UH Login Multi-Factor Authentication (MFA) - Logging in with MFA

This article explains how to login through the UH Login page using the different MFA methods. Please note that ITS strongly recommends that you setup at least two devices for MFA.

*As of December 30, 2023, the traditional Duo prompt has been replaced with the Duo Universal Prompt (UP).

New Default Device Behavior

The Duo Universal Prompt (UP) does not allow you to set a default device like the traditional Duo prompt allowed.  The first time you login after the December 30 update, Duo will automatically send a Duo request to what they deem the most secure authentication method you have configured for your account.  Listed below are the most to least secure methods of authentication as published by Duo:

  • Duo Mobile push approval
  • YubiKey passcodes
  • Duo Mobile generated passcodes
  • Non-Yubikey Hardware token passcodes
  • SMS passcodes
  • Phone call approval

For example, if you have a Duo Push device setup, the Duo UP will automatically send a push to that device.  You may click on the Other options link to see your other options:

If you pick a different authentication method, Duo will remember what you last used and will use that method by default the next time you are presented with the Duo UP.

 

New "Remember me" behavior

With the Duo UP, there is no longer a "Remember me for 7 days" checkbox.  Instead, the first time you login under the Duo UP, you will see the following screen after authenticating:

  • If you click on the "Yes, this is my device" choice, you will not be prompted again to authenticate with Duo for 7 days (equivalent to checking the "Remember me for 7 days" checkbox)
    • On your next login after the 7 days has passed, you will be presented with the Duo UP, but will not be presented with the "Yes, this is my device/No, other people use this device" choice. Instead, from this time on, there will be a "Remember me" checkbox that should be checked (equivalent to checking the “Remember me for 7 days” checkbox).


       
    • Should you clear your browser’s cookies/cache, you will be presented with the “Yes, this is my device/No, other people use this device” choice again.
  • If you click on "No, other people use this device", you will not be asked this question again for 7 days (unless the browser's cookies/cache are cleared), and will be presented with Duo each time you login (equivalent to NOT checking the "Remember me for 7 days” checkbox).
  • If you clicked on the "No, other people use this device" choice accidentally, but you had actually wanted to remember their device, the only way to get Duo to prompt "Yes, this is my device" again is to either a) wait 7 days, or b) clear browser's cookies/cache. For instructions to clear your browser’s cookies/cache, please visit https://hawaii.edu/askus/1801.

There is more information on the new "Remember me" behavior at: https://guide.duo.com/universal-prompt#remembered-devices.

Available MFA methods

The following are the different MFA methods that are available:

 

Duo Push (smartphone, tablet)

If you have a Duo Push device setup, the Duo UP will default to automatically sending you a push.  You will be presented with the following screen after entering your UH username and password:

A notification will appear on your Duo Push device:

  • iOS: Press and hold on the notification, then tap on Approve to approve or Deny if it is a fraudulent request. You may have to unlock your device.
  • Android: Tap on Notifications. You may have to unlock your phone. Tap on Approve to approve or Deny if it is a fraudulent request.

Optionally, and if it appears, click on the Yes this is my device option if you are using your own computer. This will prevent the Duo UP from prompting again for 7 days. See the New “Remember Me” behavior section for more information.

Unless clicking “Other options” and selecting a different authentication method, Duo UP will automatically push future authentication requests to your Duo Push device. See the New Default Device behavior section for more information.

For further information on the Duo Mobile app, please refer to Duo's guides:

iPhone: https://guide.duo.com/iphone
Android: https://guide.duo.com/android

Phone call (mobile phone)

Note: if you have a Duo Push device setup, you will first have to click on Other options before you can use the phone call method.
 


If you have a mobile phone device that does not have Duo Push setup, you will see the following screen. Click on the Call phone button.

A phone call will be placed to your mobile phone. Answer the call, then press 1 on the mobile phone's keypad to approve or press 9 to report a fraudulent request.

Optionally, and if it appears, click on the Yes this is my device option if you are using your own computer. This will prevent the Duo UP from prompting again for 7 days.

SMS text codes (mobile phone)

To select SMS text codes the first time you login under the UP, you will need to click on Other options:

Then, click on Text message passcode.

A passcode will be automatically sent to your phone.  Enter this passcode and click on Verify.

Optionally, and if it appears, click on the Yes this is my device option if you are using your own computer.  This will prevent the Duo UP from prompting again for 7 days.

If it is not the first time you are using SMS passcodes, the following screen will appear instead. Click on Send a passcode.

A passcode will be automatically sent to your phone.  Enter this passcode and click on Verify.

Duo App-generated codes (smartphone, tablet)

The Duo App will generate codes that will allow you to login, even if your smartphone or tablet does not have wifi or cellular data service.

At the Duo Push screen, click on Other options.

Click on Duo Mobile passcode.

Open the Duo Mobile app on your phone or tablet.  If needed, expand the "University of Hawaii" section so that the (6 digit) code is displayed:

Enter the displayed code into the Passcode box, and click Verify.

Optionally, and if it appears, click on the Yes this is my device option if you are using your own computer. This will prevent the Duo UP from prompting again for 7 days.

Landline

If you had last logged in with a different method, you may have to click on Other options.

Then select Phone call (Call "Landline" option):

If you have a landline setup on your Duo account, or if Landline was your last used authentication method, you will see the below screen. Click on Call phone.

 


A phone call will be placed to your designated landline phone. Answer the call, then press 1 on the Landline's keypad to approve or press 9 to report a fraudulent request.

Optionally, and if it appears, click on the Yes this is my device option if you are using your own computer. This will prevent the Duo UP from prompting again for 7 days.

UH Hard Token

The UH hard token is a usb device that you would insert into your computer's usb port. You would then "touch" a specific area of the hard token to authenticate. UH hard tokens can be purchased through the ITS Site License office.  Please visit www.hawaii.edu/sitelic/tokens. Both USB A and USB C hard tokens are available.

To authenticate using a hard token, follow these steps:

  1. Insert the hard token into your computer's USB port prior to any login attempts. Note for macOS users: the first time you insert a hard token into a Mac, you may be told, "Your keyboard is unrecognizable" or "Your keyboard cannot be identified". This message can be ignored; close the window by clicking on the red dot in the upper left.
     
  2. If it is the first time you are trying to authenticate using a hard token, you will need to click on Other options when you get to the Duo MFA window.


     
  3.  At the next screen, click on Yubikey passcode.


  4.  You will see the following screen.


  5. Click within the Passcode box so that there is a cursor blinking in the box.  Press down on the token's gold area with any finger (see below for where to press).

     
  6. USB A hard token USB C hard token
    USB A Hard Token  USB C Hard Token

  7. A (long) code will automatically be entered into the box, and the "Verify" button will automatically be pressed, and you should now be logged in.

  8. Optionally, and if it appears, click on the Yes this is my device option if you are using your own computer. This will prevent the Duo UP from prompting again for 7 days.

 

This article is part of the Getting setup for Multi-Factor Authentication (MFA) article.
Please rate the quality of this answer: Poor Fair Okay Good Excellent
Not the answer you were looking for? Try different keyword combinations and if you still can’t find your answer, please contact us.
Article ID: 1765
Created: Wed, 14 Mar 2018 1:54pm
Modified: Tue, 26 Mar 2024 10:31am