Topics Map > University of Chicago > IT Services > Accounts, Identity, & Security

2Factor Authentication (2FA) - FAQ

This article explains answers to a set of frequently asked questions regarding 2Factor Authentication, including common issues that users of 2FA may encounter.

Will 2FA affect all the applications I can access?

What is Shibboleth?

What is Duo?

How long does 2FA last?

How do I add a new device?

What if I lose my phone?

I replaced my cell phone. How do I activate 2FA on my new phone?

Can I opt out of 2FA?

Can I use multiple devices with 2FA?

I disabled push notifications for Duo on my phone and want to receive them again. How do I re-enable push notifications?

How do 2FA text passcodes work?

Can I use Duo without incurring any data or text message costs?

I will be traveling and won't have reliable cellular network access. Can I still use 2FA if I don't have network access via my phone?

Do I need to still change my password regularly if I use 2FA?

Is there more I can do to secure my account?

What is a hardware token, how much does it cost, and where can I get one?

My hardware token stopped working.

Are alumni eligible to use 2FA?

What if I have other questions or issues?


Will 2FA affect all the applications I can access?

No. 2FA will only affect Shibboleth-protected sites.

What is Shibboleth?

Shibboleth is internationally-used software that provides a way to pass on your authentication from one site to another using Single Sign-On. At the University of Chicago, this allows you to log on to one University site with your CNetID and password, and then not need to use your password to sign on to other university sites because your credentials are passed to those sites by Shibboleth. Please note that in order to truly log out of a university site that uses Shibboleth authentication, you must quit your browser entirely. See the article Shibboleth Authentication Overview for more information.

What is Duo?

Duo is a mobile application used by the University of Chicago to facilitate 2FA. Using Duo, users can approve or deny log in requests, either through the app itself and via push notifications sent by the app. If a user is not connected to the Internet, he or she can also generate passcodes that can be used to log in. Duo Mobile is available for iOS devices on the App Store and for Android devices on Google Play; it is also available as an app on the Blackberry and Windows platforms.

How long does 2FA last?

After you have logged in using your CNetID and password, you may allow 2FA to last for 30 days by selecting the Remember this device for 30 days option near the bottom of the Two-Factor Authentication screen.

Choosing the Remember this device for 30 days option means that after authenticating via 2FA only once, you will be able to access all Shibboleth-enabled university sites without having to authenticate again through 2FA for 30 days.

A list of the most widely-used sites that use Shibboleth can be found in the article 2Factor Authentication (2FA) - Top UChicago University Sites Using Shibboleth.

How do I add a new device?

Visit the 2Factor Authentication website click Manage Devices. Register your new phone, tablet, desk phone or token.

What if I lose my phone?

Contact the IT Services Service Desk immediately if you lose your phone or suspect that it's been stolen. The Service Desk person will disable it for 2FA and help you log in using another phone or hardware token. While it's important that you contact ITS Service Desk if you lose your phone, remember that your password will still protect your account. For more detailed instructions, see the article Lost/Broken/Replacement Device Procedure.

I replaced my cell phone. How do I activate 2FA on my new phone?

You can activate 2FA on your new device using one of the following methods, depending on your particular situation.

I am replacing my cell phone, but not changing operating systems or phone numbers.

  1. Go to the 2Factor Authentication website and click Go to 2Factor (Register and Manage Devices) from the left panel.
  2. Log in, and find your phone number in the list of registered devices. Select Re-Activate next to your number.
  3. A prompt will ask you to download the Duo app from the App Store or Google Play
    If you have already downloaded the app, select the checkbox at the bottom of the page.
  4. Launch the app on your device. Use the in-app camera to scan the barcode that appears on your computer monitor.

I am getting a new device with either a different operating system or a different phone number than my old device.

  1. Go to the 2Factor Authentication website and click Go to 2Factor (Register and Manage Devices) from the left panel.
  2. Click Remove to remove your old device from 2FA.
  3. Add your new device as if you were adding a device for the first time. A guide to doing this is available in the article Downloading the App and Enrolling a Smartphone.

