This document provides instructions for using two-factor authentication (2FA) when logging on to systems that require Duo two-factor. It covers the standard Web options for authentication — Duo Push, Call Me, and Passcodes (via phone call, text message, or hardware token), as well as the prompts for Secure Shell (SSH) clients and Remote Desktop Protocol (RDP). Individuals who need to complete 2FA to log in to UMHS-specific services, including MiChart for Electronic Prescription of Controlled Substances (EPCS), will follow different documentation.
Before you Begin
- Before you can use two-factor authentication when logging in, you must select one of the Options for Two-Factor Authentication and enroll in it.
- The steps you will follow when logging in with two-factor authentication depend on whether you use a mobile device, phone number, or hardware token.
- If you chose to have Duo automatically send you a push or call you, you will not have to complete the first step in the following examples.
- This document covers the standard Duo Web interface and the prompts for Secure Shell (SSH) clients and Remote Desktop Protocol (RDP). The login interface for some systems may be different. In this case, ask the administrator of the system for specific instructions.
- If you are logging in to a two-factor-protected system on the web via the Weblogin page, you will first enter your uniqname and UMICH (Level-1) password and click Log In. Then you will see the Duo two-factor authentication screen. Other two-factor protected systems may present the two-factor authentication screen differently.
Standard Web Options
You will follow slightly different steps depending on the Duo option you have enrolled in.
Duo Mobile Push
- Click Send me a Push.
- Duo immediately sends a notification to your mobile device. Depending on how you have set notifications up on your device, you may need to open the notification.
- On your device, tap Approve to approve the login.
Important If you receive a push notification that you did not initiate, click Deny, then tap the option to report fraud.
Call Me
- Click Call Me.
- Duo will immediately phone the number you enrolled. Answer the call on your phone, and press 1 to approve the login.
Important If you receive a Duo authentication phone call that you did not initiate, press 9 to report fraud.
Enter a Passcode
- Click Enter a Passcode.
- The next steps depend on the option you selected when you enrolled:
- Duo Mobile app passcode
- Text message passcode
- Duo hardware token passcode
Duo Mobile App Passcode
- Open the Duo Mobile app on your device.
- In the app, tap the key icon.
- A six-digit passcode displays in the app.
- On your computer, enter the passcode in the passcode field, and click Log In.
Text Message Passcode
- Click Text me new codes at the bottom of the window.
- Duo will immediately send a text message with passcodes to the device you enrolled. Enter the first six-digit passcode in the authentication window on your computer, and click Log In.
Note Ten passcodes are sent because each can be used only once. Passcodes expire after 12 hours.
Example of Text Message With Passcodes
Duo Hardware Token Passcode
Note It does not matter which device is selected on the Duo authentication screen. You can enter a passcode from your hardware token at any time.
- Click the Enter a Passcode or Enter a Bypass Code button.
- Tap the green button on your Duo hardware token to display a six-digit passcode.
- Enter the passcode in the passcode field on your computer, and click Log In.
Secure Shell (SSH) Clients
Note When logging in with an SSH client (e.g., PuTTY), the prompt field for Duo two-factor authentication is completed as follows. Depending on the SSH client (e.g., Secure Shell), these instructions may not be displayed above the prompt field.
If you have a primary and backup device enrolled in Duo, enter a passcode or enter one of the following numbers:
- Duo Push to primary device
- Phone call to primary device
- Phone call to backup device
- SMS passcode to primary device
If you have only one device enrolled in Duo, enter a passcode or enter one of the following numbers:
- Duo Push to primary device
- Phone call to primary device
- SMS passcode to primary device
Remote Desktop Protocol (RDP)
- If Duo automatically sends you a Duo Mobile Push notification or a phone call, approve the Duo Push or phone call.
- To switch to a different authentication method (e.g., backup phone), click Cancel.
- Enter a Duo passcode or the name of an authentication option you want to use:
- push for a Duo Push to primary device
- phone for call to primary device
- sms to text passcodes to primary device
- push2 for a Duo Push to backup device
- phone2 for call to backup device
- sms2 to text passcodes to backup device
- Click OK.
- Approve the authentication prompt.