode or Enter a Bypass Code button.
    2. Tap the green button on your Duo hardware token to display a six-digit passcode.
    3. To log in on your computer, enter the passcode in the passcode field, and click Log In.

      hardware token

      Note: If the login screen displays “Incorrect passcode. Please try again.” your hardware token may be out of sync. You can re-sync it by generating and entering a new passcode two more times. On the third entry, you should be logged in successfully.

    Emergency Bypass Code

    In an emergency when you don't have any of your Duo options available to you, you can phone the ITS Service Center for an emergency bypass code.

    1. Phone the Service Center at 734-764-HELP (764-4357).
    2. Ask for a Duo two-factor emergency bypass code and say how long you need it for. The Service Center can give you a bypass code that is good for up to four days. Extended-use bypass codes require security approval, which the Service Center can request for you if needed.
    3. You will be asked to verify your identity by providing information such as your date of birth.
    4. To log in on your computer, click the Enter a Passcode button, enter the passcode in the passcode field, and click Log In.

    Secure Shell (SSH) Clients

    When logging in with an SSH client (for example, PuTTY), the prompt field for Duo two-factor authentication is completed as follows. Depending on the SSH client, these instructions may not be displayed above the prompt field.

    If you have a primary and backup device enrolled in Duo, enter a passcode or enter one of the following numbers:

    1. Duo Push to primary device
    2. Phone call to primary device
    3. Phone call to backup device
    4. SMS passcode to primary device

    If you have only one device enrolled in Duo, enter a passcode or enter one of the following numbers:

    1. Duo Push to primary device
    2. Phone call to primary device
    3. SMS passcode to primary device

    Remote Desktop Protocol (RDP)

    1. If Duo automatically sends you a Duo Mobile Push notification or a phone call, approve the Duo Push or phone call.
    2. To switch to a different authentication method (e.g., backup phone), click Cancel.

      RDP automatic push dialog box

    3. Enter a Duo passcode or the name of an authentication option you want to use:
      • push for a Duo Push to primary device
      • phone for call to primary device
      • sms to text passcodes to primary device
      • push2 for a Duo Push to backup device
      • phone2 for call to backup device
      • sms2 to text passcodes to backup device

      RDP prompt for authentication method

    4. Click OK.
    5. Approve the authentication prompt.
    Last Updated: 
    Sunday, May 14, 2017