UTORMFA is a security solution that makes remote work better.
- Simple: Only two clicks for a safer login.
- Fast: Self-enroll in minutes.
- Secure: Organizations that use MFA are significantly less likely to experience a breach.
- Convenient: Access even high security applications from home.
What is UTORMFA?
UTORMFA is the University of Toronto's multi-factor authentication solution.
UTORMFA adds an extra layer of security to your login, enabling you to work remotely with confidence. UTORMFA verifies your identity using a second factor, such as a mobile device or hardware token, ensuring that only you can log in.
How does it work?
UTORMFA's multi-factor authentication solution is provided by DUO, a mobile application.
When you attempt to log in, a push notification is sent to your phone by DUO.
What do I need?
You can enroll with an Apple or Android device. If you need accommodations, contact your local help desk.
When do I use it?
UTORMFA only activates when logging in from off-campus locations. Most users only need to authenticate once a day. Users accessing high security apps may need to authenticate more frequently.
Ready to self-enroll? Get your computer and mobile device, and set aside 10 minutes to complete the instructions below. Note: Do not interrupt the self-enrollment process. If you stop the process you will be locked out of your accounts.
NOTE: A recording of an info session about self-enrolment is available here: UTORMFA Info Session Recording. The slide deck from that presentation is available here: UTORMFA Info Session Slide Deck.
Step 1: Check device compatibility
For Android: Android 8 or above is required. For iPhone: iOS 12 or above is required.
If your device is not compatible, contact your local help desk for support.
Step 2: Download the DUO app
Download DUO from the Google Play store on Android and the App Store on iPhone.
Step 3: Go to the UTORMFA enrollment site. Click “Start Setup.”
To self-enroll visit https://enroll.utormfa.utoronto.ca/enroll.
Step 4: Select your preferred device.
Step 5: Enter your smart phone number.
Step 6: Choose your device type.
Step 7: Activate DUO Mobile.
Scan the QR code to validate your device.
Step 8: Click continue.
Step 9: Generate emergency bypass codes.
These codes will enable you to log in when your device is not available. Visit http://bypass.utormfa.utoronto.ca to generate codes.
Step 10: Set up a second device (recommended)
Congratulations, you have enrolled in UTORMFA!
Having trouble with self-enrollment?
Self-enrollment interrupted and you can't restart the process? Phone not compatible with DUO? Things don't always go according to plan. Don't worry, we're here to help.
Contact your local help desk for support:
UTSG Information Common Helpdesk: email@example.com, 416-978-HELP
UTM helpdesk: firstname.lastname@example.org, 905-828-5344
UTSC helpdesk: email@example.com, 416-287-HELP
Applications are managed by standard and enhanced requirements, depending on the data classification and criticality of the application (updated May 2020).
For applications protected by enhanced policies:
- You will be prompted to authenticate with UTORMFA every login.
- You will need to authenticate again if your application has a time out.
- If you are not enrolled in MFA, you will be denied access to the application.
- Permissible authentication methods: Duo Push, Duo Mobile Passcode, hardware tokens and Security Keys (U2F and WebAuthn).
- Authentication will “fail close” in the event of a Duo outage.
For applications protected by standard policies:
- If you are connected to a trusted U of T network (excluding Wi-Fi and virtual private network (VPN) connections), you will not be prompted to authenticate with UTORMFA and you can continue to access the application as usual.
- If you are not connected to a trusted U of T network, you will be prompted with UTORMFA. Optionally, you may decide to trust your device and will only receive a UTORMFA prompt every 24 hours.
- If you have not enrolled into UTORMFA, you will not be prompted.
- Permissible authentication methods: Duo Push, Duo Mobile Passcode, hardware tokens and Security Keys (U2F and WebAuthn).
- Authentication will “fail open” in the event of a Duo outage. (See Note 2)
For applications protected by hybrid policies:
- Hybrid policy protects a group of users with "Enhanced" protection as defined above.
- All other users of that application are protected with "Standard" as defined above.
Note 1 - UTORMFA authentication methods:
- Push: You will receive a push notification on your UTORMFA registered mobile device. Tap on “approve” on the mobile device to complete the login process.
- Mobile Passcode: You can find the passcode from your UTORMFA account in the Duo mobile app on the registered mobile device. Type it into the text field, then click on “Log in” to log into the service.
- Hardware Token: U of T will issue hardware tokens to users upon request and approval. If you have been issued a hardware token, you can click on the button on the hardware token to generate a One-time Passcode. Enter the One-time Passcode into the text field and click on “Log in” to log in to the service.
- Security Keys (Webauthn & U2F): Insert your security key into your computer and touch it to activate the key. (An example of a Security Key would be the YubiKey)
See UTORMFA - How-To Authenticate for more details
Note 2 - There are two fail modes available for each UTORMFA-protected web application: fail-open and fail-close. Application owners can decide which fail mode should be used for their applications.
Fail-open: If there’s a service outage of UTORMFA, the Weblogin service will detect it and allow users to bypass the UTORMFA login screen to access the application.
Fail-close: If there’s a service outage of UTORMFA, the Weblogin service will detect it and deny users’ access to the application.
To determine what login experience you should expect, please consult our list of applications using a hybrid or enhanced protection policy.
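The standard, enhanced and hybrid rules above can be read as a single decision function. The sketch below is an added illustration, not code from U of T's Weblogin service. The field names, the order of the checks, and the pairing of fail-close with enhanced and fail-open with standard (as the lists above show it, although Note 2 leaves the choice to application owners) are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import product

class Outcome(Enum):
    NO_PROMPT = "access without a UTORMFA prompt"
    PROMPT = "UTORMFA prompt"
    DENY = "access denied"

@dataclass(frozen=True)
class Login:  # hypothetical model of one login attempt
    enrolled: bool
    trusted_network: bool         # trusted U of T network; Wi-Fi and VPN do not count
    remembered: bool              # device trusted within the last 24 hours
    duo_up: bool                  # False models a Duo outage
    enhanced_group: bool = False  # hybrid apps only: user is in the enhanced group

def decide(app_policy: str, login: Login) -> Outcome:
    """app_policy is 'standard', 'enhanced' or 'hybrid' (labels from the page)."""
    if app_policy not in ("standard", "enhanced", "hybrid"):
        raise ValueError(f"unknown policy: {app_policy}")
    enhanced = app_policy == "enhanced" or (
        app_policy == "hybrid" and login.enhanced_group)
    if enhanced:
        # Not enrolled -> denied; Duo outage -> fail close; otherwise prompt
        # on every login, regardless of network or a remembered device.
        if not login.enrolled or not login.duo_up:
            return Outcome.DENY
        return Outcome.PROMPT
    # Standard: fail open on outage; each condition below skips the prompt.
    if (not login.duo_up or not login.enrolled
            or login.trusted_network or login.remembered):
        return Outcome.NO_PROMPT
    return Outcome.PROMPT

def no_prompt_states(app_policy: str, enhanced_group: bool = False) -> list[Login]:
    """Every combination of conditions in which no second factor is requested."""
    states = (Login(*bits, enhanced_group=enhanced_group)
              for bits in product((True, False), repeat=4))
    return [s for s in states if decide(app_policy, s) is Outcome.NO_PROMPT]

if __name__ == "__main__":
    for policy in ("standard", "enhanced"):
        count = len(no_prompt_states(policy))
        print(f"{policy}: {count} of 16 states complete without a prompt")
```

Enumerating the states makes the trade-off explicit for application owners: under the standard policy only an enrolled user on an untrusted network with no remembered device is prompted, while the enhanced policy never admits a login without a second factor.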
1.1 How do I select a device to authenticate if I have more than one device registered on my UTORMFA account?
You can simply select the device you want to authenticate with during the authentication process. Select the drop-down list next to "Device".
Then choose an authentication method: "Send me a Push" or "Enter a Passcode". This will let you authenticate with the selected device.
1.2 Is UTORMFA mandatory at U of T?
UTORMFA is opt-in for users and application owners may enable it for their applications. Applications with Level 4 data are required to have some kind of MFA, which can be eToken or UTORMFA. UTORMFA will be required for all weblogon and most applications in the future. Communication will be forthcoming after a period of adoption and production use.
1.3 Does UTORMFA replace the eToken service?
No, eToken will continue to exist. Services that require an eToken will continue to prompt end users for their eToken. When presented with the UTORMFA prompt on other applications, users may choose to use their eToken if they are also registered for that service.
1.4 What if my phone is not compatible with Duo Mobile App or I don’t want to use my own device?
1.5 How do I get help with setting up a UTORMFA account?
1.6 Which applications are protected by UTORMFA?
Look at the "Policy" tab as applications are broken down into enhanced policy and standard policy.
1.7 How do I use a hardware token to access UTORMFA protected services?
When you access a UTORMFA protected service, you can click on “Enter a Passcode”.
Then press the button on the hardware token to generate the one-time passcode, and enter it in the highlighted field.
1.8 How do I choose an authentication method for UTORMFA?
By default, there are two UTORMFA authentication methods available: Duo Push and Passcode. You’ll be able to select one of the two methods on the UTORMFA login page.
1.9 Can I set up a second UTORMFA device?
After you click on “Add another device,” follow the instructions to add another device.
1.10 How do I recover my UTORMFA account if I get a new phone?
If you are using the same number, then log into the Device Management Portal. From there, you will see a screen that asks you to either "send me a push" or "enter a passcode" to authenticate yourself. Choose one of the two options. After authenticating yourself, you can select "Device Options" next to the device you want to recover.
1.11 How do I authenticate if I don't have access to wi-fi or data?
The DUO application can automatically generate a passcode if you don’t have access to wi-fi or data. To generate a passcode:
- Click on the application.
- Click on University of Toronto.
- A code will be generated.
- Enter the code when you log in.
1.12 How do I remove my Duo device if I lost it?
If the device you lost is the only registered UTORMFA device, then contact the UTORMFA helpdesk on your campus to get a bypass code. Log into the Device Management Portal, click on "Device Options" next to the device you want to remove, then click on the "trash" button to remove your device.
Then click on "Reactivate Duo Mobile". This will generate a new barcode for your UTORMFA account. Use the Duo Mobile App to scan the barcode to add your UTORMFA account to the Duo Mobile App on your new phone.
Note: You cannot remove the device if it is your last device.
1.13 Why and how can UTORMFA benefit individuals within the U of T community and the University as a whole?
The amount and sophistication of cyber attacks continue to worsen. According to the IBM X-Force Threat Intelligence Index 2020 report, stolen or compromised credentials and cloud misconfigurations were the most common causes of a malicious breach for companies, representing nearly 40 per cent of malicious incidents. What’s more, 60 per cent of initial entries into victims' networks that were observed leveraged either previously stolen credentials or known software vulnerabilities. Post-secondary institutions are routinely targets of malicious phishing (i.e., impersonation emails, bogus job scams) and breaches of private data, including research. The addition of MFA will empower University of Toronto faculty, researchers, librarians and staff to better protect their work, research, data and identities. Benefits include:
- Extra security against weak/compromised passwords: In the event that an account(s) is compromised (i.e., hackers gain access to login credentials), UTORMFA will ensure attackers won’t be able to complete the second login step, preventing unauthorized access to account(s).
- Protection against cyber-attack financial losses: According to IBM Security’s 2020 Cost of a Data Breach Report, data breach incidents cost companies $3.86 million per breach on average.
- Potential for future technical innovations: Looking ahead, strengthening the University’s overall security posture will also result in more flexible implementations of new business processes and infrastructure solutions for the future.
1.14 What should I do if I leave my phone at home after installing UTORMFA?
The Help Desk (links are on the "Support" tab above) is able to issue a one-time use bypass code. This code will allow you to log into your applications. Use the "remember me" feature to make sure that your session with UTORMFA will last for 24 hours.
1.15 Can I start the UTORMFA sign-up process and come back to it later?
No, you should set aside 10 minutes to go through the entire process at once. If you stop halfway through, you will need to call the Help Desk to finish.
Duo mobile app
2.1 Can we use any third-party mobile applications to generate a Duo passcode or a Duo push prompt?
The Duo Mobile app and Duo's service are designed to work together. Only the Duo Mobile app can be activated for use with Duo's cloud service (push, phone call, or generated passcode authentication to a Duo protected application or service). You can use Duo Mobile to replace other pass-code generating apps for third-party accounts, but can't use those other apps to replace Duo Mobile.
2.2 What data does the Duo Mobile App collect from my mobile phone?
iOS and Android phones: Smartphone model, Duo mobile app version, operating system version and screen lock type. Android only: full disk encryption or not.
2.3 What permission(s) on my phone are required for the Duo Mobile App?
2.4 Is my phone compatible with Duo Mobile App?
Duo is compatible with iOS and Android.
2.5 How do I test if my Mobile App and account are set up properly?
Users can test if their Mobile App and UTORMFA accounts have been set up properly by logging in at https://can.login.utoronto.ca/. If you get the UTORMFA login prompt and access the website successfully, your UTORMFA account and Mobile App have been set up successfully.
2.6 What are the numbers that appear in the Duo Mobile App? How do I use it?
The numbers are the one-time passcode, which is used to access UTORMFA protected services. When you try to access a UTORMFA protected service, you can authenticate either by Duo Push or by one-time passcode.
Click on “Enter a Passcode” and enter the one-time passcode in the highlighted field.
2.7 What should I do if I get spammed with push notifications?
Bypass Code Service
3.1 What is the bypass code service?
The bypass code service enables UTORMFA users to generate 10 codes that enable them to log in if their mobile device is unavailable.
3.2 When should I generate the bypass codes?
You should generate bypass codes as soon as possible. Codes cannot be generated after a device is lost or stolen. They must be generated when your mobile device is in your possession.
3.3 How should I store bypass codes?
Print out or write down bypass codes and store them in a safe place. Do not save the codes on your computer.
3.4 How do I generate bypass codes?
Visit http://bypass.utormfa.utoronto.ca to generate bypass codes.
After enrolling yourself
4.1 What happens after I enroll in UTORMFA?
See the "Policy" tab.
4.2 Do I need to do anything with UTORMFA if I change my UTORid password?
No, you don’t need to do anything as long as your UTORid is not changed.
4.3 Will I be prompted for UTORMFA every time I try to log into a work application?
It depends on the policy of the application:
- If you are connected to a U of T network (excluding Wi-Fi and VPN connections), and the application is listed as a standard policy application, you will not be prompted to authenticate with Duo and you can continue to access the application as usual.
- If you are not connected to a U of T network and the application is listed as a standard policy application, you will only be prompted to authenticate with Duo once every 24 hours, if you decide to trust the device that is accessing the U of T application. Additionally, if you have not enrolled yourself into Duo, you will not be prompted for MFA.
- If you are trying to access an enhanced policy application, you will be prompted to authenticate with Duo every single time that you are timed out. Additionally, if you are not enrolled in MFA, you will be denied access to the U of T application.
Please look at the "Policy" tab for application categorization.
4.4 How do I remember a device for UTORMFA?
When you access a UTORMFA protected service, check the check box next to “Remember me for 1 day” before you log in. This will allow you to bypass UTORMFA on this device for one day.
May 18, 2021 -- UTORMFA Staff Info Session Recording and Slide Deck Now Available
The slide deck and recording of the staff info sessions are now available to view and download:
UTORMFA Staff Info Session Recording
UTORMFA Staff Info Session Slide Deck
May 13, 2021 -- UTORMFA Application Integration Info Session Recordings Now Available
Recordings are now available for the application integration info sessions that occurred on April 22, 2021 and May 12, 2021.
April 22, UTORMFA & SSH: Secure your server logins with UTORMFA: Info Session Recording
May 12, UTORMFA & RDG/RDP: Secure your Remote Desktop Gateway environment using UTORMFA: Info Session Recording
April 13, 2021 -- UTORMFA Application and Service Integration Info Sessions
Join the UTORMFA project team to learn how your application or service can integrate with U of T’s latest information security solution.
Matt Wilks, the UTORMFA project team’s technical lead, will walk you through an actual integration demo and delve into how applications and services can easily integrate with UTORMFA. Finally, the floor will be open for your questions and concerns.
Info Session Dates:
April 22, 2pm – UTORMFA & SSH: We will demonstrate how you can secure your server logins with UTORMFA.
Teams Meeting Link for April 22
May 12, 2pm – UTORMFA & RDG/RDP: We will demonstrate securing your Remote Desktop Gateway environment using UTORMFA.
Teams Meeting Link for May 12
April 12, 2021 -- UTORMFA Staff Info Sessions
Join the UTORMFA project team to learn about U of T’s latest information security solution: multi-factor authentication (MFA). UTORMFA rollouts have been underway across the tri-campus and all USW and appointed staff should be self-enrolled by May 2021.
In the info session, attendees will learn what UTORMFA is and how it works. Matt Wilks, the UTORMFA project team’s technical lead, will guide attendees through the self-enrollment process. Finally, the floor will be open for your questions and concerns.
Info session dates, times and event links:
Tuesday, April 20 at 9:15 am: Teams Meeting Link, April 20
Tuesday, April 27 at 4 pm: Teams Meeting Link, April 27
Thursday, April 29 at 12 pm: Teams Meeting Link, April 29
Monday, May 3 at 2 pm: Teams Meeting Link, May 3
Wednesday, May 5 at 3 pm: Teams Meeting Link, May 5
November 19, 2020 -- UTORMFA Connect+Learn
Watch the UTORMFA Connect+Learn hosted by EASI + IS. This features a quick introduction to the service as well as a live demo and a Q&A session. https://easi.its.utoronto.ca/self-enroll-in-utormfa-session-2/
November 12, 2020 -- UTORMFA Connect+Learn
Watch the UTORMFA Connect+Learn hosted by EASI + IS. This features a quick introduction to the service as well as a live demo and a Q&A session. https://easi.its.utoronto.ca/self-enroll-in-utormfa-session-1/
October 19, 2020 -- Security Matters
Kim Wells has written a great article highlighting the benefits of UTORMFA over at the Security Matters blog. Check it out now!