Powered by the KU IT Security Office

Multi-Factor Authentication FAQs

This section provides common questions and answers regarding Duo Security’s mobile application and multi-factor authentication (MFA). More web resources exist as a part of Duo Security rollout, but this page addresses as many as possible of the most common questions encountered by the project team.

If you're comfortable with multi-factor authentication and are ready to enroll now, first, enroll a device. Once you've enrolled a device, follow the steps outlined in this knowledgebase article to begin using multi-factor authentication at KU. 
 



Getting Started

What is multi-factor authentication (MFA)?

Logging in with MFA requires something you know and something you have. Something you know is your KU Online ID and password, something you have is a device. At KU, we will ask you to register a mobile phone and set that phone to receive either push notifications or text message codes from Duo, our multi-factor authentication partner.

How does MFA work, and when will I have to use it?

MFA is a second layer of security that you have to clear after entering your user ID and password into a system. At KU, MFA comes in to play when you access systems protected by Single Sign On, systems like Blackboard, Enroll and Pay and HR/Pay. . You will use MFA when you sign into these and other KU systems.

First, you will enter your user ID and password as usual. A screen will then appear asking you to choose an authentication method using the Duo app on your smartphone. The best option is a push notification to your phone. Your phone will show an alert, you will accept and you’ll be allowed to enter the system.

Who is required to use multi-factor authentication?

All faculty, staff and GA/GTA/GRAs who are part of the Lawrence and/or Edwards campuses will be required to use multi-factor authentication. Undergraduate student employees may be enrolled at the request of their department. The roll out of MFA service will happen in phases, so not everyone will begin using the service at the same time.  At this time, students are not automatically included in the Duo multi-factor authentication program. However, if there is a situation where students should be using multi-factor authentication, please reach out to the IT Security Office at itsec@ku.edu. Additionally, Affiliated Corporations (e.g. Union, Alumni, Athletics staff) will not be included in the Duo multi-factor authentication program. However, the plan is to extend Duo to Affiliated Corporation staff in the future at a to-be-determined date. Retirees are exempt and will not need multi-factor authentication.

Why do we need it?

Passwords are easily compromised. They’re no longer enough to protect personal, sensitive or financial information. KU’s data includes YOUR data—employment information, health information, etc. A large security breach could affect the University’s finances and reputation, as well as the personal, financial and academic information of students, faculty, staff and other stakeholders.

Do other universities use multi-factor authentication?

More and more universities are adopting multi-factor authentication, including most Big 12 schools and KU’s peer institutions.

Isn't multi-factor authentication inconvenient?

Not really. Many people already use multi-factor authentication for online banking and shopping. Some social media sites ask you to confirm your identity when you try to log in from a new device or location, and you may have to enter your ZIP code when you use a credit card to buy gas. Those are all examples of multi-factor authentication at work.

What should I do if I receive a push notification in Duo that I didn’t initiate?

Assume that someone is trying to illegally access your account:

  • First, choose “Deny” in the Duo app to block the request, then
  • Call the KU IT Customer Service Center at 785-864-8080 and report the attempt!
Is the Duo app accessible for people with disabilities?

According to Duo, “its authentication and self-enrollment features are compatible with screen readers such as NVDA and VoiceOver on PCs and Macs. Additionally, Duo Mobile app is accessible to voiceover functionality on Apple and Android devices. Duo has also made all the authentication and self-enrollment features accessible by keyboard for people with limited motor skills.”

If you have questions or concerns about accessibility, or need an accommodation, please contact the IT Customer Service Center at 785-864-8080 or itcsc@ku.edu.


Duo on Your Mobile Phone

Is the Duo app free?

Yes, Duo Mobile is free to download in the Apple Store, Google Play Store and Windows app store.

Why should I have to use my personal phone for this, when KU doesn’t pay for it? 

Mobile phones are the most popular choice for multi-factor authentication because of the convenience. Most people seldom go anywhere without one. If using a mobile phone isn’t an option for you, contact your IT Support Staff to discuss other options.

You probably already use your phone for a work-related purpose, if only to check email or let your boss know that you’ll be out sick. General concerns about the use of a mobile phone for your job, however, should be discussed with your supervisor. KU considers the use of your phone for multi-factor authentication incidental, much like the incidental use of a KU computer for checking personal email or internet browsing.

I have a limited text and data plan. Are there alternatives?

Yes. You can use a Duo display token to generate codes for logging in. However, display tokens can be forgotten, lost and/or become out of sync. For this reason, we recommend using the Duo mobile app. The Duo app will work on a smartphone even if you have no cell service or Wi-Fi coverage. When you’re logging in, choose “Enter a Passcode.” Then, open the Duo app, tap the KU logo and enter the passcode shown.

Why should I use my mobile device if there are token alternatives?

If you have a smartphone, we strongly recommended that you use the Duo app because it will make your life easier. Most of us keep our mobile devices with us at all times, or have them nearby. Duo display tokens can end up in the washing machine, slip out of pockets or get out of sync if pressed incidentally.

