University of Vermont

Information Technology

Multi-Factor Authentication FAQ

Multi-Factor Authentication

Frequently Asked Questions (FAQ)

About Duo and multi-factor Authentication (MFA)

What does this do?

Multi-factor authentication provides an extra layer of security when accessing sensitive data. It is designed to thwart stolen login credentials from being used to gain access since the thief would not have your second factor.

Am I required to use multi-factor authentication (MFA), and if so, why?

Once your NetID has been enrolled in Duo by ETS, you will be required to use multi-factor authentication for access to any resource so specified. The PeopleSoft system will be first to require multi-factor.

We are implementing MFA to protect you, your information, and the University's information.

Do I have to use Duo every time I log in to PeopleSoft?

Yes, but only once per day if you don't close the web browser you're using. This applies to each browser or private/incognito window you open for PeopleSoft.

I know how to avoid phishing email messages, why do I need to use this?

Unfortunately, experience has shown that people are not as good at recognizing malicious email as you might think. Every day, members of the UVM community fall prey to these kinds of scams. We have to take steps to ensure that we are each more than just a single click away from having our paycheck stolen or becoming a victim of identity theft.

There are other ways for hackers to get your credentials besides phishing, and multi-factor authentication is the best protection available against hackers.

Whom should I contact if I have questions or concerns about the requirement to use Duo?

We encourage you to contact us with feedback, or with questions or concerns about the project in general. The Information Security Office and Associate CIO Julia Russell would appreciate your feedback on this requirement. For assistance with setup or use of multi-factor authentication, please contact the Tech Team.

How will using Duo change how I log in to PeopleSoft and other web services?

First, you will be asked to provide your NetID and NetID password on the single sign-on page (Webauth). Next, you will be asked to pick a method of providing or being contacted for your second factor. This second factor can be a smartphone app (Push), a pre-generated list of off-line codes, a text message to a device, or via automated calls to a mobile or landline phone.

If you login to PeopleSoft using one of the links on the myUVM Portal, you will be presented with the Duo Multi-Factor screen once per day (if you don't close the web browser you're using).

Can more than one person register a phone we share?

For the time being this is not available. Should we find a usage case that requires it without a reasonable alternative, it will be reevaluated.

Will it cost me anything to use multi-factor authentication?

It depends on which method you use, but it is highly likely that the cost will be effectively none. See our MFA page for a detailed description of methods.

  • The Duo mobile App itself is free.
  • Generating a code with the App is free.
  • The "push" method to the App, if you are connected by Wi-Fi, is free.
  • The "push" method, using very little data, is effectively free via cellular data depending on your data plan.
  • Generating a list of one-time codes from the Multi-Factor setup page is free.
  • Sending an SMS text message to your mobile phone may incur charges depending on your texting plan.
  • Using the "call" method and your mobile phone may incur minutes charges depending on your phone plan.
  • The YubiKey comes with a one-time charge of $40 to your department, not you.

Why couldn't we have used security questions?

UVM is requiring multi-factor authentication to solve the problem of stolen, reusable credentials like passwords. Security questions are no different from passwords in that an attacker who captures your answers to those questions via phishing, other social engineering, or malware, can use them to impersonate you.

The framework UVM has adopted protects against this in one of two ways:

  • by requiring that you have a physical device (Duo Mobile app, SMS, phone, and Yubi Key methods), or
  • by requiring a credential which is only good for a single use (the "offline codes" method).

What if I don’t have a cell phone?

If you don’t have a cell phone, Duo allows you to use your landline (office, home) phone. You would receive an automated phone call that requires you to hit any button to confirm your identity. You may also generate a list of off-line codes to keep with you as an alternative to the app, text, and voice options.

Do I need a smartphone to use Duo?

No. Duo provides a great deal of flexibility and you do not need a smartphone to use it.

The recommended smartphone/mobile device option makes multi-factor authentication extremely convenient, but other easy options exist as well. Duo can send a text message to a cell phone or place a voice call to your office landline phone or cell phone. Alternatively, you may generate a list of off-line codes to keep with you.

Can I set up Duo on more than one phone?

Yes. You are encouraged (but not required) to set up Duo on more than one phone in case you forget your mobile phone at home or are not at your office phone. You may add as many phones as you like, landline and/or mobile, on the Multi-Factor setup page. After that, when you are logging in you can choose which line Duo will send the authentication request to (via smartphone app, SMS text message, or voice phone call depending on what you chose).

What is the 'Activate/Manage Duo Security' button? Can I use that to add more devices?

Yes, when logged onto the Multi-Factor setup page, you can use the Activate/Manage Duo Security feature to add, remove, or change the devices that Duo can use to verify who you are.

Can I use the Duo app internationally?

Yes. The Duo smartphone app is designed to work internationally. If you install the app, it can generate the required code without need of either a mobile voice or data plan, and it can do this anywhere in the world.

If you have a voice or data plan, the app makes multi-factor authentication as easy as a pushing a single button, but if you don't have one of those things, you can use the app to generate (by pressing the key symbol) a six digit code and enter that manually.

Troubleshooting Questions

I have a new phone and the Duo app stopped working. What should I do?

If you get a new phone, even if the Duo app is restored from a cloud backup, it will lose its association with your account. Each device has a unique ID separate from your phone number.

If the phone number of your new phone is the same, you can still authenticate using the phone call or SMS option, but the push option will not work until the Duo app is re-activated.

Using the Activate/Manage Duo Security feature, remove your mobile number, then add it again to register the app. If you have difficulties with this process, you can submit a ticket with the Tech Team or call for immediate assistance from Identity and Account Management (IAM) at (802) 656-2006.

What happens if I set up my browser to clear cache/cookies after exiting?

You will have to confirm your identity via Duo again when logging in.

What if I forget my phone at home?

You may use any web browser to access the Duo management page to generate off-line codes. We encourage you to add multiple phones when enrolling for multi-factor authentication, for example, your office phone (but not if it's a shared phone). If you have not setup another phone, you can do so at any time using the Duo management page.

What if I lose my phone?

You may remove your own device using the Duo management page from any web browser, or Contact Identity and Account Management (IAM) at (802) 656-2006 immediately and we will lock your Duo account to prevent malicious activity.

What if I don’t have a data plan on my phone? What if I don’t have a connection?

The Duo smartphone app provides options that work without a data plan, a texting plan, or even a connection, if necessary. The app can generate the required code without need of a Wi-Fi connection, a cell signal, or data plan, and it can do so anywhere in the world. For the Push option, the Duo app will use Wi-Fi if your device can join a Wi-Fi network, such as at UVM or home. If you have a cell signal and data plan or Wi-Fi connection, the app makes multi-factor authentication as easy as a tapping a single button. If you don’t, you can use the app to generate a six digit code and enter that instead on the Multi-Factor login page.

Last modified April 25 2017 03:38 PM

Contact UVM © 2019 The University of Vermont - Burlington, VT 05405 - (802) 656-3131