Multi-Factor Authentication (MFA)
Multi-Factor Authentication Presentation
About Multi-Factor Authentication (MFA)
Multi-Factor or Two-Factor Authentication (MFA or 2FA) adds a level of security by combining two or more methods of authentication when you log into an account, email and /or application. There are different applications that enable MFA or 2FA and The University of Winnipeg has selected Cisco DUO for UWinnipeg MFA. Initially, UWinnipeg will be implementing MFA on M365/email but more applications will be enabled in the coming months. When you log to your UWinnipeg M365 or email, you will be asked to verify your identity using a second factor (like your mobile device). This prevents others from accessing your email even if your password has been compromised.
In response to recent feedback, the rollout of MFA has been delayed. A meeting will be scheduled with each department to explain the project rollout strategy. After this meeting MFA enrollment dates and a MFA enforcement date will be determined for each department.
Refer to MFA Activation for UWinnipeg Faculty, Staff and Students for specific dates.
Glossary
2FA (two-factor authentication): an additional layer of authentication beyond a username and password. 2FA involves something you know (password) plus something you have with you (like Duo Mobile on your smartphone) to prevent someone from logging in with only your password. With Duo 2FA, you still enter your username and password. The second factor provided by Duo is simply an added layer of security on top of your existing credentials. We recommend using Duo Push via the Duo Mobile app to perform 2FA.
Duo Basic Prompt: this interactive prompt lets you choose how to verify your identity each time you log in (e.g. “Duo Push” or “Call Me”) to a web-based application. The Duo Prompt allows you to enroll and authenticate.
Duo Universal Prompt: Similar to the Duo Basic Prompt. When you select Other option a second screen will allow you to select a different verification method or you can select Manage devices at the bottom of the prompt to setup a new phone or other options that may be available. (Note: All options displayed may not be available.)
Passcode: these are numeric codes that can be generated either via the Duo Mobile app, SMS (text message), or a hardware token, depending on what your IT administrator permits. Passcodes may be used at any time and are particularly handy for authenticating when your 2FA device doesn't have internet or cellular service.
Push Notification (Duo Push): a push authentication request that is sent to the Duo Mobile App on an enrolled device. Push notifications include information like the geographical location of the access device, IP address of the access device, and the application being accessed so you can verify whether the push is real or fraudulent.
Self-service portal: if the self-service portal has been enabled for use in the Duo Prompt, you can click “My Settings & Devices” to add additional devices or update authentication method settings right from the Duo Prompt.
MFA Activation for UWinnipeg Faculty, Staff and Students
MFA for M365 and UWinnipeg email will be required for all faculty, staff and students starting in 2022.
| Activity | Dates | Status |
Progress as of 2-Aug-22 |
| MFA Self-Enrollment for Tech Sector & ACS Techs | January 18 - February 1, 2022 |
Complete |
|
| Enforce MFA for Tech Sector & ACS Techs | February 2, 2022 |
Complete |
|
| Meeting with Departments | February 2 - May 31, 2022 |
Complete |
91 completed
|
| MFA Self-Enrollment for staff / faculty by Department | February 28 - TBD |
Complete |
|
| MFA Activation for staff /faculty by Department | March 7 - TBD |
In Progress |
106*/108 98.15% |
| MFA Self-Enrollment for students | June 27 - Sept 2022 |
In Progress |
|
| MFA Activation for students | July - August 8 2022 |
In Progress |
3452 |
* retirees and consultants remaining
How it works
- Enter your username and password
- Use your phone / other method* to verify your identity
- You are securely logged in
Supported Devices
The following devices are supported with DUO
Setup MFA
DUO’s self-enrollment process makes it easy to register your device and install the mobile app. Refer to the How-to documents below.
Enroll in Duo MFA
Refer to the DUO Enrollment Guide for information and the How-to documents.
If you have any issues please contact the Technology Service Desk (servicedesk@uwinnipeg.ca, 204.786.9149).
Student MFA Info
Refer to the DUO Student's Guide to Two-Factor Authentication
Multi-Factor Authentication Presentation
Videos
The following videos are available to assist you:
Welcome to Duo (for End Users)
Getting Started with Duo - Enrolling in Duo Mobile & using Duo Push
Two-Factor Authentication with Duo Push
Duo's Self-Service Portal: Skip to 2.26 minutes to view the User Experience with the Self-Service Portal
Other Duo Product Videos: The following videos are available:
- Passwordless Authentication
- Authenticate with Duo Mobile (Android)
- Zero-Trust, Explained
- Authenticate with Hardware Tokens
- Introduction to Duo Help Desk Push
- Duo Security Overview for Schools and Students
- Authenticate with SMS
- Authenticate with Apple Watch
- Authenticate with Mobile Passcodes
- Authenticate with U2F Tokens
- Authenticate with Bypass Codes
- Authenticate with Duo Mobile on iPhone
- Duo for Apple Watch
- Duo Push Demonstration
System Requirements
Android: The current version supported for Android can be found here.
iOS: The current version of Duo Mobile supports can be found here.
Apple Watch: The current version supported for Apple Watch can be found here.
Note: For more information, click the above link.
