What do you mean by 2FA “on the web”?
This refers to UW resources that rely on a web browser for single sign-on using UW NetID and password.
Now you will be protecting data in more systems using 2FA. These include MyUW, Canvas, Panopto, UW Google, UW Exchange Online and other web-based services that require UW NetID authentication. Some desktop and mobile apps, including Outlook, Zoom and Husky OnNet virtual private network (VPN), also rely on UW NetID sign-in via the web.
I’ve been using 2FA in my academic department already. Is this something new and different?
This expanded use of 2FA would be in addition to your departmental use. It is also additional to 2FA for Workday, GradePage, Hyak, eFECS, and other systems faculty use. Stronger protection through this use of 2FA is for even more UW systems — websites and apps that use a web browser for single sign-on with UW NetID.
What happened June 15?
UW resources that rely on a web browser for single sign-on using UW NetID and password started to require 2FA. After entering your UW NetID and password for a UW system or app that relies on a web browser for single sign-on, you will be prompted to verify your identity by using your 2FA/Duo device. Please always have your 2FA device (typically a smartphone) with you.
I would like to reduce the number of times I am prompted for 2FA. How can I do this?
- Easily reduce the number of times you are prompted to sign in with your 2FA device by clicking the “remember me” option on personal devices or on other non-shared computers that you regularly use and trust. “Remember me” tells your browser to remember that you have confirmed your identity using your 2FA device. If you select this option, you won’t have to use your 2FA device as often with that browser.
- Microsoft similarly offers “Stay signed in” for UW Azure AD; read more about this option to reduce 2FA/Duo prompts.
I don’t always have my smartphone with me when I teach. What should I do?
Use of a smartphone with the Duo Mobile app is the most secure method of using 2FA. It is also the most common method for default use. It is preferred by users for its convenience. It is highly recommended.
Given that you may not have your smartphone with you for various reasons, be sure you’ve set up an alternative back-up method. See “What are the recommended 2FA alternative methods?”.
I work in a lab, and a smartphone doesn’t work for me. What can I use?
You can use a hardware token, which has a button that is easy to activate, even when wearing gloves. The token will give you a code to enter as your 2FA authentication. See “What are the recommended 2FA alternative methods?”.
What if I have accessibility concerns with 2FA?
Duo has documented the steps they have taken for accessibility at https://duo.com/docs/accessibility.
The Duo prompt iframe has been designed by Duo to be more accessible including supporting most screen readers. A default authentication method can also be set to avoid having to select an authentication method.
For authentication methods the Duo Mobile application which can be used as a form of authentication is reported by Duo to work with smartphone accessibility technologies. The App can be used for “pushes” which is a prompt on the smartphone, or for generating a passcode.
Additionally with a phone based authentication method, the “call me” option can be easier to use, as this method requires answering a phone call.
Finally there do exist physical tokens that are not dependent on reading a passcode off of them. UW offers Hardware tokens, and supports personal hardware tokens that may be a better fit for accessibility like Yubikeys.
What are the recommended 2FA alternative methods?
It’s important to understand and set up alternative methods of authentication that are available when you’re not connected:
- What if I have no service?:
- When you can, use the internet! Your Duo Mobile app can be used to approve authentications via the “Duo Push” method, even when you don’t have service. This is helpful when the building you are in blocks service or you are traveling but find wi-fi.
- What if I have no internet?
- Use passcodes on your Duo-enabled device! Your Duo Mobile app can be used to generate passcodes while not connected. Go to “Sign in with 2FA” near the bottom of the main 2FA page for more information. See the above question for more details
- Hardware tokens are small security devices that support 2FA. They are another great resource when you are expecting to encounter trouble with other authentication methods. Refer to Hardware tokens.
- Security key:
- You can set up a security key (also known as Universal 2nd Factor, or U2F) device for Duo 2FA at UW. Refer to Set up a security key.
- Another phone:
- You can use a different phone as your alternative. Refer to Set up a mobile phone or landline.
Do NOT approve Duo Mobile push notifications or Duo phone calls that you didn’t initiate yourself. They may be fraudulent, unauthorized attempts to sign in as you. Only approve 2FA requests you initiate yourself, knowingly and intentionally. To learn more refer to reporting fraudulent 2FA requests.
While most devices and sign-in options may be used outside the United States, it is important to enroll the device(s) ahead of your travel time.
- If you’ll have reliable internet access on your device while abroad, Duo Mobile and its “Send Me a Push” option for signing in will work normally.
- If you won’t have internet access on your device, Duo Mobile can operate while offline using the “Enter a Passcode” options; follow the steps above to generate a passcode when you need to sign in. A hardware token will also work offline but, since it is a physical device, it is best to obtain the hard token before you begin travel. Refer to hardware tokens to learn more.
- Please note the “Call Me” option only works with phone numbers in the US (and parts of Canada). If you want to use this option, you must enroll in Duo using a US phone number and be able to receive calls to this number while abroad.
- Lastly, the following regions are affected by Duo OFAC restrictions and will block authentication attempts. If you are traveling to one of these regions, please contact UW-IT at firstname.lastname@example.org.
Impacted countries or regions:
- Cuba (CU)
- North Korea (KP)
- Iran (IR)
- Sudan (SD)
- Syria (SY)
- Crimea region (43)
- Donetsk region (14)
- Luhansk region (09)
- Sevastopol region (40)
What if I am locked out of a system or website?
If your primary 2FA and back-up method(s) fail, you can contact the UW-IT Service Center for a temporary bypass code. A support person will verify your identity and provide a temporary bypass code that authorizes your UW NetID and password access, acting as the critical second step for authentication.
Phone: (206) 221-5000 | Email: email@example.com
If I get a new phone, what do I do?
If you get a new phone (or tablet) you will need to configure the Duo Mobile application on your new device, as it will not work automatically even if your old device had Duo installed.
- If you are keeping your same phone number, then you can use the “call me” method of authentication. Go to Identity Provider, 2FA tab, and add a new device via “Manage 2FA devices.” Once authenticated, you can select “Add a new device” or “Reactivate Duo Mobile.” Get details at Set up a smartphone or tablet.
- If you are not keeping your old phone number, you will either need to use your old phone for authentication or call the UW-IT Service Center at 206-221-5000, option 1, to get a temporary passcode. Once authenticated, you can enroll your device as above. Get details at Set up a smartphone or tablet.
What do I do if my 2FA device (phone/token) is lost or stolen?
Visit the Lost or stolen 2FA device page on IT Connect for detailed information. Note that if you set up more than one 2FA device, you can use your available 2FA device to remove your lost or stolen device from https://identity.uw.edu/2fa.