UTORMFA

To protect your University of Toronto accounts from compromise, please enrol in the Multi-Factor Authentication (MFA) service. Some services already require MFA in order to protect confidentiality, and increasingly it will become a requirement for routine access to your account. This protects your personal information, and the institutional data to which you have access.

What is MFA? It is a process that protects your account by requiring two identity factors to successfully log in. You have very likely already used some form of MFA (also called 2FA), such as when a company sends an SMS to your phone containing a one-time code that you enter to gain access to a service. This protects your account because a successful log in requires both the correct username + password and a positive response to the authentication request sent to your personal device (phone or tablet).

Duo logo

U of T has selected the Duo service to deliver this functionality. For most people, the most convenient option is to use your personal mobile phone with the Duo app installed. If you don’t have a mobile phone, or don’t want to use it as a Duo approval device, you can request a dedicated hardware token that you will carry with you any time you need access to your UofT account.

To begin, visit this site and click on Self-Enrollment:
https://uoft.me/mfa

You will start by installing the Duo Mobile app on your device. Please make sure you fully complete the process, about 10 minutes. Starting and abandoning enrollment could leave your account in an inaccessible state.
iPhone Apple App Store https://apps.apple.com/ca/app/duo-mobile/id422663827
Android Google Play Store https://play.google.com/store/apps/details?id=com.duosecurity.duomobile

Your phone number is used only to identify the device and is not shared or otherwise used. At the end of the process, we recommend selecting the Push option: “When I log in: Automatically send this device a Duo Push”

Before you lose your phone…

Once Duo Mobile is set up on your mobile device, there are two important steps to take to make sure you can always access your U of T account.

Generate bypass codes that you can use for a one-time log in if you don’t have your device with you:
https://bypass.utormfa.utoronto.ca/

Enable Duo Restore so you can easily recover your profile when you replace your device.
iPhone/iPad: https://guide.duo.com/duo-restore#ios
Android: https://guide.duo.com/duo-restore#android

QUESTIONS?

How does it work?

  • If you want to access a service such as Quercus or webmail from your home computer, you will begin log in with your UTORid + password as usual. In a few seconds your phone will receive a push notification that someone wants to log in to your account. Pick up your phone and approve the request and you’re in.

Will I always need to use my phone to log in?

  • Not always; it depends on where you are and what you are accessing. Successful authentications will be cached for some time so you don’t need to keep reauthorizing. However it is safer to assume that you need your phone handy any time you need to access UTORid-based services.

What kind of device do I need?

  • Any Android phone or tablet running Android version 8 or above, any Apple iPhone or iPad running iOS/iPadOS 12 or above. Please contact us if you don’t have a compatible device or don’t want to use your personal phone for this purpose.

What if I lose or change my mobile phone?

  • You can register more than one device in Duo, such as a phone and a tablet, and either one can be used to approve logins. We recommend enrolling more than one device if you can.
  • In the event that you are separated from your device, you may use one-time bypass codes to log in. But, you must first generate a set of codes and save them in an accessible place. We strongly recommend you do this after you enrol in Duo.
  • It is important that your Duo settings get correctly migrated when you change devices. This means you need to configure the Duo Restore to save its settings to your phone’s cloud account.

Does Duo replace eToken for staff access to AMS/ROSI?

  • No. It may in the future, but for now these systems remain separate.

Does the Duo logo look a lot like the GO Transit logo?

  • Yes. Yes it does.