Instructions and tips for enrolling in Duo and turning on two-factor authentication to protect your personal information in the services you log into via the Weblogin page (Wolverine Access, Canvas, U-M Google, U-M Box, MFile, MPrint, and more).
Two-factor (Duo) authentication for Weblogin is required for all current faculty, staff, student employees, and sponsored affiliates. It is not required of retirees, alumni, or students at this time, although they are welcome and encouraged to turn it on for Weblogin to add protection to their information in Wolverine access, U-M Google account, and more.
Need help? Contact the ITS Service Center.
Table of Contents
- Enroll in Duo and Turn on Two-Factor for Weblogin
- What to Expect When Using Two-Factor
- You need to enroll a device or phone number to turn on two-factor. When you enroll a device, two-factor for Weblogin will be turned on.
- We recommend you enroll both a primary and backup method for two-factor authentication. You can enroll multiple phone numbers and download the Duo Mobile app on multiple devices.
- The number of times you are prompted to log in to websites via the Weblogin page will not change after you turn on two-factor with Weblogin. It will simply add a second step log in—completing a two-factor authentication prompt.
- If you generally work on a single device, in a single web browser, and your browser does not block cookies, you can check Remember me for 7 days when you log in. In this case, you will not be prompted to complete two-factor for 7 days.
- If you use multiple browsers or private/incognito sessions, you will need to log in and complete the two-factor prompt for each new browser session.
- If you change location throughout the day, you will be prompted to log in or reauthenticate with each new browser session.
You only need to complete two-factor authentication when you log in through the Weblogin page. Depending on the services and websites you use, you may be prompted to log in again.
- Adding two-factor for Weblogin does not increase the number of times you are prompted to log in; it adds a second step to the login process.
- Different services and websites prompt you to log in again after different time-out periods.
With U-M Google, there is essentially no time-out. If you are logged into your U-M Google Mail or Calendar all day, you may not need to re-authenticate as you access other systems.
If you use multiple browsers, change location (and therefore the network you are on), or log out of services and websites when you are done using them, the number of times you need to log in and use two-factor increases.
Some of the common time-out periods are listed below.
- Wolverine Access:
- Employee Self-Service: 30 minutes
- University Business: 60 minutes
- Faculty Business: 60 minutes
- Canvas: 60 minutes
- Weblogin: 120 minutes
- U-M Box: 48 hours
- Introduction to Two-Factor Authentication at U-M (1:43)
- Add a Device in Duo and Manage Settings (1:25)
- Use Offline Passcodes for Travel (1:08)
- Use a YubiKey (0:28)
- Use Text Passcodes (0:39)
- Use a Phone Call (0:36)
It is not uncommon to forget your cell phone when you come to work. If you only have one phone enrolled in Duo, you can contact the ITS Service Center for a bypass code to let you in.
If you add your desk phone or a tablet as a backups, you could use them as an alternative until you have your primary device. You can enroll as many phone numbers or devices as you want. See Enroll in Duo for the enrollment procedures.
You can extend your two-factor authentication to seven days for services accessed via the Weblogin page (using the same device and web browser). To bypass the two-factor prompt for seven days, you must first check the Remember me for 7 days checkbox. This feature requires browser cookies.
Important!Checkbox grayed out? If you have set Duo to send you a push notification automatically, the Remember me for 7 days checkbox will be grayed out. Cancel the push by clicking the blue Cancel button in the lower right corner of the window. You will then be able to click the checkbox. Then you will need to click the Send Me a Push button (or choose another option if you wish) to authenticate.
If you do not share your workstation with others during your work shift, you may lock your screen when you take a break. This allows you to remain logged into systems while your computer is secured.
To lock your screen, press Ctrl+Alt+Del on a Windows computer. On a Mac, you will need to set your computer to require a password after sleep or after the screen saver begins (System Preferences --> Security & Privacy --> General tab). Then you can lock the screen by putting your computer to sleep or activating the screen saver.
You will need to log in to your computer to unlock it.
You do not need to completely log out of administrative systems if you are going to work in the systems throughout the day and you lock your screen when you are away from your computer.
It's best to set all your devices—smartphone, tablet, computer—to lock the screen and require a password or passcode for access after 15 or fewer minutes of inactivity. To learn about this and other settings to secure your devices, see Secure Your Devices.
If you are someone on the move, you probably will want to use your smartphone (or basic cell phone) as your primary two-factor authentication device so you have it when you need it. Of course, you have to remember to carry it with you! If you primarily use your desk phone for Duo, you might want to add your cell phone as a backup to use when you’re out and about on campus.
Duo two-factor authentication is not restricted to U-M devices, phones or computers. If you work from home, or need to access personal information at home (for example, W-2s, paychecks), you can add your home phone number as a backup.