Your data and online experience are important to us. The University of Toronto (U of T) is enhancing the cyber security protections of your account through a new service called UTORMFA. This is available for all U of T faculty, researchers, librarians and staff. This service is provided by Duo Security.

Multi-factor authentication (MFA) is a security enhancement that requires two sets of unique credentials before granting users access to an account (e.g., your password paired with a code sent to your mobile phone).

How does MFA work?

New login process

How do I participate?

You can get started by proceeding to the Getting Started tab or by visiting https://enroll.utormfa.utoronto.ca/enroll. Also, check the 'timelines' tab for the current rollout schedule and what applications are going to be affected.

Lost or stolen device?

Contact the Tri-Campus central help desk for support.

The steps below allow you to enable UTORMFA for your UTORid. Or click here to download the instructions as a PowerPoint presentation.

1. Checking compatibility with Duo

To use Duo's multi-factor authentication service, you must have one of the devices listed below in bold. Each compatible device type is listed with its installation instructions; follow the ones for the device you prefer to use.

eTokens

  • eTokens can be used to authenticate yourself through UTORMFA if using a mobile device for UTORMFA does not suit your needs.
  • Ensure your eToken has been successfully enrolled by a departmental administrator. If you have trouble with your eToken, you can contact your departmental administrator through this link: https://isops.noc.utoronto.ca/etokendbmodification/Admincheck.
  • Ensure that you have SafeNet Authentication Client installed on your machine.
  • Instructions for authenticating yourself with an eToken are shown below (past step 5).

Android

  • Ensure that your device is a Duo-supported version of Android. If it is not, find an alternate device that Duo is compatible with.
  • On your Android device, launch the Google Play Store app.
  • Search for "Duo Mobile". Duo's coloring scheme is white and green.
  • Tap install to install the app.
    • If you are prompted to add a credit card, you can dismiss that request.

iOS

  • Ensure that your device is a Duo-supported version of iOS. If it is not, find an alternate device that Duo supports.
  • On your iOS device, launch the App Store.
  • Search for "Duo Mobile". Duo's coloring scheme is white and green.
  • Tap get and then install to install the app.
    • You may be prompted to enter your credentials.

Other devices

  • Contact the tri-campus support as they may be able to assist you with alternative solutions to fit your needs.

Exceptional Case: I have an Android, but cannot download from the native play store

  • We strongly suggest following the instructions that Duo recommends, which is to download their APK.

2. Visit the UTORMFA enrollment site

After ensuring that your device is compatible with Duo, you may visit the UTORMFA enrollment site, https://enroll.utormfa.utoronto.ca/enroll, to enroll yourself into UTORMFA. The site experience works best from a desktop or laptop. Your screen should look like the following:

3. Enrollment guide

Once you have the enrollment site open, you can either follow the instructional video below, instructions further down, or follow the instructions on https://guide.duo.com/enrollment. Duo's self-enrollment process makes it easy for you to register your phone or tablet and activate the Duo Mobile application so that you receive Duo requests for push authentication and passcode authentication.

    1. On the enrollment site, click on 'Start Setup', which will bring you to this screen

    1. Click on your preferred device. For the Security Key option, contact the Tri-Campus Central helpdesk for more information. From here, you may be asked your phone number if you chose the mobile option:

    1. Enter your phone number, and confirm your phone number by clicking the checkbox asking if the entered number is correct. Then click 'Continue'.

    2. For both tablets and mobile phones, you will be asked what type of device you have:

    1. You will then receive instructions catered to your device, telling you to install the 'Duo Mobile App'. Install the Duo App on your mobile device. Note: You may be asked to allow camera access for scanning a QR code later in the process. This is an easier option for most users. If you are not comfortable with granting camera privileges to the Duo App, there exists an alternative, but please follow the remaining instructions carefully.

    1. Once you install the Duo Mobile app, and open the app, you have two options
      • 'New to Duo? Get Started'
      • 'Used Duo before? Get My Account Back'

      Just tap on the 'Get Started' option. Note: You may be asked to allow camera access for scanning a QR code later in the process. This is an easier option for most users. If you are not comfortable with granting camera privileges to the Duo App, there exists an alternative, but please follow the remaining instructions carefully.

    2. On your browser, click on the 'I have Duo Mobile installed', and you have two options to initially authenticate yourself
      • Scan a QR code using the Duo Mobile App. You need to allow camera privileges on your mobile device
      • Use your e-mail

    1. If you chose the QR scanning option, use your phone to scan the QR code on your browser, then proceed to step 7. Otherwise, click on the 'Email me an activation link instead'. You will then be redirected to a site that allows you to enter your email. Please ensure that the email is linked to the mobile device that Duo Mobile is installed on:

    1. Once you enter your e-mail, click on 'Send email'. Once you receive the e-mail, open the email on the mobile device that Duo is installed on, and tap on the link

    1. After tapping on the link, you should be redirected back to the Duo Mobile App.

    2. After validating your mobile device, go back to your browser. Your browser should then appear to look like this:

    1. Click on 'Continue', and then you will be greeted by this screen

4. How-To Authenticate

When logging into a UTORMFA protected application, you will get the normal UTORid and password prompt first followed by the UTORMFA page where you can select one of the methods to complete the login process.

If you have more than one device enrolled, you can simply select the device you want to authenticate with during the authentication process. Select the drop-down list next to "Device". Then choose an authentication method: "Send me a Push" or "Enter a Passcode". This will let you authenticate with the selected device.

5. Methods of Authentication

  1. Duo Push
    • You will receive a push notification on your UTORMFA registered mobile device. Tap “approve” on the mobile device to complete the login process.
  2. Passcode
    • The Duo App provides you with a 9 digit code that you then enter into the prompt. From there, you will be redirected to the affiliated U of T application.
  3. Logging in with an eToken
    • When you have your eToken plugged in, SafeNet Authentication Client will prompt you for your eToken password. Once entered successfully, you will be redirected to the affiliated U of T application.
  4. Logging in with a SafeNet OTP (One-Time Password)
    • If you have been assigned a hardware token, you can generate a passcode on the hardware token to log into the application.

Using Duo with an eToken on Windows OS

Pre-requisites

  1. A valid eToken key
  2. eToken key plugged in to a USB port on a device that you are using to access secure applications

Step 1: Once you have your eToken key plugged in, open a browser (Chrome, Firefox, Edge or IE) and go to the web page that you are trying to access. If you have Duo enabled, you will get a screen similar to the following image. Click login with eToken.

Step 2: You will get another window. Click log in with eToken when you get the following screen

Step 3: It will prompt a window to select your eToken certificate to authenticate yourself. Click OK.

Step 4: Please enter your eToken key password in the following pop-up window, and click OK.

Step 5: Once you have verified yourself, it will successfully log you in.

More about Duo Mobile and compatibility options

Want to know more about the Duo Mobile App for your device? You can click on your device's icon below for further support. Additionally, you can look at the FAQ tab for common questions and answers.

The easiest way to enroll in UTORMFA is with a smart phone. If you do not have a smart phone, or you do not feel comfortable with using a personal device, please contact the Tri-campus helpdesk support team to arrange an alternative.

Can't find what you're looking for? You can get help from tri-campus support or you can browse Duo's Knowledge Base.

Please click here to self enroll. All U of T faculty, researchers, librarians and staff are eligible for this service.

The estimated MFA timeline is as follows:

For further understanding of classifications, click here.

Please see the news tab for any upcoming updates.

Applications are managed by standard and enhanced requirements, depending on the data classification and criticality of the application (updated May 2020).

For applications protected by enhanced policies:

  • You will be prompted to authenticate with UTORMFA every login.
  • You will need to authenticate again if your application has a time out.
  • If you are not enrolled in MFA, you will be denied access to the application.
  • Permissible authentication methods: Duo Push, Duo Mobile Passcode, hardware tokens and Security Keys (U2F and WebAuthn).
  • Authentication will “fail close” in the event of a Duo outage.

For applications protected by standard policies:

  • If you are connected to a trusted U of T network (excluding Wi-Fi and virtual private network (VPN) connections), you will not be prompted to authenticate with UTORMFA and you can continue to access the application as usual.
  • If you are not connected to a trusted U of T network, you will be prompted with UTORMFA. Optionally, you may decide to trust your device and will only receive a UTORMFA prompt every 24 hours.
  • If you have not enrolled into UTORMFA, you will not be prompted.
  • Permissible authentication methods: Duo Push, Duo Mobile Passcode, hardware tokens and Security Keys (U2F and WebAuthn).
  • Authentication will “fail open” in the event of a Duo outage. (See Note 2)

To see the list of trusted U of T networks, please see: https://ipam.utoronto.ca/list_of_uoft_networks

Note 1 - UTORMFA authentication methods:

  1. Push: You will receive a push notification on your UTORMFA registered mobile device. Tap on “approve” on the mobile device to complete the login process.
  2. Mobile Passcode: You can find the passcode from your UTORMFA account in the Duo mobile app on the registered mobile device. Type it into the text field, then click on “Log in” to log into the service.
  3. Hardware Token: U of T will issue hardware tokens to users upon request and approval. If you have been issued a hardware token, you can click on the button on the hardware token to generate a One-time Passcode. Enter the One-time Passcode into the text field and click on “Log in” to log in to the service.
  4. Security Keys (WebAuthn & U2F): Insert your security key into your computer and touch it to activate the key. (An example of a Security Key would be the YubiKey.)

See UTORMFA - How-To Authenticate for more details

Note 2 - There are two fail modes available for each UTORMFA-protected web application: fail-open and fail-close. Application owners can decide which fail mode should be used for their applications.

Fail-open: If there’s a service outage of UTORMFA, the Weblogin service will detect it and allow users to bypass the UTORMFA login screen to access the application.

Fail-close: If there’s a service outage of UTORMFA, the Weblogin service will detect it and deny users’ access to the application.
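The enhanced and standard policy rules and the two fail modes above, written out as a decision function. This is an added example, not U of T's or Duo's code; the class, field and function names are hypothetical, and the order in which the checks run is an assumption. `password_only_contexts` enumerates every combination of conditions and returns those in which a login completes without a second factor, which is what an application owner weighs when choosing a policy and fail mode.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import product
from typing import Optional


class Policy(Enum):
    ENHANCED = "enhanced"
    STANDARD = "standard"


class Outcome(Enum):
    ALLOW_NO_PROMPT = "allow without a UTORMFA prompt"
    PROMPT = "prompt for UTORMFA"
    DENY = "deny access"


@dataclass(frozen=True)
class LoginContext:
    # Hypothetical field names: the page states the conditions, not a data model.
    enrolled: bool
    on_trusted_network: bool   # trusted U of T network; Wi-Fi and VPN do not count
    hours_since_device_trusted: Optional[float]  # None = device not remembered
    mfa_service_up: bool = True


def decide(policy: Policy, ctx: LoginContext) -> Outcome:
    """Apply the page's default rules; the check order is an assumption."""
    if policy is Policy.ENHANCED:
        if not ctx.enrolled:
            return Outcome.DENY              # not enrolled: access denied
        if not ctx.mfa_service_up:
            return Outcome.DENY              # fail-close during an outage
        return Outcome.PROMPT                # every login, and again after a timeout
    # Standard policy
    if not ctx.enrolled:
        return Outcome.ALLOW_NO_PROMPT       # unenrolled users are not prompted
    if ctx.on_trusted_network:
        return Outcome.ALLOW_NO_PROMPT
    trusted_for = ctx.hours_since_device_trusted
    if trusted_for is not None and trusted_for < 24:
        return Outcome.ALLOW_NO_PROMPT       # remembered device, 24-hour window
    if not ctx.mfa_service_up:
        return Outcome.ALLOW_NO_PROMPT       # fail-open during an outage
    return Outcome.PROMPT


def password_only_contexts(policy: Policy) -> list:
    """Every combination of conditions where the password alone is enough."""
    found = []
    for enrolled, trusted_net, remembered, up in product([True, False], repeat=4):
        ctx = LoginContext(enrolled, trusted_net, 1.0 if remembered else None, up)
        if decide(policy, ctx) is Outcome.ALLOW_NO_PROMPT:
            found.append(ctx)
    return found


if __name__ == "__main__":
    for policy in Policy:
        print(policy.value, len(password_only_contexts(policy)), "of 16 contexts")
```

Under the standard policy the second factor is enforced in only one of the sixteen combinations (enrolled, off the trusted network, device not remembered, service up); under the enhanced policy there is no combination in which the password alone grants access.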

General

1.1 How do I select a device to authenticate if I have more than one device registered on my UTORMFA account?

You can simply select the device you want to authenticate with during the authentication process. Select the drop-down list next to "Device". Then choose an authentication method: "Send me a Push" or "Enter a Passcode". This will let you authenticate with the selected device.

1.2 Is UTORMFA mandatory at U of T?

UTORMFA is opt-in for users and application owners may enable it for their applications. Applications with Level 4 data are required to have some kind of MFA, which can be eToken or UTORMFA.

UTORMFA will be required for all weblogon and most applications in the future. Communication will be forthcoming after a period of adoption and production use.

1.3 Does UTORMFA replace the eToken service?

No, eToken will continue to exist. Services that require an eToken will continue to prompt end users for their eToken. When presented with the UTORMFA prompt on other applications, users may choose to use their eToken if they are also registered for that service.

1.4 What if my phone is not compatible with Duo Mobile App or I don’t want to use my own device?

A hardware token is available. Please contact the Tri-Campus central help desk with your request and receive approval for the cost from your department/division.

The hardware token generates a passcode.

1.5 How do I get help with setting up a UTORMFA account?

1.6 Which applications are protected by UTORMFA?

Look at the "Policy" tab as applications are broken down into enhanced policy and standard policy.

1.7 How do I use hardware token to access UTORMFA protected services?

When you access UTORMFA protected service, you can click on “Enter a Passcode”

Then press the button on the hardware token to generate the one-time passcode, and enter it in the highlighted field.

1.8 How do I choose an authentication method for UTORMFA?

By default, there are two UTORMFA authentication methods available: Duo Push and Passcode. You’ll be able to select one of the two methods on the UTORMFA login page.

1.9 Can I set up a second UTORMFA device?

Yes, you can. Log into the device management portal (https://enroll.utormfa.utoronto.ca/enroll) to add a new UTORMFA device.

After you click on “Add another device,” follow the instructions to add another device.

1.10 How do I recover my UTORMFA account if I get a new phone?

If you are using the same number, then log into the Device Management Portal. From there, you will see a screen that asks you to either "send me a push" or "enter a passcode" to authenticate yourself. Choose one of the two options. After authenticating yourself, you can select "Device Options” next to the device you want to recover.

Then click on "Reactivate Duo Mobile". This will generate a new barcode for your UTORMFA account. Use the Duo Mobile App to scan the barcode to add your UTORMFA account to the Duo Mobile App on your new phone.

1.11 How do I remove my Duo device if I lost it?

If the device you lost is the only registered UTORMFA device, then contact the UTORMFA helpdesk on your campus to get a bypass code.

Log into the Device Management Portal, click on "Device Options" next to the device you want to remove, then click on the "trash" button to remove your device.

Note: You cannot remove the device if it is your last device.

1.12 Why and how can UTORMFA benefit individuals within the U of T community and the University as a whole?

The number and sophistication of cyber attacks continue to worsen. According to the IBM X-Force Threat Intelligence Index 2020 report, stolen or compromised credentials and cloud misconfigurations were the most common causes of a malicious breach for companies, representing nearly 40 per cent of malicious incidents. What’s more, 60 per cent of initial entries into victims' networks that were observed leveraged either previously stolen credentials or known software vulnerabilities.

Routinely, post-secondary institutions are targets of malicious phishing (i.e., impersonation emails, bogus job scams) and breaches to private data, including research. The addition of MFA will empower University of Toronto faculty, researchers, librarians and staff to better protect their work, research, data and identities.

Benefits include:

  • Extra security against weak/compromised passwords: In the event that an account(s) is compromised (i.e., hackers gain access to login credentials), UTORMFA will ensure attackers won’t be able to complete the second login step, preventing unauthorized access to account(s).
  • Protection against cyber-attack financial losses: According to IBM Security’s 2020 Cost of a Data Breach Report, data breach incidents cost companies $3.86 million per breach on average.
  • Potential for future technical innovations: Looking ahead, strengthening the University’s overall security posture will also result in more flexible implementations of new business processes and infrastructure solutions for the future.

Duo mobile app

2.1 Can we use any third-party mobile applications to generate a Duo passcode or a Duo push prompt?

The Duo Mobile app and Duo's service are designed to work together. Only the Duo Mobile app can be activated for use with Duo's cloud service (push, phone call, or generated passcode authentication to a Duo protected application or service). You can use Duo Mobile to replace other passcode-generating apps for third-party accounts, but can't use those other apps to replace Duo Mobile.

2.2 What data does the Duo Mobile App collect from my mobile phone?

iOS and Android phones: Smartphone model, Duo mobile app version, operating system version and screen lock type.

Android only: full disk encryption or not.

2.3 What permission(s) on my phone are required for the Duo Mobile App?

Information about this can be found on https://help.duo.com/s/article/4683?language=en_US

2.4 Is my phone compatible with Duo Mobile App?

Duo is compatible with iOS and Android.

2.5 How do I test if my Mobile App and account are set up properly?

Users can test if their Mobile App and UTORMFA accounts have been set up properly by logging in at https://sp.utorauth.utoronto.ca/idpz. If you get the UTORMFA login prompt and access the website successfully, your UTORMFA account and Mobile App have been set up successfully.

2.6 What are the numbers that appear in the Duo Mobile App? How do I use it?

The numbers are the one-time passcode, which is used to access UTORMFA protected services. When you try to access a UTORMFA protected service, you can authenticate either by Duo Push or by one-time passcode.

Click on “Enter a Passcode” and enter the one-time passcode in the highlighted field.

2.7 What should I do if I get spammed with push notifications?

Please contact the help desk listed on the Tri-Campus central help desk page. Please be careful not to approve a push unless you are logging in.

After enrolling yourself

3.1 What happens after I have enrolled for UTORMFA?

See the "Policy" tab.

3.2 Do I need to do anything with UTORMFA if I change my UTORid password?

No, you don’t need to do anything as long as your UTORid is not changed.

3.3 Will I be prompted for UTORMFA every time I try to log into a work application?

It depends on the policy of the application:

  • If you are connected to a U of T network (excluding Wi-Fi and VPN connections), and the application is listed as a standard policy application, you will not be prompted to authenticate with Duo and you can continue to access the application as usual
  • If you are not connected to a U of T network and the application is listed as a standard policy application, you will only be prompted to authenticate with Duo once every 24 hours, if you decide to trust the device that is accessing the U of T application. Additionally, if you have not enrolled yourself into Duo, you will not be prompted for MFA
  • If you are trying to access an enhanced policy application, you will be prompted to authenticate with Duo every single time that you are timed out. Additionally, if you are not enrolled in MFA, you will be denied access to the U of T application

Please look at the "Policy" tab for application categorization.

3.4 How do I remember a device for UTORMFA?

When you access a UTORMFA protected service, check the check box next to “Remember me for 1 day” before you log in. This will allow you to bypass UTORMFA on this device for one day.

October 19, 2020 -- Security Matters

Kim Wells has written a great article highlighting the benefits of UTORMFA over at the Security Matters blog.  Check it out now!

October 7, 2020 -- UTORMFA BINGO!

Ready to play BINGO, the U of T multi-factor authentication (MFA) version? Try this UTORMFA game for a chance to win a prize! Follow this link, and you will find your BINGO card.

Instructions:

  • Read each square.
  • If you’ve completed the task on a square, select it. Once you’ve completed a line, you’ll get BINGO.
  • Click the "Claim Prize!" button and fill in the email template that appears.

Prizes: Five winners from across the tri-campus will be selected at the end of the month. Each winner will be contacted via email and receive a $50 Amazon gift card.