For more information on replacing your device, see the article Lost/Broken/Replacement Device Procedure.

Can I opt out of 2FA?

Yes. You may opt out of 2FA at any time. Visit the 2Factor Authentication website and remove all of your registered devices.

Can I use multiple devices with 2FA?

Yes. In fact, we strongly encourage you to register multiple devices. Register your mobile phone, your landlines, and your tablet.

I disabled push notifications for Duo on my phone (iOS) and want to receive them again. How do I re-enable push notifications?

To re-enable push notifications on your iPhone if you have disabled them, go into Settings on your phone and select Notification Center. From there, you can re-enable push notifications for the application. For more detailed instructions, see the article Re-Enabling 2FA Push Notifications for the iPhone.

How does the 2FA text passcodes service work?

You may choose to have a set of ten passcodes sent to your registered smartphone from the Manage Devices screen from the 2FA website: http://2FA.uchicago.edu. Simply find your smartphone from the list of your registered phones and click Text Passcodes. A list of ten one-time-use passcodes will be sent to your phone via text. To use one of the one-time passcodes, click Passcode at the Duo Prompt screen and click Log in to continue. It is important that you keep track of which codes you use; each passcode will be invalidated after you one use. You can print out the list of passcodes to keep in a secure location for your use any time you don't have access to your regular devices. For more detailed instructions, see Using Passcodes Without a Phone Data Connection.

Can I use Duo without incurring any data or text message costs?

Yes. After selecting the Duo app on your smartphone, select the Duo key icon in the upper right corner of the screen to generate a passcode. Generating passcodes does not send any kind of message, use data, or incur any data or text message costs. You can generate passcodes even when you are not connected to a network. More information is provided in the article Using Passcodes Without Phone Data Connection.

I will be traveling and won't have reliable cellular network access. Can I still use 2FA if I don't have network access via my phone?

Yes. You can click the key icon on the upper right side of the screen in Duo on the iOS and Android, or the Generate Passcode button on Microsoft OS devices to generate a numeric passcode that you can use even if your phone does not have any network connection. Alternatively, you can use the 2FA text passcodes feature. For more information, see How do 2FA text passcodes work? to learn how to generate a list of single-use passcodes that you can use if you won't have any access to your phone at all.

Do I still need to change my password regularly if I use 2FA?

While you must either use 2FA or change your password regularly, your security will be enhanced by doing both. Additionally, if you suspect your account or password has been compromised, you should report it to security immediately.

Is there more I can do to secure my account?

Yes, you can become SilverAssured! Silver Assurance functions similarly to 2FA in that it helps to verify your identity, but it uses standards and processes different from those used by 2FA to make that determination. 2FA is a user-based security measure in that it verifies that you, a user, are the person you say you are based on a combination of information only you could provide, such as your CNet credentials and a passcode. By contrast, InCommon Silver is institutionally and user-based. Not only do you have to prove you are you by, for example, registering in person for Silver Assurance at the Identity and Privileges Office on campus, your institution must also demonstrate that it strives to meet best practices for electronic security and identity management.

You may read more about SilverAssurance and how to obtain it in the InCommon Silver FAQ.

What is a hardware token, how much does it cost, and where can I get one?

A hardware token is a physical device that generates a numeric passcode. You can use the passcode to log in at the 2FA prompt. They are available from the ID & Privileges Office at Regenstein Library for $30.

My hardware token stopped working.

Contact the IT Services Service Desk or visit the TECHB@R if your token stops working or if you can't log in with the passcodes it generates.

Are alumni eligible to use 2FA?

No, alumni who are not also current students, staff, or faculty are not eligible to use 2FA.

What if I have other questions and issues?

Search our Knowledge Base for answers, or contact the ITS Service Desk with any other issues.

See Also




Keywords:lost_phone, hardware, token, shibb, shibboleth, passcode, silverassured   Doc ID:40955
Owner:Astrid F.Group:University of Chicago
Created:2014-06-09 15:18 CDTUpdated:2017-03-27 12:55 CDT
Sites:University of Chicago, University of Chicago - Sandbox
Feedback:  2   2