Multi-Factor Authentication (MFA) for Students

Multi-Factor or Two-Factor Authentication (MFA or 2FA) adds a level of security by combining two or more methods of authentication when you log into an account, email and /or application. There are different applications that enable MFA or 2FA and The University of Winnipeg has selected Cisco DUO for UWinnipeg MFA. Initially, UWinnipeg will be implementing MFA on M365/email but more applications will be enabled in the coming months. When you log to your UWinnipeg M365 or email, you will be asked to verify your identity using a second factor (like your mobile device). This prevents others from accessing your email even if your password has been compromised.

Two-factor authentication adds an additional layer of authentication beyond a username and password. 2FA involves something you know (password) plus something you have with you (like Duo Mobile on your smartphone) to prevent someone from logging in with only your password. With Duo 2FA, you still enter your username and password. The second factor provided by Duo is simply an added layer of security on top of your existing credentials. We recommend using Duo Push via the Duo Mobile app to perform 2FA.

The Duo universal prompt is an interactive prompt that lets you choose how to verify your identity each time you log in to a web-based application.

When you select Other option a second screen will allow you to select a different verification method or you can select Manage devices at the bottom of the prompt to setup a new phone or other options that may be available. (Note: All options displayed may not be available.)

Passcodes are numeric codes that can be generated either via the Duo Mobile app, SMS (text message), or a hardware token, depending on what your IT administrator permits. Passcodes may be used at any time and are particularly handy for authenticating when your 2FA device doesn't have internet or cellular service.

A push authentication request that is sent to the Duo Mobile App on an enrolled device. Push notifications include information like the geographical location of the access device, IP address of the access device, and the application being accessed so you can verify whether the push is real or fraudulent.

1. Enter your username and password
2. Use your phone / other method* to verify your identity
3. You are securely logged in

Passwords are no longer enough to secure accounts. They are increasingly easy to compromise. Weak, reused or easy to guess passwords put your accounts at risk. Enabling MFA on an account adds a layer of protection, even if your password is compromised a hacker will not be able to gain access to your account and you will be notified that someone is trying to log in.

No. Having a smartphone makes for an easier and more secure experience with Duo Push. However, it is also possible to enroll a non-smartphone mobile device to receive SMS passcodes.

Duo Mobile is a mobile application (app) that you install on your smartphone or tablet to generate passcodes for login or receive push notifications for easy, one-tap authentication on your mobile device. It works with Duo Security’s two-factor authentication (2FA) service to make your logins more secure.

If you have a smartphone or tablet, we recommend Duo Push, as it is quick, easy-to-use, and secure. See an introduction to Duo Security and a demonstration of Duo Push in this short video: https://www.youtube.com/watch?v=_T_sJXnSM98

Duo Push authentication requests require a minimal amount of data -- less than 2KB per authentication. For example, you would only consume 1 megabyte (MB) of data if you were to authenticate 500 times in a given month.

Android: The current version of Duo Mobile supports Android 8 and greater. (More Information)

iOS: The current version of Duo Mobile supports iOS 12.0 and greater. (More Information)

Apple Watch: requires Duo Mobile 3.8 or later. (More Information)

Yes, DUO can be configured on several devices or multiple devices of the same type.

For Android: https://play.google.com/store/apps/details?id=com.duosecurity.duomobile&hl=en

For iOS: https://apps.apple.com/us/app/duo-mobile/id422663827

If you get a new cell phone, you will need to re-activate Duo Mobile. You may enroll your new device yourself using the device management portal. For instructions on how to enroll a new device, please refer to the How To Document “Activate a New Phone or Add a Security Key / Phone Number / Duo Mobile for Smartphone or Tablet”

If you no longer have access to your cell phone that was registered, you will need to contact the Technology Service Desk (servicedesk@uwinnipeg.ca  or 204.786.9149) for assistance.

Lost or stolen cell phones should be reported to the Technology Service Desk (servicedesk@uwinnipeg.ca or 204.786.9149) as soon as they are noticed missing so that an update can be made to Duo.

Duo Mobile App does not support OTP applications like Google Authenticator.

To get more detailed help with DUO check out Duo Help Center.

There are several reasons this could be happening. Please try the following to troubleshoot:

1. Make sure your enrolled device has a cellular network or WiFi connection.
2. Have the Duo Mobile app open when you authenticate.
3. Try these additional push troubleshooting steps:
   1. iPhone: https://help.duo.com/s/article/2051
   2. Android: https://help.duo.com/s/article/2050
4. If the above solutions don’t work, try using another authentication method, such as passcodes provided in the Duo Mobile app.

See this Duo Knowledge Base article for information on authenticating without cell or internet service: https://help.duo.com/s/article/4449

Learn more about managing your devices using the universal prompt here: https://guide.duo.com/manage-devices. 

• Add or manage devices after enrollment
• Add another device
• Rename or remove a device
• Reactivate Duo Mobile on an existing device

No. Your password is only verified by your organization and never sent to Duo. Duo provides only the second factor, using your enrolled device to verify it’s actually you who is logging in.

No. The Duo Mobile app has no access to change settings or remotely wipe your phone. The visibility Duo Mobile requires is to verify the security of your device, such as OS version, device encryption status, screen lock, etc. We use this to help recommend security improvements to your device. You always are in control of whether or not you act on these recommendations.

Please refer to the Duo Information: https://help.duo.com/s/article/3814?language=en_US

Go to https://outlook.office.com to access your email.

Please refer to Duo's  Privacy Data Sheet.

Assume that someone is trying to illegally access your account. 

• Choose "Deny" in the Duo app to block the request then call the Technology Service Desk at 204.786.9149 and report the attempted login!

I receive the following error when I try to log in.

Make sure that when logging into your student email at the Microsoft prompt that you type in username@webmail.uwinnipeg.ca.

And then again at the following prompt: username@webmail.uwinnipeg.ca