Duo: Multifactor Authentication Methods


Duo offers multiple authentication methods to satisfy the MFA requirement. You may be able to use the Duo two-factor authentication option already installed on your phone to log in to two-factor protected systems while traveling. Depending on your travel plans, however, you may prefer to use a better-suited, alternative option.

To add or remove devices/authentication methods from your account, please see our article on managing Duo devices.

You should always have at least two methods registered in case one option does not work for the login scenario you are attempting. This helps prevent you from getting locked out of your account.

Two-Factor Authentication Methods

Recommended Duo Push

Duo Push is recommended as the primary authentication method for MFA. This option sends a notification to your phone via the Duo Mobile app and asks you if you are attempting to sign in.

Duo Verified Push

Verified Push functions similarly to Duo Push, with the additional step of entering a 3-digit code into your Duo app. The code is presented on the device you are attempting to log into.

Verified Push is not an authentication method on its own, but an additional feature of the existing Duo Push for added security. In some scenarios, it may not be possible to bypass a Verified Push due to the detection of a risky login. Please see Duo: Risk-Based Sign-In and Verified Push for more information on risk-based sign-ins.

Duo Mobile Passcode

When cellular service is disabled or you have no WiFi connection, you can use the Duo Mobile app to generate a Time-based One-Time passcode for authentication. Simply choose the Enter a Passcode option when you get the Duo authentication prompt. To generate the passcode, open the Duo Mobile app on your phone and tap "show" to display the passcode.


Not Recommended To be Deprecated SMS Text Message

Like a Duo Mobile Passcode, with SMS text messages, Duo will send a single-use passcode in a text message. This passcode remains active for 60 seconds. SMS codes are insecure because they are prone to phishing attacks where attackers will social engineer users into providing the code from the text message. SMS is also insecure because messages can be intercepted by malicious actors.


Not Recommended To be Deprecated Phone Call

Phone call passcodes act similarly to SMS text messages, where a user receives a one-time passcode for login. Instead of a texted code, however, Duo will call the user and read a code to them over a phone call. Phone calls are also insecure because they can be intercepted by malicious actors.


Hardware Token

A hardware token works similarly to a Duo Mobile passcode by generating a 6-digit one-time password (OTP) every 30 seconds. When logging in, you will be prompted to enter this 6-digit code to complete multi-factor authentication (MFA). Unlike software-based tokens, a hardware token is a physical device that does not rely on a mobile phone or internet connection to generate the code.
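How a Duo Mobile passcode or hardware token can produce a 6-digit code every 30 seconds with no network connection, shown as an added example (not Duo's or the token vendor's code). It assumes the standard RFC 6238 TOTP algorithm with HMAC-SHA1 and uses the RFC's published test key; the `verify` function, its drift window and its replay check are illustrative additions that go slightly beyond the text.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # page: a new code every 30 seconds
DIGITS = 6         # page: 6-digit one-time password

# Constructed sample secret: the ASCII test key published in RFC 6238.
RFC_TEST_KEY = b"12345678901234567890"


def totp(secret: bytes, unix_time: int) -> str:
    """Derive the code from the shared secret and the clock only (no network)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, submitted: str, unix_time: int,
           window: int = 1, last_used_counter=None):
    """Server-side check (assumed policy, not Duo's documented behaviour).

    Accepts codes from +/- `window` time steps to tolerate clock drift and
    rejects a code whose time step was already used (replay).
    Returns the matched time-step counter, or None if the code is rejected.
    """
    current = unix_time // STEP_SECONDS
    for counter in range(max(0, current - window), current + window + 1):
        expected = totp(secret, counter * STEP_SECONDS)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            if last_used_counter is not None and counter <= last_used_counter:
                return None  # same or older time step: treat as replay
            return counter
    return None


if __name__ == "__main__":
    code = totp(RFC_TEST_KEY, 59)
    print("code at t=59:", code)
    print("accepted 6 s later:", verify(RFC_TEST_KEY, code, 65))
    print("accepted 66 s later:", verify(RFC_TEST_KEY, code, 125))
```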


Highly Secure Roaming Authenticators (Security Keys)

Roaming Authenticators refer to security keys that can be moved between systems to verify user identity. Examples include USB, Bluetooth, and NFC security keys that require a biometric (such as fingerprint or face recognition) or a PIN.

A security key is a physical device used for two-factor authentication (2FA). Instead of generating a code like a hardware token, a security key works by being physically inserted into or tapped on a compatible device. This action confirms your identity and grants you access to systems or applications.

Security keys are highly secure because they require physical possession of the key, making them resistant to phishing and other forms of online fraud. They are also convenient as they do not require an internet connection for use.


Highly Secure Platform Authenticators

Platform Authenticators offer another method of two-factor authentication. These solutions leverage your device’s built-in security features to serve as the security key for authentication. You register your device with Duo, and then use the device's authentication (e.g., a fingerprint or facial recognition or PIN) to complete MFA. Platform authenticators are like security keys, but built into a device/platform (e.g. iPhone or Windows PC). These methods require a biometric, PIN, or passcode and include Face ID, Touch ID, Windows Hello, and Android biometrics.

Biometric-based platform authenticators are highly secure because they utilize advanced security features built into modern operating systems. 

PIN-based platform authenticators (e.g. Windows Hello using a PIN) are also secure, but they rely on a combination of user knowledge and device-specific data, which can be susceptible to certain types of attacks, such as shoulder surfing or brute force attempts. However, when combined with other security measures like device encryption and multi-factor authentication, PIN-based authenticators still provide a robust level of security.

Questions or concerns? Please contact the UTS Service Desk or call (USA area code +1) 610-519-7777.