Topics Map > University of Chicago > IT Services > Accounts, Identity, & Security
2Factor Authentication (2FA) - FAQ
This article explains answers to a set of frequently asked questions regarding 2Factor Authentication, including common issues that users of 2FA may encounter.
No. 2FA will only affect Shibboleth-protected sites.
Shibboleth is internationally-used software that provides a way to pass on your authentication from one site to another using Single Sign-On. At the University of Chicago, this allows you to log on to one University site with your CNetID and password, and then not need to use your password to sign on to other University sites because your credentials are passed to those sites by Shibboleth. Please note that in order to truly logout of a University site that uses Shibboleth authentication, you must quit your browser entirely. See the article Shibboleth Authentication Overview for more information.
Duo is a mobile application used by the University of Chicago to facilitate 2FA. Using Duo, users can approve or deny log in requests, either through the app itself and via push notifications sent by the app. If a user is not connected to the Internet, he or she can also generate passcodes that can be used for log in. Duo Mobile is available for iOS devices on the App Store and for Android devices on Google Play; it is also available as an app on the Blackberry and Windows platforms.
You may allow 2FA to last for 30 days by selecting the "Remember this device for 30 days" option near the bottom of the Two-Factor Authentication screen, which appears after you have logged in using your CNetID and password.
Choosing the "Remember this device for 30 days" option means that after authenticating via 2FA only once, you will be able to access all University sites that are Shibboleth-enabled without having to authenticate again through 2FA for 30 days.
A list of the most widely-used sites that use Shibboleth may be found here.
Visit 2FA.uchicago.edu and click on Manage Devices. Register your new phone, tablet, desk phone or token.
Contact the IT Services Service Desk immediately if you lose your phone or suspect that it's been stolen. The Service Desk person will disable it for 2FA and help you log in using another phone or hardware token. While it's important that you contact ITS Service Desk if you lose your phone, remember that your password will still protect your account. For more detailed instructions, see the article Lost/Broken/Replacement Device Procedure.
If you are replacing your cell phone and neither changing operating systems nor changing phone numbers, in order to activate Duo go to the 2FA website, select Go to 2Factor (Register and Manage Devices) option from the left hand panel, log in, and find your phone number in the list of registered devices. Select the Re-Activate button next to your number. You should then be asked to download the DUO app from the App Store or Google Play; if you have already downloaded the app, there is an option you can check at the bottom of the page. You will then launch the app on your device and use the in-app camera to scan the barcode that appears on the screen. If you are getting a new device with either a different operating system or a different phone number than your old device, from the Manage Devices page you should instead Remove your old device and add your new device as if you were adding a device for the first time. A guide to doing this is available here: Downloading the App and Enrolling a Smartphone. For more information on replacing your device, see the article Lost/Broken/Replacement Device Procedure.
Sure! You may choose to opt-out of 2FA at any time. Visit 2FA.uchicago.edu and remove all of your registered devices.
Yes! In fact, we strongly encourage you to register multiple devices. Register your mobile phone, your landlines, and your tablet.
I disabled push notifications for Duo on my phone (iOS) and want to re-allow them. How do I re-enable push notifications?
To re-enable or re-allow push notifications on your iPhone if you have disabled them, go into Settings and select Notification Center. From there you can re-enable the push notifications for the application. For more detailed instructions, see the article Re-Enabling 2FA Push Notifications for the iPhone.
You may choose to have a set of 10 passcodes sent to your registered smartphone from the Manage Devices screen from the 2FA website: http://2FA.uchicago.edu. Simply find your smartphone from the list of your registered phones and click on the Text Passcodes button. A list of 10 one-time-use passcodes will be sent to your phone via text. To use one of the one-time passcodes, select Passcode at the Duo Prompt screen and click Log in to continue. It is important that you keep track of which codes you use; the passcode will be invalidated after you enter it. You can print out the list of passcodes to keep in a secure location for your use anytime you don't have access to your regular devices. For more detailed instructions, see Using Passcodes Without Phone Data Connection.
Yes. After selecting the Duo app on your smartphone, select the Duo key icon in the upper right-hand corner of the screen to generate a passcode. Generating passcodes does not send any kind of message or use data and you can generate passcodes even when you are not connected to a network. Using DUO to generate passcodes will not incur any data or text message costs. More information is provided on the page Using Passcodes Without Phone Data Connection.
I'm going to be traveling and won't have reliable cellular network access. Can I still use 2FA if I don't have network access via my phone?
Yes. You can click on the key on the upper right-hand side of the screen in DUO on the iOS and Android or the Generate Passcode button on Microsoft OS devices to generate a numeric passcode that you can use even if your phone does not have any network connection. Alternatively, you can use the 2FA text passcodes feature (for more information, see question above "How does the 2FA text passcode service work?") to generate a list of single-use passcodes that you can use if you won't have any access to your phone at all.
Yes! Additionally, if you suspect your account or password has been compromised, you should report it to security immediately.
Yes - you could become SilverAssured! Silver Assurance functions similarly to 2FA in that it helps to verify that you are you, but it uses standards and processes different from those used by 2FA to make that determination. 2FA is a user-based security measure in that it verifies that you, a user, are the person you say you are based on a combination of information only you could provide (your University credentials + a passcode, for example). By contrast, InCommon Silver is institutionally and user-based. Not only do you have to prove you are you (by, for example, registering in person for Silver Assurance at the Identity and Privileges Office on campus), your institution must also demonstrate that it strives to meet best practices for electronic security and identity-management.
You may read more about SilverAssurance and how to obtain in the InCommon Silver FAQ.
A hardware token is a physical device that generates a numeric passcode. You can use the passcode to log in on the 2FA prompt. They are available from the ID & Privileges Office at Regenstein Library for $30.
No, alumni who are not also current students, staff, or faculty are not eligible to use 2FA.