Frequently Asked Questions About Two-Factor for Weblogin

Expand All Content

General

What if I am charged for texts, don't have a device, or need assistance with device expenses?

The expenses related to the Duo options are mostly low-cost or no-cost. If you need assistance, contact the ITS Service Center so we can connect you with the best low-cost or no-cost option for you.

What can I do to prepare for Duo two-factor for Weblogin?

If you haven’t done so already, you can become an early adopter by (1) enrolling in Duo and (2) turning on two-factor for Weblogin. Visit the Safe Computing website to get started.

If I’m on sabbatical or a leave of absence, am I exempt from the Duo requirement?

No. If you access online resources protected by U-M Weblogin when you are away from the university, you will need to enroll in and begin using one of the multiple options that Duo offers for two-factor authentication by January 23.

Aren’t there better tools than Duo?

No. U-M’s Information Assurance believes Duo is the better choice for what the university hopes to achieve in protecting the institution’s systems and data, as well as your own personal information stored at the university.

Duo is a high-performing, Ann Arbor-based company, recently acquired by Cisco Systems. Besides the fact that the company was founded by Michigan alums, which is a plus, many of our peer institutions are successfully using the two-factor tool.

Duo provides faculty, staff, and students with the most options for individual choice (that is, mobile app, passcode, landline, or hardware token), while effectively allowing U-M to maintain its core missions.

Isn’t having everyone use Duo costly to U-M?

No. In fact, the reverse is true. Successful attacks on peer universities not using two-factor have been costly in terms of time, reputation, and resources. The cost of using Duo is significantly less than the potential cost of a serious data breach. 

I need to use a hardware token, but understand there is a charge. Are there any provisions if cost is an issue?

Yes. Check with the IT staff in your unit to see if they have hardware tokens you can use. If not, you can get one from Computer Showcase. If you want one as a backup or alternative option, you can purchase it yourself.

Will the “whitelist” that exempts faculty and graduate student instructors from using two-factor authentication be continued?

No. Both the ability of faculty and instructors to access online resources, such as Canvas, and the protection of their U-M accounts and credentials are important. Duo provides multiple options for two-factor authentication, so that individuals can continue accessing online resources easily during instructional activities.

Using Duo

What if I forget my two-factor device?

Contact the ITS Service Center to request a temporary bypass code to log in.

Afterward, we recommend you enroll your office landline (if you have one) as a backup option in case your regular two-factor device is unavailable for whatever reason in the future.

Does using Duo require that everyone own a smartphone? What are my options if I don't use a mobile device?

Duo offers multiple options. You do not need to own a smartphone. Although the majority of people find having the Duo app on their smartphone or other mobile device to be the most convenient option, it may not work for everyone. Duo offers multiple options for different circumstances and needs, including using a basic cell phone, landline, or hardware token.

What happens if I don't enroll by January 23, 2019? Will I still be able to login?

You will not be able to log in until you enroll in a Duo two-factor option or get a temporary bypass code from the ITS Service Center. If you haven’t enrolled as of January 23, 2019, the login screen will prompt you to either enroll in Duo or cancel your login.

Are there exceptions available for those who do not want to use Duo at Weblogin?

No. To better protect university systems and data, it is important that all faculty, staff, and sponsored affiliates use two-factor for Weblogin.

Why is the Duo Remember Me option for 7 days? Can I change that?

The Remember Me for 7 days option is the maximum length of time that U-M allows Duo two-factor to be remembered, provided you are using the same device, same web browser, and your browser does not block cookies. Remember Me is optional and the length of time cannot be changed. However, if you want Duo to remember you for less than 7 days, you can adjust your browser settings to clear your cookies when quitting your browser.

How large is the Duo Mobile app?

The Duo app uses about 32 MB of internal storage on an Android device and 28 MB on an iPhone. For reference, that is the same size as about four digital pictures taken with your device's camera.

Can I use a desktop or laptop application to authenticate with Duo?

No. Duo does not offer a computer app, which means you will need a separate device—such as a phone, tablet, or hardware token.

