Two-factor authentication (2FA) is a security measure designed to ensure that you, and only you, are using your CNetID (username) and password to access frequently-used online services, systems, and resources at the University. 2FA simply means that in addition to your password, you use a second form of authentication to prove that you are who you claim to be when accessing an online service that is protected by 2FA.
When you use 2FA, you will provide two forms of proof to gain access:
The University uses the commercial tool Duo to manage the 2FA process. Read the 2FA Overview for more information.
Tip: If it is offered, enable two-factor (sometimes also called multi-factor) authentication on your non-UChicago services such as online banking, external email accounts, or social media accounts. This adds an additional layer of protection to your personal data while using various online services.
2FA is an important part of ongoing efforts to secure the online identity and personal information of all faculty, students, and staff, as well as protect the University's research, intellectual property, and institutional data.
No. You will only be prompted to use 2FA when logging into a 2FA-protected service or system. 2FA is being integrated into more services, however, so you should expect to use it regularly, along with single sign-on (SSO).
Okta, the tool the University uses for single sign-on, is integrated with 2FA. Sites that are Okta-protected also require 2FA authentication.
Okta is internationally used software that provides the ability to authenticate once to an Okta-protected site and convey authorization to other Okta-protected sites without requiring you to use your password again. This allows you to log on to one University website with your CNetID and password or passphrase, and then not need to use your password to sign on to other University websites for up to eight hours. Authorization for your access is passed to those websites by Okta without resending your password.
Note: You must quit your browser entirely to log out of your active SSO session. If you fail to quit your browser, anyone using that browser within the eight-hour session will have full access to the websites to which you have access. Many Okta-protected sites contain personal and private information that must not be accessed by anyone who is not authorized. Please ensure that you quit your browser completely if there is any possibility that anyone besides you might be able to access your active session on your browser.
Refer to What is Single Sign-On (SSO)? for detailed information on this technology.
Duo Mobile is a mobile app used by the University to provide 2FA approvals via your smartphone or tablet. When you use Duo Mobile, you may approve or deny login requests through the app via a push notification, passcode, or phone call. Duo Mobile is available for iOS devices on the App Store and for Android devices on Google Play. Go to the Duo Mobile website for more details.
You may also print 10 one-use passcodes from the 2FA website that can be used as a backup for situations where you don't have access to your phone or 2FA-enabled device.
After you have initially logged in using your CNetID and password, you may have Duo remember your device for 30 days. Simply check the Remember this device for 30 days option near the bottom of the 2FA screen. When you choose this option, you can use single sign-on to access all Shibboleth-enabled UChicago websites from that browser on that device for 30 days without going through the 2FA process. Please note that some web browsers do not support 30-day authentication. You have the option either to sign in using 2FA daily or change your browser.
Visit the Two-Factor Authentication website, select the Go to Two-Factor box and then select Register a Device in the left column. There you can register your new cell phone, tablet, landline, or token.
Depending on your situation, you can activate 2FA on your new device using one of the following methods:
I am replacing my cell phone, but not changing operating systems or phone numbers.
I am getting a new device with either a different operating system or a different phone number than my old device.
Contact IT Services immediately if you lose your phone or suspect that it has been stolen. The support person will disable 2FA and help you log on using another phone or hardware token. While it's important that you contact IT Services if you lose your phone, remember that your password will still protect your account. For more detailed instructions or for information on replacing your device, see the article 2FA: Replacement Procedure for Lost, Broken, or Upgraded Devices.
Yes. IT Services recommends that you register at least two devices to ensure uninterrupted service if you do not have access to one of your registered devices when logging in to a protected website or service. You may register a mobile phone, landline, tablet, and token. You may also print or have 10 one-use passwords text messaged to you to keep as a backup.
To re-enable push notifications on your iPhone if they have been disabled, go into Settings on your iPhone and select Notifications. From there, you can re-enable push notifications for the application. For more detailed instructions, see the article Enable 2FA Push Notifications for iPhone.
You may choose to have a set of 10 passcodes sent to your registered smartphone from the Manage Devices screen on the Two-Factor Authentication website. Simply find your smartphone in the list of your registered phones, then select Text Passcodes. A list of 10 one-time-use passcodes will be sent to your phone via text. To use a one-time passcode, select Passcode at the Duo authentication prompt screen, then select Login to continue. It is important that you keep track of which codes you use because each passcode will be invalidated after a single use. You can print out the list of passcodes to keep in a secure location for your use any time you don't have access to your regular devices. For more detailed instructions, see Use the Duo Security App to Generate 2FA Passcodes.
Yes. After selecting the Duo app on your smartphone, tap the Duo key icon in the upper right corner of the screen to generate a passcode. Generating passcodes does not send any kind of message, use data, or incur any data or text messaging costs. You can generate passcodes even when you are not connected to a network. More information is provided in the article Use the Duo Security App to Generate 2FA Passcodes.
Yes. You can select the key icon on the upper right side of the screen in Duo on iOS and Android devices, or the Generate Passcode button on Microsoft OS devices to generate a numeric passcode that you can use even if your phone does not have any network connection. As an alternative, you can use the 2FA text passcodes feature or select the Print One-Time Passcodes button to print ten passcodes that you can carry with you in case you don't have your device handy.
While you must either use 2FA or change your password regularly, your security will be enhanced by doing both. Additionally, if you suspect your account or password has been compromised, immediately report it to IT Services. You can change your password by logging on to MyAccount.
Yes. You can set up a Recovery address or Recovery phone number at the MyAccount website. By setting up your Recovery address or phone number, you will be able to change your password if you have forgotten it or lost access to your account by using a code that will be sent to your registered Recovery address or phone. The Recovery address or phone number is also used to notify you whenever a change is made to your account. If you notice a change to your account that you did not make, you may change your password immediately, which allows you to regain access to your account.
A hardware token is a physical device that you can plug into your laptop or desktop computer to use as your second factor. The University uses YubiKey tokens. They can be purchased for $40 to $60 (depending on which YubiKey is right for you) from the ID & Privileges Office at Regenstein Library.
Contact IT Services if your hardware token doesn't work. Duo tokens (sold before May 2018) can often be re-synced, which will allow them to continue to be used. YubiKey tokens (sold after May 2018) do not require re-syncing and are made to be extremely durable, so problems using your YubiKey token might indicate problems with your computer's hardware.
No. Alumni who are not also current faculty, students, or staff members are not eligible to use 2FA.
View the IT Services Knowledge Base for other articles about 2FA, or contact IT Services with any other issues.