Duo - General Recommendations and Authentications Methods

Body

Purpose

This article provides a comparison of the various Multi-Factor Authentication (MFA) methods supported by UH Login to help you determine which method best suits your devices and access needs. For more information about UH Login and Multi-Factor Authentication (MFA), go to UH Login Multi-Factor Authentication (MFA) Website (link), or go to Duo - How to Add a Device (link) if you are ready to get started.

Authentication Methods Overview
General Recommendations
Duo Push via the Duo Mobile App
Duo Passcode via the Duo Mobile App
Phone Call
SMS Passcode
YubiKey Hard Token

Authentication Methods Overview

UH Login supports the following MFA methods:

Duo Push, using the Duo Mobile app on a mobile device (smartphone or tablet)
Duo Passcode, using the Duo Mobile app on a mobile device (smartphone or tablet)
Phone Call, using either a mobile phone or landline
SMS Passcode, using a mobile phone that supports SMS (text messaging)
YubiKey Hard Token, which is inserted into your computer's USB port

Review the following table for more information on the requirements for each method, and whether or not the method can be used when completely offline (no Internet or telephone service).

Method	Requires a Smartphone (Duo Mobile App)	Requires Internet Access (Mobile Data or WiFi)	Requires Telephony (Mobile Network or Landline)	Can be Used Offline
Duo Push	Yes	Yes	No	No
Duo Passcode	Yes	No	No	Yes
Phone Call	No	No	Yes	No
SMS Passcode	No	No	Yes	No
YubiKey Hard Token	No	No	No	Yes

Default Device Selection Behavior

If you pick a different authentication method, Duo will remember what you last used and will use that method by default the next time you are presented with the Duo prompt.

The first time you login, Duo will automatically send a Duo request to what they deem the most secure authentication method you have configured for your account. Listed below are the most to least secure methods of authentication as published by Duo:

Duo Mobile push approval
YubiKey passcodes
Duo Mobile generated passcodes
Non-Yubikey Hardware token passcodes
SMS passcodes
Phone call approval

For example, if you have a Duo Push device setup, the Duo UP will automatically send a push to that device. You may click on the Other options link to see your other options.

General Recommendations

Use the Duo Mobile app

It is highly recommended to setup and use the Duo Mobile app if you have access to a smartphone or tablet. The Duo Mobile app allows you to authenticate via push notifications if you have access to mobile data or WiFi. The Duo Mobile app also allows you to generate and use passcodes even if you find yourself completely offline!

Add multiple devices

It is recommended to add an additional device. Should your primary authentication device be lost or stolen, you may find yourself unable to login.

Duo Push via the Duo Mobile App

If you have a supported mobile device, Duo Push is the recommended method. As long as your mobile device has mobile network or Wi-Fi service, authentication requests can be pushed to your device via the Duo Mobile app.

You can download the Duo Mobile app to an iOS or Android device that meets the minimum requirements:

iOS: Please see Duo Guide for iOS (link) for the supported version of iOS.
Android: Please see Duo Guide for Android (link) for the supported version of Android.

Once you have downloaded the Duo Mobile app and registered your mobile device, authentication requests will be "pushed" to your device through the Duo Mobile app. You would then open the app and tap on Approve or Deny to approve or deny the authentication request.

Duo Passcode via the Duo Mobile App

The Duo Mobile app can be used to generate a passcode that can be used to login. Passcodes can be generated without requiring internet access, and can be used even if your mobile device is in airplane mode or otherwise not connected to a Wi-Fi or mobile network with internet access. This is a great option to use when working in areas where access to the internet might not be guaranteed.

Phone Call

You can opt to authenticate via a phone call to a landline or mobile phone. When it is time to authenticate, you will receive a call on your registered phone number. You would then press 1 on your phone's keypad to approve the authentication, or press 9 to deny the authentication request.

SMS Passcode

If you do not have a smartphone, but you have a mobile phone with SMS/text messaging capabilities, you can use an SMS passcode to authenticate. When requested, one (1) passcode will be sent to your phone as a SMS text message. Once an SMS passcode is received, the passcode can be saved and used even if your mobile device is no longer connected to a mobile network.

YubiKey Hard Token

A hard token (sometimes called an authentication or security token) is a hardware security device that is used to authorize a user. UH provides YubiKey hard tokens for purchase. The UH hard token is a USB device and must be inserted into your USB port to be used. You would then touch the hard token anytime you wanted to authenticate.

If you do not have an available USB port, you cannot authenticate with the UH hard token. Hard tokens are not recommended and should be purchased only if you cannot use any of the other above means for authenticating.