UTORMFA Bypass Code Service Now Available

The bypass code service for UTORMFA is now available. Users are encouraged to generate their bypass codes as soon as possible. These codes will allow you to login if your mobile device or hardware token is lost, broken or unavailable. 

What are UTORMFA bypass codes? 

The UTORMFA bypass code service generates 10 unique, single-use codes. If you lose your phone or hardware token, you can enter one of these codes instead to log in. 

Bypass codes provide you with more flexibility and independence in managing your multi-factor authentication. 

Be prepared – generate your UTORMFA bypass code today 

These codes cannot be generated after you lose your device. They must be generated before they are needed. Once generated, we recommend that you print off your codes and store them in a safe place where they are readily available. 

Generate your UTORMFA bypass codes: https://bypass.utormfa.utoronto.ca 

Learn more about UTORMFA: uoft.me/mfa 

UTORMFA “remember me” feature extended to seven days

Information security is pleased to share that UTORMFA’s “remember me” feature will extend from one day to seven days. This change will take place on October 7.

This will reduce the number of times a user must authenticate through UTORMFA. With this update, users who select “remember me” will only have to provide their second factor of authentication once every seven days. 

 This change will not apply to MFA-enabled high security applications (e.g., RedCap). Use of these applications will still require regular second factor authentication 

This change makes UTORMFA more convenient and easier to use. 

A new look for UTORMFA is coming soon!

During the week of October 11th to 15th, UTORMFA users will see a new look on the Duo Mobile application.  

1.What is changing?  

Duo Mobile,  which provides UTORMFA’s two-factor authentication service, is introducing a redesigned version of its app.  

The redesigned Duo Mobile app is designed to make the login experience better by: 

  • Updating the position of the Approve / Deny buttons so that Approve is on the right — a more natural location.  
  • Improving the accessibility of the app, including adding a landscape view, variable font sizes and improved color contrast.   
  • Providing clear guidance on how to restore accounts  on a new device.  
  • Making it easier to find and manage your accounts with a simpler interface.  

Here is a preview of the app’s new look:  

Image of the updated look and feel of the Duo application's approve/deny prompt              Image of the updated look and feel of the Duo application's passcode page

2. Why is it changing?  

The UTORMFA service provider, Duo, is upgrading their software and distributing this change through all major platforms.  

3. When the Duo Mobile update launches, will UTORMFA users need to do anything?  

If users have enabled automatic app updates on their device, Duo Mobile will update automatically. The Duo Mobile app can also be manually updated.   

4. What if I don’t want to update the app now, or if my device is not compatible with the update?  

If you don’t update the app, you can continue using the old version of Duo Mobile. However, you will not be able to enjoy the new user interface and app support from the University and Duo may not be available in the future.   

5. What is not changing?  

The core functionality of Duo Mobile is not changing. Users will continue to be able to: 

  • Receive a push notification.  
  • Use passcodes.  
  • Add, edit, reorder and remove accounts.  
  • Backup and restore accounts.  
  • Use dark mode.  
  • For more information, watch Duo Mobile’s video about the update.  

If you have questions, contact your tri-campus help desk:  

Bookmark the permalink. 

E-Token retirement coming soon

In the coming months, e-token authentication for high security logins will migrate to UTORMFA.

UTORMFA has already been adopted by over 9000 members of the U of T community. UTORMFA, powered by DUO, is a software based multi-factor authentication method that authenticates user logins via prompts sent to a user’s phone. UTORMFA is easy to use, quick to set up and secure.

Other authentication options will be available for use cases where UTORMFA is not appropriate.

The migration process will be gradual and carefully implemented.

  • Fall 2021: Licences for e-tokens no longer issued.
  • Fall to Winter 2021: Migration process underway.
  • Winter 2021 to Spring 2022: Migration process complete by the end of June 2022.

More information about the e-token migration will be available in the coming weeks.

To learn more about UTORMFA visit: uoft.me/mfa

If you have questions, feel free to reach out to the UTORMFA project team: utormfa@utoronto.ca

Multi-factor authentication self-enrollment for faculty, researchers and librarians  

Faculty, researchers and librarians can now self-enroll in the University of Toronto’s multi-factor authentication (UTORMFA) solution. Login with confidence knowing your U of T account, teaching, and research are protected with this new security feature. 