How do I receive SMS text codes to log in with MFA if I can't use the Duo app?

You can authenticate using a passcode texted to your phone. To have Duo text you a batch of passcodes, from your computer, click the "Text me new codes" button after clicking "Enter a Passcode" (or type "sms" in the "second password" field). The Duo Prompt's status bar indicates the passcodes were sent to your phone. The number of SMS passcodes sent in one batch is defined by your administrator (10 maximum). Sending multiple passcodes at once lets you use those passcodes to authenticate multiple times when you may not have cellular service. To authenticate using an SMS passcode, click the "Enter a Passcode" button, type in a passcode you received from Duo via text message and click "Log In."

Will multi-factor authentication work on my cell phone if I don't have cellular coverage or Wi-Fi access?

Yes. You won't be able to receive push notifications, but if you touch the KU logo in the Duo app, it will give you a six-digit code to enter for authentication.

How do I install Duo on a new phone or reinstall the app on my current phone if I already use Duo?

If you need Duo multi-factor authentication reissued on a new device or you had to reinstall the Duo app on an existing device, contact the IT Customer Service Center at itcsc@ku.edu or 785-864-8080. You will need to answer the following:

  1. Is the phone number of the new device the same as the previous device?
  2. What is the OS of the new device? CSC Leadership will then reissue the DUO Multi-Factor Authentication.
What happens if I change SIM cards in my phone?

SIM card with same phone number:
If the Duo app is already installed on your phone and the new SIM card uses the same phone number as the previous SIM card, Duo will work as normal.

SIM card with different phone number:
If you have the Duo app on your phone and change to a SIM card with a different phone number:

  1. Push notifications in the app — Changing SIM cards should not have any effect.
  2. Text (or call) notifications – You will need to register the phone number corresponding to the new SIM card, and then select which number to use when logging in.

More information is available in this Duo help guide.


Duo App Security and Privacy

Does the Duo app on my phone give KU or Duo control or access to my phone?

The Duo app does not give the University access to your mobile device and does not provide any control over the mobile device. During the multi-factor authentication process, the only information provided to the University is that the authentication was completed. For more information, see Duo’s privacy policy.

Does the presence of Duo on my phone make my entire phone’s contents subject to legal discoverability?

No. The use of personal phones for work-related matters does not make the phone a University phone. It would, however, make records on that phone of work-related matters subject to the Kansas Open Records Act (KORA), but those records would already be covered under KORA. A Duo Mobile code, however, would not be something KU would produce (or ask an employee to produce), any more than KU would seek to obtain or reveal an employee’s password. The use of personal phones for multi-factor authentication would do nothing to expand the reach of KU’s open records obligations.

What should I do if I receive a push notification in Duo that I didn’t initiate?

Assume that someone is trying to illegally access your account:

  • First, choose “Deny” in the Duo app to block the request, then
  • Call the KU IT Customer Service Center at 785-864-8080 and report the attempt!

Alternative Devices

Are there alternatives to using my mobile phone?

Yes. You can use a Duo display token to generate codes for logging in. However, display tokens can be forgotten, lost and/or become out of sync. For this reason, we recommend using the Duo mobile app. The Duo app will work on a smartphone even if you have no cell service or Wi-Fi coverage. When you’re logging in, choose “Enter a Passcode.” Then, open the Duo app, tap the KU logo and enter the passcode shown.

Why should I use my mobile phone instead of a token?

If you have a smartphone, we strongly recommended that you use the Duo app because it will make your life easier. Most of us keep our mobile devices with us at all times, or have them nearby. Duo display tokens can end up in the washing machine, slip out of pockets or get out of sync if pressed incidentally.

How do I get a token device?

Follow the steps below to get a token device. Full-time employees do not need approval to request a token device. If a student employee requests a token device, KU IT will verify that the department requires student employees to use multi-factor authentication.

  1. Request a token device at kusoftware.ku.edu (log in required)
  2. You will receive an email confirming your request
  3. You will receive a second email when your token device is ready to be picked up
  4. Bring a government-issued photo ID (e.g., KU Card, driver's license, etc.) to the IT Customer Service Center in Anschutz Library (see walk-in support hours).

If you have questions about ordering a token, contact the IT Customer Service Center at 785-864-8080 or itcsc@ku.edu.

Can I use a U2F device? What’s the difference between a U2F device and a Duo display token?

U2F devices (e.g., Yubikey or Feitian MultiPass FIDO Security Key) are compatible with Duo multi-factor authentication at KU, but KU IT does not provide technical support for these devices. So, we only recommend them for people who are capable of setting them up and maintaining them without technical support. Some U2F devices are not compatible with the KU Anywhere VPN, so call the IT Customer Service Center to check prior to purchasing one. U2F devices may connect to your computer via USB, Bluetooth or NFC. When you connect the U2F device and touch a button, a code is generated and automatically entered as your second authentication factor.

