Options for Two-Factor Authentication

This document describes the options available with Duo for two-factor authentication and includes links to enrollment instructions for each option.

See the Decision Aid: Choosing a Duo Option for a list of advantages and considerations for each option.
See the Duo Two-Factor Options at-a-Glance for a one-page handout that describes the options.

We recommend that you enroll in a primary option plus at least one backup option. During each login session, you can choose which of your enrolled options to use. (For login instructions, see Using Duo Two-Factor to Log In.)

The Duo Mobile app meets web accessibility requirements. If you need assistance choosing an option that will best accommodate a disability, please contact sites.knox@umich.edu.

Duo Mobile App on a Smartphone
Duo Mobile App on a Tablet
Duo Mobile App on an Apple Watch
Duo Push Notifications on an Android Smartwatch
Passcodes
Other Cell Phone—Phone Call or Text
Landline Phone Call
Softphone Call
U-M Hardware Token
U-M YubiKey
Touch ID for macOS
Third-Party Security Key

Duo Mobile App on a Smartphone

Enrolling the Duo Mobile app on a smartphone (a cell phone that allows you to download and install applications) gives you the greatest number of options when you log in to a two-factor-protected system. Most people find the push notification the most convenient option.

Push Notification	Generate an Offline Passcode	Phone Call	Passcodes via Text Message
From the login page, click Send me a Push, open the push notification on your smartphone, and tap Approve to log in. Requires WiFi or mobile data connection. Duo Mobile Push uses a minimal amount of mobile data—less than 2 KB per authentication.	No WiFi or mobile data connection needed! The app generates a passcode for you. When you log in and are prompted for two-factor, click the Enter a Passcode button, enter the passcode from the smartphone, then click Log In.	From the login page, click Call Me, answer the call on your phone, and press 1 to log in.	From the login page, click Enter a Passcode, click Text me new codes, and receive a text message that includes 10 passcodes. Enter your passcode on the login page, and click Log In. Ten passcodes are sent because each can be used only once. Passcodes expire after 30 days.

Enrollment Instructions: Enroll a Smartphone or Tablet in Duo
How-to Video: Introduction to Two-Factor Authentication at U-M (1:42)
How-to Video: Use Offline Passcodes for Travel (1:08)
Supported Device OS Versions: iPhone, Android, Windows Phone

Duo Mobile App on a Tablet

A tablet provides two options with the Duo Mobile app.

Push Notification	Generate a Passcode
From the login page, click Send me a Push, open the push notification on your smartphone, and tap Approve to log in. Requires WiFi or mobile data connection. Duo Mobile Push uses a minimal amount of mobile data—less than 2 KB per authentication.	No WiFi or mobile data connection needed! The app generates a passcode for you. When you log in and are prompted for two-factor, click the Enter a Passcode button, enter the passcode from the smartphone, then click Log In.

Enrollment Instructions: Enroll a Smartphone or Tablet in Duo
Supported Device OS Versions: iPad, Android

Duo Mobile App on an Apple Watch

An Apple Watch that you have paired with an iPhone with the Duo Mobile app provides two options.

Push Notification	Generate an Offline Passcode
From the login page, click Send me a Push, open the push notification on your Apple Watch, and tap Approve to log in. Requires WiFi or mobile data connection. Duo Mobile Push uses a minimal amount of mobile data—less than 2 KB per authentication.	No WiFi or mobile data connection needed! The app generates a passcode for you. When you log in and are prompted for two-factor, click the Enter a Passcode button, enter the passcode from your Apple Watch, then click Log In.

Enrollment Instructions: Enroll a Smartphone or Tablet in Duo to enroll the paired iPhone. Then use the companion Watch app on the iPhone to show the Duo app on your Apple Watch.
Supported Device OS Versions: iPhone, Apple Watch

Duo Push Notifications on an Android Smartwatch

There is not a standalone Duo Mobile app for Android smartwatches, but you can approve authentication requests on your watch via the notification.

Android Smartwatch
From the login page, click Send me a Push, open the push notification on your Android Smartwatch, and tap Approve to log in. Requires WiFi or mobile data connection. Duo Mobile Push uses a minimal amount of mobile data—less than 2 KB per authentication.

Enrollment Instructions: Enroll a Smartphone or Tablet in Duo to enroll an Android phone that you have paired with an Android smartwatch. Ensure that notifications are enabled on your phone and that your watch is paired with your phone. To approve authentications, your phone must be unlocked. If your phone is normally locked, you can enable Smart Lock in order to approve notification actions.

Passcodes

If you will not have a reliable cellular or WiFi connection, or even access to a phone, plan to use passcodes. There are four different ways to get an offline passcode:

Duo Mobile app. Use the Duo Mobile app to generate passcodes on a smartphone or tablet. The app can generate passcodes you can use to login when you do not have a cellular or WiFi connection. See Enroll a Smartphone or Tablet in Duo and Using Duo Two-Factor to Log In.
Text message. You will still need a cell phone connection, but a text message will often get through even when you have spotty data coverage. You will receive a set of 10 passcodes in a single text message. The passcodes are good when used within 30 days. See Enter a Passcode.
Hardware token. Hardware tokens and YubiKeys are available at no cost from the Tech Shop.
Temporary bypass code. If you are restricted from using technology, such as the internet or hardware tokens, or if you won’t be able to charge a device, contact the ITS Service Center to request a temporary bypass code. You will be asked to verify your identity by providing information such as your date of birth.