  • Simple: Only two clicks for a safer login.  
  • Fast: Self-enroll in minutes. 
  • Secure: Organizations that use MFA are significantly less likely to experience a breach.  
  • Convenient: Access even high security applications and resources from home. 

Use a mobile device to self-enroll today. To self-enroll visit: https://enroll.utormfa.utoronto.ca/enroll

For more information visit: uoft.me/utormfa  

Learn about U of T’s multi-factor authentication service

Join the UTORMFA project team to learn about U of T’s latest information security solution: multi-factor authentication (MFA). UTORMFA roll outs have been underway across the tri-campus and all USW and appointed staff should be self-enrolled by May 2021.  

In the info session, attendees will learn what UTORMFA is and how it works. Matt Wilks, the UTORMFA project team’s technical lead, will guide attendees through the self-enrollment process. Finally, the floor will be open for your questions and concerns.  

About UTORMFA:  

UTORMFA is a security solution that makes remote work better. MFA adds an extra layer of security to your login, enabling you to work remotely with confidence. It is:   

  • Simple: Only two clicks for a safer login.  
  • Fast: Self-enroll in minutes  
  • Secure: Organizations that use MFA are significantly less likely to experience a breach.  
  • Convenient: Access even high security applications from home.  

Don’t miss this opportunity to learn about how you can login with confidence with UTORMFA.  

Info session dates, times and event links:  

Tuesday, April 20 at 9:15 am 

Tuesday, April 27 at 4 pm 

Thursday, April 29 at 12 pm 

Monday, May 3 at 2 pm 

Wednesday, May 5 at 3 pm 


Whitehats, Red Team-Blue Team, Capture the Flag…

Recently Allan Stojanovic, one of the key members of the network visibility and InfoSec incident response team, organized and participated in a ‘Whitehat Challenge’ with CERN. Their goal was to, in a controlled way, hack at CERN’s infrastructure for the purpose of discovering vulnerabilities and, in turn, improving the security design of services.

CERN acknowledgement:


And the CERN info on ‘Whitehat Challenge’:


The toolbox of information security is full of vendor products: detection/blocking attacks, prevention, and finding vulnerabilities. The ‘whitehat’ challenge is different. Akin to penetration testing, this is primarily a skill that people bring. The skill includes the abilities to:

  • discover what’s connected on the network, and use that to:
  • gather information of one particular device, and use that to:
  • find a single vulnerability on that device, and use that to…

You get the idea. This type of work usually requires expert level knowledge and it explains in part why information security staffing is a challenge in today’s world. How can this be remedied? Part of the answer lies in infosec community events such as the whitehat challenge that CERN ran. This was a grassroots effort to bring experts together to exercise their skill as well as give CERN a valuable test of their infrastructure. Another example of this kind of event are ‘Capture-the-Flag’ competitions where teams try to find the ‘flag’ by using their infosec penetration skills. Finally we have Red Team-Blue Team competitions where the Red Team are the infosec attackers and the Blue Team are the defenders.

These kinds of events are important to strengthen infosec expertise thus contributing to the ability of our institution, the University of Toronto, to protect itself in the infosec environment we find ourselves. I look forward to working with other community members to organize an event or two here!


Improved Information Security and Enterprise Architecture Website

Welcome to the re-vamped Information Security and Enterprise Architecture  (ISEA) website. The objective for the new site is to improve the presentation and usability of ISEA’s services and information. In conjunction with the Information Security Awareness and Education site (https://securitymatters.utoronto.ca), you can easily find information and see it presented in a format that fits your needs.

New features:

  • updated information security incident response procedure and reporting information.
  • improved view of the information security risk assessment service.
  • a view of work on ISEA and ITS compliance practices for data retention.
  • a view of  ITS work on information security standards, guidelines and procedures.

Check the ‘Services’ section that includes help and documentation for:

  • Identity and Access Management (UTORid account information, UTORid and eToken authentication, UTORGrouper and UTORauth authorization services).
  • Enterprise Architecture principles and artifacts.
  • Enterprise Active Directory.
  • Antivirus advice, network vulnerability scanning service.

Our goal is to provide the University community with services and information that can be used to reduce information security associated risks. I welcome your comments and suggestions.