Frequently Asked Questions About Two-Factor for Weblogin

General

What if I am charged for texts, don't have a device, or need assistance with device expenses?

The expenses related to the Duo options are mostly low-cost or no-cost. If you need assistance, contact the ITS Service Center so we can connect you with the best low-cost or no-cost option for you.

If I am studying abroad or taking a term off, am I exempt from the Duo requirement?

No. If you access online resources protected by U-M Weblogin when you are away from the university, you will need to use one of the multiple options that Duo offers.

Aren’t there better tools than Duo?

No. Duo is a high-performing, Ann Arbor-based company, owned by Cisco Systems. Besides the fact that the company was founded by Michigan alums, which is a plus, many of our peer institutions are successfully using the two-factor tool.

Duo provides faculty, staff, and students with the most options for individual choice (that is, mobile app, passcode, landline, YubiKey, or hardware token), while protecting university data and your personal information.

Isn’t it costly to have everyone use Duo?

No. In fact, the reverse is true. Successful attacks on peer universities not using two-factor have been costly in terms of time, reputation, and resources. The cost of using Duo is significantly less than the potential cost of a serious data breach. 

I need to use a hardware token. Is there a cost to it?

Yes. Hardware tokens do have a cost to the university, but you can get an initial token free of cost from the U-M Tech Shop. Visit the Tech Shop to explore your options. Individuals can purchase additional or replacement hardware tokens themselves (need-based exceptions are considered on a case-by-case basis).

Using Duo

What if I forget my two-factor device?

Contact the ITS Service Center to request a temporary bypass code to log in.

Does using Duo require that everyone own a smartphone? What are my options if I don't use a mobile device?

Duo offers multiple options. You do not need to own a smartphone. Although the majority of people find having the Duo Mobile app on their smartphone or tablet to be the most convenient option, it may not work for everyone. Duo offers multiple options for different circumstances and needs, including using a basic cell phone, landline, hardware token, or YubiKey.

Are there exceptions available for those who do not want to use Duo at Weblogin?

No. To better protect university systems and data, it is important that all students, staff, and faculty use two-factor for Weblogin.

Why is the Duo "Remember me" option for seven days? Can I change that?

Seven days is the maximum length of time that U-M allows Duo two-factor to be remembered through the "Yes, this is my device/Remember me" option, provided you are using the same device, same web browser, and your browser does not block cookies. Remember me is optional, and the length of time cannot be changed. If you clicked "Yes, this is my device" and want to undo it before the seven days are up, delete your browser cookies.

How large is the Duo Mobile app?

The Duo app uses about 32 MB of internal storage on an Android device and 28 MB on an iPhone. For reference, that is the same size as about four digital pictures taken with your device's camera.

Can I use a desktop or laptop application to authenticate with Duo?

No. Duo does not offer a computer app, which means you will need a separate device—such as a phone, tablet, hardware token, or YubiKey.

What Duo options can I choose from?

U-M students, staff, and faculty can choose to use as many Duo options as work best for them, although some schools, colleges, or units may have their own preferences or guidelines.

Available options:

  • App for your mobile device that offers a "push" notification or passcodes (recommended)
  • Passcodes via text message
  • Phone call-back
  • Duo hardware token (available at the U-M Tech Shop)
  • YubiKey (available at the U-M Tech Shop)

For details, see Options for Two-Factor Authentication.

I understand there is a landline option, but won’t that incur charges?

Yes and no. U-M pays per-authentication charges when a phone call (or text message) is used. And while there is no cost to you when using a university landline, your phone plan’s rates would apply if you’re using a personal landline.

Where can I get a Duo hardware token or YubiKey?

Duo hardware tokens and YubiKeys are available from the Tech Shop. The university will cover the cost of an initial hardware token or YubiKey for individuals. Individuals can purchase additional or replacement hardware tokens or YubiKeys themselves (need-based exceptions are considered on a case-by-case basis).

I use a hardware token, and my login screen says "Incorrect passcode." How do I fix that? (Re-sync hardware token.)

Your hardware token may be out of sync when the login screen displays “Incorrect passcode. Please try again.”

You can re-sync a hardware token by generating a new passcode three more times and entering each of the three passcodes on the Duo prompt. On the third entry, you should be logged in successfully.

I already use Duo for services outside the university. How will that work when using it at U-M?

When you enroll, you will be adding an account. You will see a U-M account in your Duo app.

What if I have an exam that requires me to log in, but I can’t bring my smartphone into class?

It is best to check with your instructor before the exam to determine how they would like to address this matter for your particular class.

One of the easiest options, assuming you have the Duo Mobile app, would be to use the Duo login screen shortly before the exam and send yourself a text message with a passcode. Write it down and take it into class. Again, it is a good idea to check with your instructor first to make sure they are okay with this option.

Text message passcodes are good when used within 30 days.

What do I do if I get a new phone?

  • If you get a new phone with the same number, you need to install the Duo Mobile app on your new phone and reactivate the app. Follow the steps in Manage Your Duo Devices. Note: Before you sell or give away your old device, back it up and then erase all content and settings.
  • If you get a new phone with a new number, you can add it as an additional device. Follow the steps in Manage Your Duo Devices.

Best Practices

Won’t having to use two-factor throughout the day be time consuming?

No. It usually takes only a few extra seconds to enter a passcode or to approve a notification on your phone. Additionally, Duo has a “Remember Me” function, so you aren’t prompted to use two-factor every time you log in.

Will there be problems using Duo while I am traveling?

No. Within the Duo Mobile app, you can generate a passcode that doesn’t require connectivity. More information is available on the Safe Computing website. We encourage you to plan ahead before your trip and choose something that will work for you.

Your Privacy

I don’t have access to anything that would interest anyone. Do I still need to use Duo?

Yes. You likely have access to more than you think, including information that can be of great value to attackers. If your account is compromised, it is a foot in the door that can be used to spread attacks elsewhere at U-M.

For instance, your email account could be used to spread phishing attacks to your contact list. Shared files to which you have access could be infected, so that other users who access those files could have their accounts compromised. Or your account could be used to log into various university systems. We encourage you to not underestimate the valuable assets to which you hold the keys.

Doesn’t using Duo attract attackers, since having it suggests we possess something of value?

No. Higher education institutions are known to be a big target for cyber criminals, particularly universities where a significant amount of research is done. Universities house a great deal of sensitive data of value to cyber criminals and, by their nature, have an open-access, decentralized environment. 

If I use Duo, will “Big Brother” be watching me?

No. U-M's intent is to provide a safe and secure online environment, so that no one can spy on or steal from the institution or its employees.

Getting Help

What do I do if I get caught without a backup option?

Contact the ITS Service Center or HITS Service Desk. They can provide an emergency bypass code.

What if I just need assistance?

The ITS Service Center or HITS Service Desk is available to provide assistance and support, and to answer questions you have about Duo.