What Duo options can I choose from?

U-M faculty and staff can choose the Duo option that works best for them, although some schools, colleges, or units may have their own preferences or guidelines.

Available options:

  • App for your mobile device that offers a "push" notification or passcodes (Most Popular)
  • Passcodes via text message
  • Phone call-back
  • Duo hardware tokens (available for purchase at the U-M Computer Showcase)

I understand there is a landline option, but won’t that incur charges?

Yes and no. U-M pays per-authentication charges when a phone call (or text message) is used. And while there is no cost to you when using a university landline, your phone plan’s rates would apply if you’re using a personal landline. We encourage you to check with your carrier to be certain.

Can I use multiple options or do I have to pick just one?

You can use various Duo options as needed. We recommend that you set up a primary option as well as a backup option. Additional options can be added whenever you wish.

Where can I purchase a Duo hardware token?

The Computer Showcase sells the tokens for $25 each. Two walk-in locations are available.

How do I re-sync a hardware token?

You can re-sync a hardware token by generating a new passcode three more times and entering each of the three passcodes on the Duo prompt. On the third entry, you should be logged in successfully.

Your hardware token may be out of sync when the login screen displays “Incorrect passcode. Please try again.”

Can I use a YubiKey?

Not at this time. The option of purchasing, enrolling, and using a YubiKey in a manner similar to a hardware token is currently under review.

I already use Duo for services outside the university. How will that work when using it at U-M?

When you enroll, you will be adding an account. You will see a U-M account in your Duo app.

I am student who has to use Duo because of work or my unit requires it. What if I have an exam that requires me to log in, but I can’t bring my smartphone into class?

It is best to check with your instructor before the exam to determine how they would like to address this matter for your particular class.

One of the easiest options, assuming you have the Duo Mobile app, would be to use the Duo login screen shortly before the exam and send yourself a text message with 10 passcodes. Write them down and take your list of passcodes into class. Again, it is a good idea to check with your instructor first to make sure they are okay with this option.

Text message passcodes are good when used within 12 hours. For details, see Get Passcodes Via Text Message.

Best Practices

Won’t having to use two-factor throughout the day be time consuming?

No. It usually takes only a few extra seconds to enter a passcode or to approve a notification on your phone. Additionally, Duo has a “Remember Me” function, so you aren’t prompted to use two-factor every time you log in.

Will there be problems using Duo while I am traveling?

No. Within the Duo Mobile app, you can generate a passcode that doesn’t require connectivity. More information is available on the Safe Computing website. We encourage you to plan ahead before your trip and choose something that will work for you.

What if my phone battery dies and I'm away from the landline I registered as a backup?

Contact the ITS Service Center or HITS Service Desk for assistance.

Your Privacy

I don’t have access to anything that would interest anyone. Do I still need to use Duo?

Yes. You likely have access to more than you think, including information that can be of great value to attackers. If your account is compromised, it is a foot in the door that can be used to spread attacks elsewhere at U-M.

For instance, your email account could be used to spread phishing attacks to your contact list. Shared files to which you have access could be infected, so that other users who access those files could have their accounts compromised. Or your account could be used to log into various university systems. We encourage you to not underestimate the valuable assets to which you hold the keys.

Doesn’t using Duo attract attackers, since having it suggests we possess something of value?

No. Higher education institutions are known to a big target for cyber criminals, particularly universities where a significant amount of research is done. Universities house a great deal of sensitive data of value to cyber criminals, and, by their nature, have an open-access, decentralized environment. 

One of the reasons U-M is expanding the use of Duo institution-wide is to significantly decrease the likelihood of a successful cyber attack or data breach.

If I use Duo, will “Big Brother” be watching me?

No. U-M's intent is to provide a safe and secure online environment, so that no one can spy on or steal from the institution or its employees.

Getting Help

What do I do if I get caught without a backup option?

Contact the ITS Service Center or HITS Service Desk. They can provide an emergency bypass code.

What if I just need assistance?

The ITS Service Center or HITS Service Desk are available to provide assistance and support, and answer questions you have about Duo.