FAQs about multi-factor authentication

General questions about MFA

Can I opt out of setting up MFA?

No. It is University policy that all staff and students must have their IT accounts protected with MFA. Once enrolled in MFA, you must not remove it. If you remove it, you will not be able to access your University account and services.

Do I need a smartphone or data plan to use MFA?

No. Although a smartphone will give you the easiest and most secure experience with Duo Push, you can also use a hardware token or security key.

As a member of staff, do I need to set up MFA on a role-based (shared/generic) account, for example admissions@sheffield.ac.uk?

Yes. Find out how to set up a secondary account. 

Duo Mobile app

Which services do I need to use Duo MFA for?

You need MFA for the following services:

• all services accessed through MUSE
• off-campus access to the High Performance Computing (HPC) system
• the University VPN service (University login required)
• remote desktop service (University login required)

Will I have to verify my identity with MFA every time I sign in?

Once enrolled in MFA, you'll be prompted to use it whenever you log into MUSE or any MUSE service. 

You have the option to remember your session for 7 days on the same device and/or browser. The 'Remember Me' feature for MFA works for web services, such as your browser. If you use multiple devices and browsers, you'll need to select the option to remember your session for 7 days on each device and browser.

If you use the University's VPN service (University login required), the 'Remember Me' MFA function will not work. When your VPN connection drops (often due to inactivity), you will need to authenticate using MFA when you reconnect to VPN.

Why am I being asked to log in when I selected 'Remember me for 7 days'?

You may need to use MFA to log in because you're using one of the following:

• A different device or browser to the one you were using when you selected 'Remember me for 7 days'.
• Private browsing such as Incognito Window (Chrome) or Private Window (Firefox). Your browser won’t store any information such as history, cookies or form data. So you won't be able to remember devices or browsers.
• An application that has sensitive or protected information (for example, our staff payroll system).
• A service that doesn't allow the 'Remember me for 7 days' feature, such as the University's VPN. VPN isn't a web service and therefore doesn't have cookies, which are required for this MFA feature. When your VPN connection drops (often due to inactivity), then you will need to authenticate using MFA when you reconnect to VPN.

How do I use 'Remember me for 7 days' if my browser blocks third party cookies?

Go to Duo's website to find out how to add an 'allow cookies from this site' exception.

Is the Duo Mobile app safe and secure?

The Information Security team in IT Services has tested the security and privacy of the app. It is safe to use on personal devices. It does not provide the University or any external parties with access to your device's data, including contacts, photos, text messages or emails.

Duo Mobile needs some device permissions:

• permissions for Android
• permissions for iOS 

For more details, see Duo's Mobile privacy information.

Can Duo see my password?

No. Your password is verified by the University and never sent to Duo.

Why does the Duo Mobile app need access to my camera?

When using MFA for the first time and registering a device, the Duo Mobile app will only access your device's camera to scan a QR code displayed on the screen. For more details, see Duo's Mobile privacy information.

Does using Duo give up control of my smartphone?

No. The Duo Mobile app cannot change settings or remotely wipe your phone.

Duo checks the security settings of your device to make sure it's a safe place to send notifications. It uses these checks to help recommend security improvements to your device. You're always in control of whether to take action on these recommendations.

How much data does a Duo Push request use?

Duo Push authentication requests require a minimal amount of data – less than 2KB per authentication. For example, you would only consume 1 megabyte (MB) of data to authenticate 500 times.

Can I use other authentication apps such as Microsoft or Google?

No. The Duo Mobile app is the only app that can be used for MFA. 

If you're staff or a postgraduate researcher and you can't use this app, you can ask for a hardware token instead. 

I have two University accounts and want to use the same mobile phone for both. Can I do this?

Yes. Devices can be registered to more than one account. To do this, you need to register each account for MFA. Then log in to each account and add the device. See Manage your MFA devices and settings.

What happens if I haven't got my phone with me?

Contact the IT Service Desk on +44 114 222 1111. They will generate a 6-digit code for you to log in. 

What happens if I get a new phone?

Go to 'Managing your devices' on Duo's website to find out how to add a new device.

What should I do if my phone is lost or stolen?

Please contact the IT Service Desk immediately on +44 114 222 1111.

Why have I stopped receiving push notifications from Duo Mobile?

Follow these steps:

• Make sure your enrolled device has a cellular network or wifi connection.
• Have the Duo Mobile app open when you authenticate.
• Try other troubleshooting methods for iPhone or Android.

If the methods above do not work, try using another authentication method, such as a passcode provided in the Duo Mobile app.

Why have I received a push notification when I haven't tried to log in?

Your password may have been compromised. Someone may be trying to log in to your University IT account.

You should deny the request and report it to the IT Service Desk on +44 114 222 1111.

Why can't I download the Duo App from Google Play store in my country?

The Google Play store may be blocked or unavailable in your country. Read Duo's instructions to download and use the Duo App in China.

How does Duo work when I'm travelling?

Duo will continue to work as normal over wifi or mobile data, where available. If it's not available, you can get a security code within the Duo Mobile app instead.

Hardware tokens

How do I get a hardware token?

Only staff and postgraduate researchers can ask for a hardware token. 

Anyone can enrol their own personal security keys.

Is the hardware token linked to a specific user's login?

Yes, attempting to use a token that is registered to another user will not work. Only the token assigned to you will generate a valid code for your own account(s).

I have two University accounts. Can I use the same hardware token for both?

Yes. Devices can be registered to more than one account, but this will need to be done manually by IT Services. Contact the IT Service Desk for assistance.

My hardware token keeps displaying the code 888 888. How do I stop this?

Press the button on the hardware token for a shorter amount of time when you need an authentication code.

If you press the button for several seconds, it displays a test code of 888 888. This is to show that all parts of the display are working.

Why has my hardware token stopped working?

Your hardware token can get out of sync if the button is pressed too many times in a row and the generated passcodes are not used for login. In some cases, this can happen by accident. For example, if the token is next to other objects in a pocket or backpack. 

To resynchronise the token, generate three passcodes in a row and enter them one by one into the passcodes field. 

If this doesn't work, contact the IT Service Desk on +44 114 222 1111.

What should I do if my hardware token is lost or stolen?

Please contact the IT Service Desk immediately on +44 114 222 1111.

Security keys

Can I use a YubiKey or another type of hardware token?

You can use a security key. This method may be suitable for students who are not eligible to use one of our hardware tokens. Go to the Duo website to find out how to enrol your security key. We don't answer queries about personal security keys.

Make sure you enrol a mobile push device too, or you may get locked out of your account.