Frequently Asked Questions About Two-Factor for Weblogin

Expand All Content

General

I see a screen about turning on two-factor every time I log in at Weblogin. Can I make it go away?

Yes. The interrupt screen begins appearing at Weblogin on January 7 for everyone who has not yet turned on two-factor for Weblogin and will be required to do so starting January 23, 2019. 

Turn on two-factor for Weblogin, and you will stop seeing the interrupt screen. You will also stop receiving reminder emails. The reminder screen is intended to help you remember to turn on two-factor before the deadline and to ensure that everyone who will be required to use it is aware of the new requirement.

What if I am charged for texts, don't have a device, or need assistance with device expenses?

The expenses related to the Duo options are mostly low-cost or no-cost. If you need assistance, contact the ITS Service Center so we can connect you with the best low-cost or no-cost option for you.

What can I do to prepare for Duo two-factor for Weblogin?

If you haven’t done so already, you can become an early adopter by (1) enrolling in Duo and (2) turning on two-factor for Weblogin. Visit the Safe Computing website to get started.

If I’m on sabbatical or a leave of absence, am I exempt from the Duo requirement?

No. If you access online resources protected by U-M Weblogin when you are away from the university, you will need to enroll in and begin using one of the multiple options that Duo offers for two-factor authentication by January 23.

Aren’t there better tools than Duo?

No. U-M’s Information Assurance believes Duo is the better choice for what the university hopes to achieve in protecting the institution’s systems and data, as well as your own personal information stored at the university.

Duo is a high-performing, Ann Arbor-based company, recently acquired by Cisco Systems. Besides the fact that the company was founded by Michigan alums, which is a plus, many of our peer institutions are successfully using the two-factor tool.

Duo provides faculty, staff, and students with the most options for individual choice (that is, mobile app, passcode, landline, or hardware token), while effectively allowing U-M to maintain its core missions.

Isn’t having everyone use Duo costly to U-M?

No. In fact, the reverse is true. Successful attacks on peer universities not using two-factor have been costly in terms of time, reputation, and resources. The cost of using Duo is significantly less than the potential cost of a serious data breach. 

I need to use a hardware token, but I heard there is a cost. Do I have to pay for a hardware token?

No. The cost of a hardware token is $25, which is covered centrally by ITS for faculty and staff who cannot or prefer not to use the Duo Mobile app. Check with the IT staff in your unit to see if they have a hardware token you can use. If not, you can get one directly from Computer Showcase.

Will the “whitelist” that exempts faculty and graduate student instructors from using two-factor authentication be continued?

No. Both the ability of faculty and instructors to access online resources, such as Canvas, and the protection of their U-M accounts and credentials are important. Duo provides multiple options for two-factor authentication, so that individuals can continue accessing online resources easily during instructional activities.

Using Duo

What if I forget my two-factor device?

Contact the ITS Service Center to request a temporary bypass code to log in.

Afterward, we recommend you enroll your office landline (if you have one) as a backup option in case your regular two-factor device is unavailable for whatever reason in the future.

Does using Duo require that everyone own a smartphone? What are my options if I don't use a mobile device?

Duo offers multiple options. You do not need to own a smartphone. Although the majority of people find having the Duo Mobile app on their smartphone or other mobile device to be the most convenient option, it may not work for everyone. Duo offers multiple options for different circumstances and needs, including using a basic cell phone, landline, or hardware token.

What happens if I don't enroll by January 23, 2019? Will I still be able to login?

You will not be able to log in until you enroll in a Duo two-factor option or get a temporary bypass code from the ITS Service Center. If you haven’t enrolled as of January 23, 2019, the login screen will prompt you to either enroll in Duo or cancel your login.

Are there exceptions available for those who do not want to use Duo at Weblogin?

No. To better protect university systems and data, it is important that all faculty, staff, and sponsored affiliates use two-factor for Weblogin.

Why is the Duo Remember Me option for 7 days? Can I change that?

The Remember Me for 7 days option is the maximum length of time that U-M allows Duo two-factor to be remembered, provided you are using the same device, same web browser, and your browser does not block cookies. Remember Me is optional and the length of time cannot be changed. However, if you want Duo to remember you for less than 7 days, you can adjust your browser settings to clear your cookies when quitting your browser.

How large is the Duo Mobile app?

