Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) is a way of ensuring that only you are able to access your accounts on specific applications. Today, when you log in to campus applications, you provide your username and your password. Multi-Factor Authentication requires you to provide an additional “factor” to prove that it really is you accessing your account. That additional “factor” may be a number that you receive via a text message, a number that appears on a mobile app, or even through a phone call.

Many of you already use some form of Multi-Factor Authentication when logging into your personal banking accounts or when logging into your social networking accounts such as Facebook, Twitter, or even Gmail.

Many banks, online services, universities, and colleges across the world are now moving to Multi-Factor Authentication for enhanced security. We’ve moved to Multi-Factor Authentication because it will better protect both your and RIT’s information.

At most universities and in the corporate world, the most common way of compromising accounts is through phishing. With Multi-Factor Authentication, even if someone surrenders their password in a phishing attack, the attacker will not be able to login to any RIT applications that use Multi-Factor Authentication.

If you have set up bypass/offline codes in advance, you can use those to log in if your phone is unavailable.  If you have not already set up bypass codes and your phone is unavailable, please visit the RIT Service Center in person, and we can issue you bypass codes that will allow you to use MFA until you have access to your phone again.  

See: How do I generate MFA Bypass/Offline Codes?

If your mobile device is connected to wifi (on campus or elsewhere), the Duo Security app will not use data from your phone plan.  When not connected to wifi, Duo does use a small amount of data to send push notifications.  In internal RIT tests, under daily use, Duo used approximately 100Kb of data - less than the size of a typical digital photo.

Standard text (SMS) message rates apply, for those who do not have a mobile plan with unlimited texts.  Similarly, it will use minutes from your cellular plan (if applicable) to have Duo call you for verification.

For the best experience, we do recommend allowing the Duo app to send push notifications on your smartphone.  Without push notifications, you would need to open the Duo app in advance of your login attempt in order to confirm your login.  With notifications on, you can approve valid login attempts by simply tapping the notification on your device and entering a code.

If you get a new phone, you will need to enroll the new phone and deactivate the old phone.  If you have already set up a secondary multi-factor option (such as a desk phone number, or a second device), or if you have the same phone number, you can register your new phone and deactivate your old one yourself. 

If you have already switched phones and have no multi-factor options configured that are available (for example, you changed your phone number as well), you will need to contact the RIT Service Center.

See: How do I reactivate or add another device to Duo?

YubiKeys (or other U2F security keys) are allowed, but ITS does not provide assistance with them.  For general information, visit Duo's guide to U2F keys.

• If you have the Duo app configured on your smartphone, you will only need to have the phone.  
• If you will not a mobile plan with data, you will need bypass/offline codes, see: How do I generate MFA Bypass/Offline Codes?
• If duo is set up to call your cell phone, you will need to be able to receive calls where you are traveling.  
• If you do not have a mobile device MFA configured at all and are unable to configure one, you will need to have a Duo token to bring with you and should request one from your department.