Duo display tokens are issued and supported by KU IT.  They display a six-digit code that you type in when you authenticate using Duo. They are compatible with all services currently protected by Duo at KU, including the KU Anywhere VPN.

Can I share my U2F device or Duo display token with a coworker?

No. Your Duo display token or U2F device will be associated with your account only. Just like your password, it cannot be shared with other users. Either device will work for your account on any computer where you log in with your KU Online ID and password.


Using Duo

What kinds of applications require authentication?

Most enterprise applications at KU will require multi-factor authentication, including HR/Pay, Enroll & Pay, myKU, myIdentity, myTalent, CMS website administration, Blackboard, myCommunity (SharePoint), and others.

Will I have to use Duo to access Wi-Fi and my own KU workstation?

Not at this time. However, you will have to use Duo to access the VPN (KU Anywhere). Please read this KB article for more information. In addition to the VPN, you will be prompted to use multi-factor authentication to access Single-Sign-On-enabled services such as Blackboard, HR Pay and Enroll & Pay.

Do I have to use Duo when logging in to a classroom computer?

Yes, you will be required to use Duo every time you log in to a classroom computer. Multi-factor authentication is connected to your role as a faculty or staff member, not to the computers you use.

Please note that the “Remember Me” option will not work because classroom computers are reset when you log off.

Will I have to use Duo every time I login?

When you authenticate with Duo, there will be an option to select Remember Me. If you select Remember Me, then you will not be required to use Duo for the next 30 days as long as you are logging in from the same device using the same browser (see note below). Please be aware that the 30 day timeframe may change in the future depending upon KU’s security needs.

Note: There are two cases where you will have use Duo every time you log in. First, the KU Anywhere VPN will require you to use Duo each time you authenticate. There is no “Remember Me” option for the VPN. Second, you will be required to use Duo every time you log in to a classroom computer, even if you’ve logged in to that machine before.

Does the "Remember me for 30 days" option work if I have chosen to block third-party cookies?

You can use the "Remember me for 30 days" feature, but you will need to create an exception in your browser(s) security settings to allow third-party cookies coming from Duo Security. Duo provides instructions on how to create an exception in common browsers.

Is this just for KU Lawrence campus and KU Edwards campus?

Yes. KUMC will develop their own multi-factor authentication strategy that will integrate with their separate KUMC systems.

I work at KUMC, but I have a KU Lawrence/Edwards campus online ID. Will I have to use multi-factor authentication to access those systems?

If you are a KUMC employee and have a dual-appointment on the KU Lawrence/Edwards campus, or for other reasons access Lawrence/Edwards campus systems, you will be required to use KU Lawrence/Edwards multi-factor authentication when accessing those systems.

Will DUO change the way I log in to the KU Anywhere VPN?

Yes. After you are enrolled in Duo, you will have to use Duo to access the KU Anywhere Virtual Private Network (VPN) service. Read more about how to access the VPN service while using Duo here.

What is the “Call Me” option in Duo?

The Call Me option in Duo is provided for people who need to authenticate with a voice code due to a visual or other accessibility related accommodation. The registered phone number must be a non-KU number. KU numbers (864-XXXX or 812-XXXX) cannot receive calls from Duo.

How do I set up Duo to use with non-KU online services and accounts?
Duo provides information for using the app with other online services and accounts (e.g., banks, credit cards, social media, etc.)

Technical Support

I will be using a temporary phone or other communication device while traveling. What should I do?

You will need to either register your temporary device yourself through the Duo self-enrollment portal (https://myidentity.ku.edu/multifactor/) or call the IT Customer Service Center (CSC) at 785-864-8080 to register the device before you depart. If you wish to have in-person help registering the device, the IT CSC is located on the third floor of Anschutz Library behind Budig Hall.

My phone number is enrolled with Duo, but I deleted the app or it’s not working. What do I do?

If you need to log in immediately, you can select the “Enter a Code” option on the Duo screen during the login process and then click on “Text me new codes.”


KU IT on Twitter  KU IT on Facebook  KU IT on Instagram  KU Information Technology Home

Security Awareness Tip of the Day (SANS)
Technology Help

Call KU IT Customer Support

785-864-8080
Phone support

Email KU IT Customer Support

itcsc@ku.edu
Support via Email

Faculty/Staff Support

Faculty/Staff Support
Technology Support Centers

KU IT Knowledge Base

Knowledge Base
FAQs & More

Virtual Service Desk

Submit Help Ticket
Online Help

Call KU IT Customer Support

913-626-9619
Phone support

Email KU IT Customer Support

kuec_support@ku.edu
Support via Email

KU IT Knowledge Base

Knowledge Base
FAQs & More

Request Edwards IT Support

Request Edwards IT Support
Online Help

Comments or ideas on how we can serve you better? Send us your feedback!

KU Today