The Duo app uses about 32 MB of internal storage on an Android device and 28 MB on an iPhone. For reference, that is the same size as about four digital pictures taken with your device's camera.

Can I use a desktop or laptop application to authenticate with Duo?

No. Duo does not offer a computer app, which means you will need a separate device—such as a phone, tablet, or hardware token.

What Duo options can I choose from?

U-M faculty and staff can choose the Duo option that works best for them, although some schools, colleges, or units may have their own preferences or guidelines.

Available options:

  • App for your mobile device that offers a "push" notification or passcodes (Most Popular)
  • Passcodes via text message
  • Phone call-back
  • Duo hardware tokens (available for purchase at the U-M Computer Showcase)

I understand there is a landline option, but won’t that incur charges?

Yes and no. U-M pays per-authentication charges when a phone call (or text message) is used. And while there is no cost to you when using a university landline, your phone plan’s rates would apply if you’re using a personal landline. We encourage you to check with your carrier to be certain.

Can I use multiple options or do I have to pick just one?

You can use various Duo options as needed. We recommend that you set up a primary option as well as a backup option. Additional options can be added whenever you wish.

Where can I purchase a Duo hardware token?

Hardware tokens are available from the Computer Showcase. Two walk-in locations are available.

How do I re-sync a hardware token?

You can re-sync a hardware token by generating a new passcode three more times and entering each of the three passcodes on the Duo prompt. On the third entry, you should be logged in successfully.

Your hardware token may be out of sync when the login screen displays “Incorrect passcode. Please try again.”

Can I use a YubiKey?

Yes. YubiKeys are available from the Computer Showcase. Two walk-in locations are available.

 

I already use Duo for services outside the university. How will that work when using it at U-M?

When you enroll, you will be adding an account. You will see a U-M account in your Duo app.

I am student who has to use Duo because of work or my unit requires it. What if I have an exam that requires me to log in, but I can’t bring my smartphone into class?

It is best to check with your instructor before the exam to determine how they would like to address this matter for your particular class.

One of the easiest options, assuming you have the Duo Mobile app, would be to use the Duo login screen shortly before the exam and send yourself a text message with 10 passcodes. Write them down and take your list of passcodes into class. Again, it is a good idea to check with your instructor first to make sure they are okay with this option.

Text message passcodes are good when used within 12 hours. For details, see Get Passcodes Via Text Message.

Best Practices

Won’t having to use two-factor throughout the day be time consuming?

No. It usually takes only a few extra seconds to enter a passcode or to approve a notification on your phone. Additionally, Duo has a “Remember Me” function, so you aren’t prompted to use two-factor every time you log in.

Will there be problems using Duo while I am traveling?

No. Within the Duo Mobile app, you can generate a passcode that doesn’t require connectivity. More information is available on the Safe Computing website. We encourage you to plan ahead before your trip and choose something that will work for you.

What if my phone battery dies and I'm away from the landline I registered as a backup?

Contact the ITS Service Center or HITS Service Desk for assistance.

Your Privacy

I don’t have access to anything that would interest anyone. Do I still need to use Duo?

Yes. You likely have access to more than you think, including information that can be of great value to attackers. If your account is compromised, it is a foot in the door that can be used to spread attacks elsewhere at U-M.

For instance, your email account could be used to spread phishing attacks to your contact list. Shared files to which you have access could be infected, so that other users who access those files could have their accounts compromised. Or your account could be used to log into various university systems. We encourage you to not underestimate the valuable assets to which you hold the keys.

Doesn’t using Duo attract attackers, since having it suggests we possess something of value?

No. Higher education institutions are known to a big target for cyber criminals, particularly universities where a significant amount of research is done. Universities house a great deal of sensitive data of value to cyber criminals, and, by their nature, have an open-access, decentralized environment. 

One of the reasons U-M is expanding the use of Duo institution-wide is to significantly decrease the likelihood of a successful cyber attack or data breach.

If I use Duo, will “Big Brother” be watching me?

No. U-M's intent is to provide a safe and secure online environment, so that no one can spy on or steal from the institution or its employees.

Getting Help

What do I do if I get caught without a backup option?

Contact the ITS Service Center or HITS Service Desk. They can provide an emergency bypass code.

What if I just need assistance?

The ITS Service Center or HITS Service Desk are available to provide assistance and support, and answer questions you have about Duo.