UTORMFA FAQs

You can simply select the device you want to authenticate with during the authentication process. Select the drop-down list next to “Device”

UTORMFA is mandatory for staff, faculty, librarians and students at UofT.

The eToken service is migrating to UTORMFA. New eTokens will no longer be issued as of November 27, 2021. eToken users will be able to continue to use their eTokens until Winter 2022 but we recommend that eToken users begin to use UTORMFA as soon as it is available. Learn more about the eToken migration project.

A hardware token is available. Please contact the Tri-Campus central help desk with your request and receive approval for the cost you’re your department/division. St. George Campus (ICHD): https://onesearch.library.utoronto.ca/ic/utormfa-hardware-token The hardware token generates a passcode. i.e.

See the Tri-Campus central help desk support page.

Look at the “Policy” tab as applications are broken down into enhanced policy and standard policy.

When you access UTORMFA protected service, you can click on “Enter a Passcode”

By default, there are two UTORMFA authentication methods available: Duo Push and Passcode. You’ll be able to select one of the two methods on the UTORMFA login page.

Yes, you can. Log into the device management portal (https://enroll.utormfa.utoronto.ca/) to add a new UTORMFA device.

If you are using the same number, then log into the Device Management Portal. From there, you will see a screen that asks you to either “send me a push” or “enter a passcode” to authenticate yourself. Choose one of the two options. After authenticating yourself, you can select “Device Options” next to the device you want to recover.

If the device you lost is the only registered UTORMFA device, then contact the UTORMFA helpdesk on your campus to get a bypass code. Log into the Device Management Portal, click on “Device Options” next to the device you want to remove, then click on the “trash” button to remove your device.

The amount and sophistication of cyber attacks continues to worsen. According to the IBM X-Force Threat Intelligence Index 2020 report, stolen or compromised credentials and cloud misconfigurations were the most common causes of a malicious breach for companies, representing nearly 40 per cent of malicious incidents. What’s more, 60 per cent of initial entries into victims’ networks that were observed leveraged either previously stolen credentials or known software vulnerabilities. Routinely, post-secondary institutions are targets of malicious phishing (i.e., impersonation emails, bogus job scams) and breaches to private data, including research. The addition of MFA will empower University of Toronto faculty, researchers, librarians and staff to better protect their work, research, data and identities. Benefits include:

• Extra security against weak/compromised passwords: In the event that an account(s) is compromised (i.e., hackers gain access to login credentials), UTORMFA will ensure attackers won’t be able to complete the second login step, preventing unauthorized access to account(s).
• Protection against cyber-attack financial losses: According to IBM Security’s 2020 Cost of a Data Breach Report, data breach incidents cost companies $3.86 million per breach on average.
• Potential for future technical innovations: Looking ahead, strengthening the University’s overall security posture will also result in more flexible implementations of new business processes and infrastructure solutions for the future.

The Help Desk (links are on the “Support” tab above) is able to issue a one-time use bypass code.  This code will allow you to log into your applications.  Use the “remember me” feature to make sure that your session with UTORMFA will last for 24 hours.

No, you should set aside 10 minutes to go through the entire process at once. If you stop half way through, you will need to call the Help Desk to finish.

Safari (on MacOS and iOS) has a privacy feature enabled by default that prevents Duo’s “remember me” feature from being used. You can enable this feature by doing the following steps:
Safari:

1. Go to Safari -> Preferences.
2. Click the Privacy tab.
3. Disable the “Block All Cookies” and “Prevent cross-site scripting” options.

iPhone:

1. Open the Settings application and navigate to “Safari -> Privacy & Security”.
2. Disable the “Block All Cookies” and “Prevent cross-site scripting” options.

The “remember me” box will be greyed out when you have your UTORMFA account configured to automatically send you a push notification. This can be turned off in the settings by visiting https://enroll.utormfa.utoronto.ca/ and setting your default.

The Duo Mobile app and Duo’s service are designed to work together. Only the Duo Mobile app can be activated for use with Duo’s cloud service (push, phone call, or generated passcode authentication to a Duo protected application or service). You can use Duo Mobile to replace other pass-code generating apps for third-party accounts, but can’t use those other apps to replace Duo Mobile.

iOS and Android phones: Smartphone model, Duo mobile app version, operating system version and screen lock type. Android only: full disk encryption or not.

Information about this can be found on https://help.duo.com/s/article/4683?language=en_US

Duo is compatible on iOS and Android.

• Information on iOS compatibility: https://help.duo.com/s/article/1871?language=en_US
• Information on Android compatibility: https://help.duo.com/s/article/1872?language=en_US

Users can test if their Mobile App and UTORMFA accounts have been set up properly by logging in: https://can.login.utoronto.ca/. If you get UTORMFA login prompt and access the website successfully, your UTORMFA account and Mobile App have been set up successfully.

The numbers are the one-time passcode, it is used to access UTORMFA protected services. When you try to access a UTORMFA protected service, you can either authenticate by Duo Push or one-time passcode.

Please contact help desk listed in the Tri-Campus central help desk page. Please be careful not to push unless you are logging in.

The bypass code service enables UTORMFA users to generate 10 codes that enable them to login if their mobile device is unavailable.

You should generate bypass codes as soon as possible. Codes cannot be generated after a device is lost or stolen. They must be generated when your mobile device is in your possession.

Print out or write down bypass codes and store them in a safe place. Do not save the codes on your computer.

Visit http://bypass.utormfa.utoronto.ca to generate bypass codes.

See the “Policy” tab.

No, you don’t need to do anything as long as your UTORid is not changed.

It depends on the policy of the application:

• If you are connected to a U of T network (excluding Wi-Fi and VPN connections), and the application is listed as a standard policy application, you will not be prompted to authenticate with Duo and you can continue to access the application as usual
• If you are not connected to a U of T network and the application is listed as a standard policy application, you will only be prompted to authenticate with Duo once every 24 hours, if you decide to trust the device that is accessing the U of T application. Additionally, if you have not enrolled yourself into Duo, you will not be prompted for MFA
• If you are trying to access an enhanced policy application, you will be prompted to authenticate with Duo every single time that you are timed out. Additionally, if you are not enrolled in MFA, you will be denied access to the U of T application

Please look at the “Policy” tab for application categorization.

When you access a UTORMFA protected service, check the check box next to “Remember me for 1 day” before you log in. This will allow you to bypass UTORMFA on this device for one day.

Yes, all students are required to use UTORMFA.

Students are given 14 days from the conversion of their JOINid to UTORid to sign up for UTORMFA. After this period, students will not be able to log in to any services until they have completed the UTORMFA enrolment process.

If you do not have a compatible mobile phone, you can request a hardware token: https://onesearch.library.utoronto.ca/ic/utormfa-hardware-token

It is recommended that you set up your bypass codes immediately after enrolling in UTORMFA. You can do this at the bypass codes website: https://bypass.utormfa.utoronto.ca/
These can be stored in your wallet and be used if your phone is not available. If you do not have your bypass codes or your phone, please contact the Tri-campus Help Desk for assistance.

Bypass codes provide a simple alternative to your phone in situations where your phone is not permitted. It is also being communicated to faculty and instructors that procedures may need to change in order to accommodate the need for MFA during an exam or assessment.

Yes, the MFA solution provided by U of T does not depend on your phone number and will work internationally.

UTORMFA will remain active for one session plus one month after their last registered session. At this point, their UTORMFA account will be disabled.