Other Cell Phone—Phone Call or Text

Cell phones with text messaging and phone service provide two options.

Phone Call	Passcodes via Text Message
From the login page, click Call Me, answer the call on your phone, and press 1 to log in.	From the login page, click Enter a Passcode, click Text me new codes, and receive a text message that includes 10 passcodes. Enter your passcode on the login page, and click Log In. Ten passcodes are sent because each can be used only once. Passcodes expire after 30 days.

Enrollment Instructions: Enroll a Landline or Non-Smart Cell Phone in Duo
How-to Video: Use a Phone Call (0:36)
How-to Video: Use Text Passcodes (0:39)

Landline Phone Call

Phone Call
From the login page, click Call Me, answer the call on your phone, and press 1 to log in.

Enrollment Instructions: Enroll a Landline or Non-Smart Cell Phone in Duo
How-to Video: Use a Phone Call (0:36)

Softphone Call

Softphone Call
From the login page, click Call Me, answer the call on your softphone, and press 1 to log in. To receive a Duo call to a softphone, you must be logged in to the softphone and have it open. If the Duo prompt indicates that the call has been answered, but you have not received the call, it has likely gone to voicemail. Make sure the softphone is logged in and connected and that your line is not occupied with another call.

From the login page, click Call Me, answer the call on your softphone, and press 1 to log in. To receive a Duo call to a softphone, you must be logged in to the softphone and have it open.

If the Duo prompt indicates that the call has been answered, but you have not received the call, it has likely gone to voicemail. Make sure the softphone is logged in and connected and that your line is not occupied with another call.

Enrollment Instructions: Enroll a Landline, Non-Smart Cell Phone, or Softphone in Duo
How-to Video: Use a Phone Call (0:36)

U-M Hardware Token

U-M hardware tokens are available from the Tech Shop. The university will cover the cost of an initial U-M hardware token for individuals. Individuals can purchase additional or replacement hardware tokens (need-based exceptions are considered on a case-by-case basis).

Passcode
From the login page, click Enter a Passcode. Press the button on your U-M hardware token to generate a passcode, enter your passcode on the authentication page, and click Log In.

Enrollment Instructions: Get and Enroll a Hardware Token or YubiKey
How-to Video: Use a Hardware Token (0:48)

U-M YubiKey

A U-M YubiKey is inserted in the USB port of your computer for touch-based authentication. To use it, click Enter a Passcode on the Duo authentication screen, touch the YubiKey to add a letter-based passcode in the passcode field, and click Log In or press Enter on your keyboard. Choose a YubiKey that's right for you based on the type of USB port in your computer and whether or not you will leave the YubiKey in your computer.

USB-A
USB-C

Notes on non-web-based login:

Only U-M YubiKeys obtained from the Tech Shop can be used to log in to non-web-based interfaces, such as servers and Virtual Private Networks (VPNs), in addition to web interfaces, such as the U-M Weblogin screen.
For a U-M YubiKey to work with a non-web-based interface, it needs to be enrolled as a U-M YubiKey. If it is enrolled as a Third-party Security Token, it will only work with a web interface.

The university will cover the cost of an initial YubiKey for individuals. Individuals can purchase additional or replacement YubiKeys (need-based exceptions are considered on a case-by-case basis).

YubiKey USB-A	YubiKey Nano USB-A	YubiKey USB-C	YubiKey Nano USB-C
Designed to fit on your keychain. Fits USB-A computer ports.	Designed to stay in your computer. Fits USB-A computer ports.	Designed to fit on your keychain. Fits USB-C computer ports.	Designed to stay in your computer. Fits USB-C computer ports.

Enrollment Instructions: Get and Enroll a Hardware Token or YubiKey
How-to Video: Use a YubiKey (0:28)

Touch ID on macOS

If you have a MacBook Pro or MacBook Air with a Touch ID button, you can use Touch ID to complete the Duo authentication prompt when logging in to Weblogin on the Chrome browser. Important: Do not set up Touch ID as your only option for two-factor authentication. If you do not have your MacBook, or if something happens to it, you will not be able to log in without contacting the ITS Service Center for a temporary bypass code.

Touch ID
From the login page, select Touch ID in the Device drop-down menu, click Use Touch ID, and complete the Duo authentication prompt.

Enrollment Instructions: Enrolling Touch ID
Supported Device OS Versions: Touch ID Requirements
How-to Video: Video Overview of Touch ID and Duo (0:48)

Third-Party Security Key

A third-party security key plugs into your USB port and when tapped or pressed it sends a signed response back to Duo to validate your login. The U-M YubiKey is an example of a security key. You may also enroll a third-party security key in Duo to log in to U-M Weblogin.

Third-Party Security Key
From the login page, select your security key in the Device drop-down menu. Depending on your security key model, you'll need to tap, insert, or press a button on your device to proceed.

Enrollment Instructions: Enrolling Your Security Key
Supported Device OS Versions: Security Key Requirements

Tags:

Two-Factor Authentication

Last Updated:

Friday, March 13, 2020