Download DUO Mobile App
New M365 Login Page
Starting January 31, 2022 there will be an additional login page for M365 login page. It will look like the following:
How To Documents
OWA / VPN
How Multi-factor Authentication Works with Outlook Web Access
How Multi-factor Authentication Works with VPN
How Multi-factor Authentication and VPN work together
Smartphone / Tablet
Setup Duo Mobile on a Smartphone
Activate a New Phone or Add a Security Key / Phone Number / Duo Mobile for Smartphone or Tablet
USB Key
Setup Duo Mobile using a USB Security Key (WebAuthn/Fido2)
SMS Text
Setup Duo on a cellphone for SMS (text message) only passcodes
Phone Call
Shared Mailboxes
Faculty / Staff FAQs
Passwords are no longer enough to secure accounts. They are increasingly easy to compromise. Weak, reused or easy to guess passwords put your accounts at risk. Enabling MFA on an account adds a layer of protection, even if your password is compromised a hacker will not be able to gain access to your account and you will be notified that someone is trying to log in.
No. Having a smartphone makes for an easier and more secure experience with Duo Push. However, it is also possible to enroll a non-smartphone mobile device to receive SMS passcodes.
Duo Mobile is a mobile application (app) that you install on your smartphone or tablet to generate passcodes for login or receive push notifications for easy, one-tap authentication on your mobile device. It works with Duo Security’s two-factor authentication (2FA) service to make your logins more secure.
If you have a smartphone or tablet, Duo Push is recommended, as it is quick, easy-to-use, and secure. See an introduction to Duo Security and a demonstration of Duo Push in this short video: https://www.youtube.com/watch?v=_T_sJXnSM98
Duo Push authentication requests require a minimal amount of data -- less than 2KB per authentication. For example, you would only consume 1 megabyte (MB) of data if you were to authenticate 500 times in a given month.
Android: The current version of Duo Mobile supports Android 8 and greater. (More Information)
iOS: The current version of Duo Mobile supports iOS 12.0 and greater. (More Information)
Apple Watch: requires Duo Mobile 3.8 or later. (More Information)
Yes, DUO can be configured on several devices or multiple devices of the same type.
If you get a new cell phone, you will need to re-activate Duo Mobile. You may enroll your new device yourself using the device management portal.
If you no longer have access to your cell phone that was registered, you will need to contact the Technology Service Desk (servicedesk@uwinnipeg.ca or 204.786.9149) for assistance.
Duo authentication methods from most to least secure:
- Touch ID (only for MacBook Pro and MacBook Air with Touch ID) Currently not enabled
- Security keys
- Duo Mobile push approval (Recommended)
- YubiKey passcodes
- Duo Mobile generated passcodes
- Hardware token passcodes
- SMS passcodes
- Phone call approval
To learn more about Duo Authentication methods visit the Duo Users Guide for the universal-prompt.
Faculty and staff who do not have a mobile phone or tablet, or would prefer to use an alternative method, can request a hardware token by submitting a request to the Technology Service Desk (servicedesk@uwinnipeg.ca or 204.786.9149).
Lost or stolen tokens should be reported to the Technology Service Desk (servicedesk@uwinnipeg.ca or 204.786.9149) as soon as they are noticed missing. Please note there may be a fee for replacing the hardware token.
Duo hardware tokens can be reprogrammed for use by a different employee. Please contact the Technology Service Desk (servicedesk@uwinnipeg.ca or 204.786.9149).
Defective tokens can be replaced. Please note there may be a fee for replacing the hardware token. Please contact the Technology Service Desk (servicedesk@uwinnipeg.ca or 204.786.9149).
Tokens can be retired when an employee leaves the University. Please return them to Technology Solutions Centre.
Faculty and staff who don’t have a mobile phone or tablet can request a hardware token from the Technology Service Desk (servicedesk@uwinnipeg.ca or 204.786.9149).
There are several reasons this could be happening. Please try the following to troubleshoot:
- Make sure your enrolled device has a cellular network or WiFi connection.
- Have the Duo Mobile app open when you authenticate.
- Try these additional push troubleshooting steps:
- iPhone: https://help.duo.com/s/article/2051
- Android: https://help.duo.com/s/article/2050
- If the above solutions don’t work, try using another authentication method, such as passcodes provided in the Duo Mobile app.
Duo Mobile App does not support OTP applications like Google Authenticator.
See this Duo Knowledge Base article for information on authenticating without cell or internet service: https://help.duo.com/s/article/4449
If you have access to the “My Settings & Devices” link (the self-service portal) at the Duo Prompt and are currently able to authenticate with a device, you may:
- Add additional devices
- Designate your “default” device that receives authentication requests in addition to your preferred authentication method
- Deactivate Duo Mobile if you got a new phone but kept your number
- Change the name of your device (ex. “Personal Cell” or “Work Phone”)
- Remove a device
Go to Manage devices at the bottom of the "Other options to log in" list.
Learn more about managing your devices here: Duo Universal Prompt - Guide to Two-Factor Authentication · Duo Security
Open Apple App Store
Click on the Person (upper right hand corner)
Click on your Name/email address
Sign In when prompted with your Apple ID Password
Scroll down to the bottom and click on Terms of Service
That initiated the Acceptance message for Apple Terms of Service that needed to be Accepted in order to use the Apple App Store.
To get more detailed help with DUO check out Duo Help Center
No. Your password is only verified by your organization and never sent to Duo. Duo provides only the second factor, using your enrolled device to verify it’s actually you who is logging in.
No. The Duo Mobile app has no access to change settings or remotely wipe your phone. The visibility Duo Mobile requires is to verify the security of your device, such as OS version, device encryption status, screen lock, etc. We use this to help recommend security improvements to your device. You always are in control of whether or not you act on these recommendations.
Assume that someone is trying to illegally access your account.
- Choose "Deny" in the Duo app to block the request then call the Technology Service Desk at 204.786.9149 and report the attempted login!
Please refer to Duo's Privacy Data Sheet
Please refer to the Duo Information: https://help.duo.com/s/article/3814?language=en_US