Frequently Asked Questions

Using MFA

Why did Western choose Duo authenticator?

The Duo authenticator is a service that allows for a second factor authentication to be prompted for our users when using a username and a password on Western services that require MFA. These services include Office 365 as well as a number of other Western services that other authenticators do not support.

The Duo authenticator is part of a larger organization known as Cisco Systems. Western has engaged in a long-term agreement with Cisco Systems for a variety of network services and the 2FA application falls within the context of that contract.

Duo is a feature-rich and industry standard technology used across North American Higher Education and private sectors. Other authenticators do not have the same abilities and cross compatibility that Duo provides.

How does the MFA Process Work?

Overall, the MFA process is straightforward and largely inobtrusive. Typically, the MFA process would include the login to your system as usual with an extra step in the form of acknowledging that access via your mobile device.

What is the most popular method for the second factor of MFA?

The most popular method for the second factor of MFA is the Duo mobile app. This app works on most devices (iOS and Android) and is the most convenient of all options to use. This option can work whether the mobile device is connected to a network or not (please see documentation for how this works). Even in instances where consumers have opted for a different second factor as their default (call-back or a hardware token), they often end up changing to the mobile app option for ease-of-use and convenience reasons.

I receive a message that says "Access is not allowed because you are not enrolled". What should I do?

This message indicates that you have not enrolled any devices for MFA. To enroll a device and resolve this error, follow Steps 1 & 2 on our Setup MFA page.

If you require any assistance with enrolling a device, please contact the WTS Helpdesk.

How do I approve my log in?

Select your device type for a guide:

I receive a message that says “Your Duo account is disabled and cannot access this application. Please contact your IT help desk”. What should I do?

Your account will lock after 3 failed log in attempts and will unlock after 15 minutes. Contact the WTS Helpdesk for further assistance.

Why am I not receiving push notifications in the Duo Mobile app?

You may have trouble receiving push requests if there are network issues between your phone and the Duo service. Many phones have trouble determining whether to use the WiFi or cellular data channel when checking for push requests, and simply turning the phone to airplane mode and back to normal operating mode again often resolves these sort of issues, if there is a reliable internet connection available. Similarly, the issue may be resolved by turning off the WiFi connection on your device and using the cellular data connection.

Check the time and date on your phone and make sure they are correct. If the date and time on your phone are manually set, try changing your device's configuration to sync date and time automatically with the network.

It is recommend that you also check your devices notification settings to confirm that notifications are being allowed for the Duo Mobile app.

You may also want to try to reactivate.

To do so:

Log into the Identity Manager
Authenticate using your secondary device
Click Security > Manage My MFA
Click Launch Duo Manager
Follow the instructions on the website

If you can't get Duo Push working, you can log in with a passcode generated by the Duo Mobile app.

Why has my Hardware Token stopped working?

Hardware tokens can become desynchronized with Duo if a number of passcodes are generated without being used. We can resynchronize your token to restore functionality. Please contact the WTS Helpdesk with 3 sequential codes the hardware token has generated.

Can I use MFA without a mobile device?

You can also enroll a tablet, a landline telephone (i.e. your office phone), obtain a security key, or request a Hardware Token.

Is MFA accessible?

Duo self-enrollment and authentication are compatible with screen readers. Additionally, the Duo Mobile app is accessible to voiceover functionality on Apple and Android devices.

Does the MFA process work in areas where some access is limited (international locations such as Iran, as an example)?

Yes. There are several ways to achieve the second factor of authentication without the guarantee of connectivity (bearing in mind that being able to reach the email service in the first place may be an issue depending on the location’s overall internet access), including:

(1) Offline codes generated with the Duo Mobile app that can be generated and used without any sort of mobile connectivity
(2) The use of a hardware token that can be carried with you
(3) The WTS Helpdesk can be contacted and a temporary code(s) can be generated for access

We recommend you visit our Travelling with MFA page ahead of any planned travel to be sure you have everything you need.

How can I protect services/applications I manage with MFA?

Create a Service Desk ticket with Web Operations to enquire about deploying MFA on services/applications that you manage.

I have received a request to approve a login that I did not initiate, what do I do?

If you have received a request to approve a login that you did not initiate and you do not recognize, deny this request and change your Western University password.

If you have approved the request, in addition to changing your password, please contact WTS Helpdesk as soon as possible so our security team can be made aware and take appropriate action.

Managing my MFA devices

I replaced the phone that I enrolled in Duo. What should I do now?

Log into Western Identity Manager
You will need to verify by SMS or phone call to authenticate into the Duo settings

Note: If you don't have a secondary device you will need to get a bypass code by contacting WTS Helpdesk
If you have the same phone number, you can click the I have a new phone button. If you have a different phone number, you will need to add a device
Select an option.
Click one of the options and follow the instructions
Once you have added the new device you may remove the old one

NOTE: You must have at least one device listed. The old device cannot be removed until you add a new device if it is your only device listed.

Add an additional device

Log into Western Identity Manager.
You will need to authenticate into the Western Identity Manager Duo settings
Click add a device and follow the instructions to setup the device.

Remove a device that has been enrolled

Log into Western Identity Manager.
You will need to authenticate into the Western Identity Manager Duo settings
Once you're authenticated, click on the device you want removed and delete it.
NOTE: The option to remove a device only appears when you have more than one device set up.

For more information, pease go to these sites:
Add new authentication device
Remove authentication device

Duo Mobile App

Where can I download the Duo Mobile app?

You can download the Duo Mobile app by searching "Duo Mobile" in your device's app store and select Duo Mobile . Only Apple iPhones/iPads, Android, and Windows Mobile devices have a supported app. Use the links below to view the Duo Mobile app in the app store.

Why am I not getting Duo push notification?

The Duo Mobile app relies on having push notifications enabled on your mobile device. When setting up the app for the first time, you will be prompted to enable push notifications. If you had declined, you can enable the notifications by reviewing your device's notification preferences within Settings.

Published on and maintained in Cascade.

MFA