What authentication options are available?
We currently support the following two methods of authentication:
Mobile app on a smartphone or tablet
See Setting up MFA for more information.
Who can sign up for MFA?
MFA is now mandatory on all staff and student personal University IT accounts.
When you join the university, your IT account is automatically enrolled in MFA, so when you next log into MUSE you'll be prompted to register a device in MFA.
Any non-staff/student member of the University can sign up for MFA. If you wish to start using MFA, you can sign up at any time. See Setting up MFA.
If you have more than one personal computer account you must apply MFA to all IT accounts. You can set up and manage MFA for multiple IT accounts on the same device.
Can I opt out of setting up MFA?
No, it is University policy that all staff and students must have their IT accounts protected with MFA. Once enrolled in MFA you must not remove it. If removed, you will find yourself unable to access your University account and therefore unable to access University services.
Will I have to verify my identity with MFA every time I sign in?
Once enrolled in MFA, you'll be prompted to use it whenever you log into MUSE or any MUSE service. You will be prompted each time you log in.
You have the option to remember your session for 7 days on the same device and/or browser. The 'Remember Me' feature for MFA works for web services, such as your browser. If you use multiple devices and browsers, you'll need to check the option to remember your session for 7 days on each device and browser.
Users of the University's VPN service will find that the 'Remember Me' MFA function doesn't work for VPN. VPN isn't a web service and therefore doesn't have cookies, which are required for this MFA feature. When your VPN connection drops (often due to inactivity), then you will need to authenticate using MFA when you reconnect to VPN.
Do I need a smartphone or data plan to use MFA?
No. Having a smartphone makes for the easiest and most secure experience with Duo Push.
Can Duo see my password?
No. Your password is only verified by the University and never sent to Duo. Duo provides only the second factor, using your enrolled device to verify it’s legitimately you who is logging in.
How does Duo work when I'm travelling?
Duo will continue to work as normal over WiFi or mobile data where available. If WiFi or mobile data isn't available, you can generate a security code within the Duo Mobile app instead.
[Staff] Do I need to apply MFA to a role-based (shared/generic) account, for example email@example.com?
No. At this time, we are not applying MFA to role-based accounts. You should only set up MFA for your personal University IT account, for example, firstname.lastname@example.org.
Which services do I need to use Duo MFA for?
To access the following services you will need to perform MFA:
All services accessed via MUSE
Off-campus access to the High Performance Computing (HPC) system
The University VPN service
Other services may require MFA now and/or in the future.
What is Duo Mobile?
Duo Mobile is a mobile application (app) that you install on your smartphone or tablet to generate passcodes for login or receive push notifications for easy, one-tap authentication on your mobile device. It works with Duo Security’s MFA service to make your logins more secure.
Using the Duo Mobile app is the fastest and most convenient method for most users. It uses almost no data and doesn’t give Duo control over your device aside from a few necessary permissions.
Is the Duo Mobile app safe and secure?
The Information Security team in IT Services have carefully tested the security and privacy of the Duo Mobile app and can confirm it's safe to use on personal devices. This app does not provide the University or any external parties with access to your device's data, including its contacts, photos, text messages or emails.
There are some device permissions Duo Mobile needs:
Why does the Duo Mobile app need access to my camera?
When using MFA for the first time and registering a device, the Duo Mobile app will only access your device's camera to scan a QR code displayed on the screen. For more details, see Duo's Mobile Privacy Information article.
How much data does a Duo Push request use?
Duo Push authentication requests require a minimal amount of data - less than 2KB per authentication. For example, you would only consume 1 megabyte (MB) of data to authenticate 500 times.
Does using Duo give up control of my smartphone?
No. The Duo Mobile app has no access to change settings or remotely wipe your phone. Duo Mobile simply checks the security settings of your device, such as operating system (OS) version, device encryption status, use of screen lock, etc., so that it knows it's a safe place to send notifications. Duo uses these checks to help recommend security improvements to your device. You’re always in control of whether or not you take action on these recommendations.
Can I use other authentication apps such as Microsoft or Google?
The Duo Mobile app is the only app that can be used for MFA. This is set by Duo themselves.
Staff/Posgraduate Researchers: If it's not possible to use this app, you can request a hardware token instead. See Setting up MFA > 'Device options'.
I have two University accounts and want to use the same mobile phone for both. Can I do this?
Yes. Devices can be registered to more than one account, but this will need to be done manually by IT Services.
Contact the IT Service Desk for assistance.
What happens if I haven't got my phone with me?
Please contact the IT Service Desk immediately on 0114 222 1111. The IT Service Desk team will generate a 6 digit code for you to use to log in for 24 hours.
What happens if I get a new phone?
You can manage the device(s) you use for Duo through their self-service portal. See 'Managing Devices and Settings' page for more details.
What should I do if my phone is lost or stolen?
Please contact the IT Service Desk immediately on 0114 222 1111.
Hardware Tokens [Staff/postgraduate researchers only]
How do I get a hardware token?
See Setting up MFA > 'Device options'.
Note: Hardware tokens are only provided to staff and postgraduate researchers at this time, though anyone may enrol their own personal Security Keys.
Is the hardware token linked to a specific user's login?
Yes, attempting to use a token that is registered to another user will not work. Only the token assigned to you will generate a valid code for your own account(s).
I have two University accounts. Can I use the same hardware token for both?
Yes. Devices can be registered to more than one account, but this will need to be done manually by IT Services. Contact the IT Service Desk for assistance.
My hardware token keeps displaying the code 888 888. How do I stop this?
Hardware Tokens display a test code of 888 888 when a user holds the button down for several seconds so that it can show all the parts of the display are working. Pressing this for a shorter time should display the relevant authentication code.
Can I use a YubiKey or another type of hardware token?
The preferred and supported authentication method is by mobile push. However, in order to make the MFA experience as easy as possible we have also enabled the use of personal security tokens within Duo - particularly for students who are not eligible to receive one of our hardware tokens. This guide describes the steps to enrol your device.
Note that we will not be able to offer support for the use of a personal device, so you must ensure you have enrolled a mobile push device too, to avoid getting locked out of your account.
What should I do if my hardware token is lost or stolen?
Please contact the IT Service Desk immediately on 0114 222 1111.