Multi-factor authentication (MFA)
MFA provides an extra layer of protection to make sure it’s really you when you log in to UQ websites and systems.
At UQ, staff are required to use multi-factor authentication (MFA). Logging in using MFA requires 2 factors to identify you:
- Something you ‘know’ (your username and password).
- Something you ‘have’ (e.g. a code sent to your mobile phone).
By using MFA, your account is protected from unauthorised access if one of these factors is compromised.
In 2019, UQ is rolling MFA out to all ongoing, fixed-term and casual professional and academic staff. A deployment plan has been developed in consultation with faculties, institutes and other organisational areas.
Why is MFA important
UQ takes cyber security very seriously. Not only does MFA help protect your personal information, pay details, research and work, it also protects University information, data and systems.
Passwords are increasingly easy to compromise. They can often be stolen, guessed or hacked — you might not even know someone is accessing your account. MFA helps keep your account secure even if your password is compromised.
Watch our video to learn more:
About MFA at UQ
UQ uses Duo to provide its MFA services.
For most people, the Duo Mobile app is the most convenient way to use MFA. You can choose to either receive a "push" notification or generate a passcode.
If you have a UQ mobile phone, you're expected to use it for your MFA needs. If you're unable to take your mobile phone into a particular location (e.g. your research lab), you can submit an IT request (staff login required) for a Duo token.
| MFA option | Duo mobile app - Push notification | Duo mobile app - passcode | Duo token |
|---|---|---|---|
 |
 |
 |
|
| How does this work |
Duo sends a login request to your smartphone. Simply tap Approve (green tick) to authenticate. You can set your preferences to automatically ‘push’ a request to your phone. |
Duo sends a 6-digit numeric passcode to your smartphone. Enter the number into your MFA login screen on your browser. | Duo sends a 6-digit numeric passcode to your token. You then need to enter the number into your MFA login screen on your browser. |
| Platforms |
|
|
Independent |
| Network connection needed? | Internet access required | None | None |
| Pros |
Convenient if you have your phone with you all the time. Simply tap ‘Accept’ when promoted (no need to type a string of numbers into your browser |
Convenient if you have your phone with you all the time. |
Can be used in locations (such as research labs) where a mobile phone is not allowed. Convenient if traveling overseas. |
| Cons | Need to enter the string of numbers into your browser when prompted. |
Need to enter the string of numbers into your browser when prompted. May not always have token if accessing the system when not in your office. |
|
| User cost | None | None | None |
Activating MFA
UQ uses Duo to provide its MFA services.
Most people find using the Duo Mobile smartphone app the most convenient way to use MFA. To activate MFA on your mobile device, you’ll need:
- your mobile device (smartphone)
- a computer or other device.
If you don’t have a smartphone, or are unable to use one in your work area, you can submit an IT request (staff login required) for a MFA token. When you collect the token, you’ll be shown how to use it to register and log in with MFA.
To activate MFA, watch the video guide or read the steps:
- On your mobile device, download the Duo Mobile app
from Google Play or the App Store. - On your computer, go to the MFA portal.
- Enter your date of birth and click ‘Submit’.
- Click ‘Start setup’.
- Select the type of device you wish to add and click ‘Continue’.
- Enter your mobile phone number and click ‘Continue’. This number will be used to recover your account if you lose access to it.
- Select your device's operating system and click ‘Continue’.
- Click ‘I have Duo Mobile Installed’.
- On your mobile device, open the Duo Mobile app and tap the plus icon (+) to add a new account.
- The app will open a QR code scanner, similar to a camera. Focus it on the QR code (square barcode) on your computer screen.
- When the tick appears to confirm the app has registered the QR code, tap ‘Continue’.
- On your computer, click ‘Continue to Login’.
You'll now need to use your registered device when you log in to UQ websites and systems that require MFA.
Logging in with MFA
To learn about logging in with MFA, watch the video guide or read the information below:
When you log in to a UQ website or system that requires MFA, you’ll be asked how you would like to authenticate.
If you select:
- ‘Send me a push’, a notification will appear on your mobile device that asks you to accept or deny access.
- ‘Enter a passcode’, you’ll need to open the Duo Mobile app and enter the passcode from the app on the login screen of the website or system.
If you have multiple devices registered, you can choose which one you want to use.
If you prefer to always use a particular authentication method, you can select that in your device settings on the MFA portal.
VPN users: If you enter a passcode or use a MFA token, the authentication process for logging in to the VPN is slightly different. Follow the VPN authentication instructions.
Managing devices used for authentication
Once you’re registered, you can go to the MFA portal to:
- add, remove or change the device you use for MFA
- select or change your preferred authentication method.
Frequently asked questions (FAQs)
Here are our answers to common questions about MFA:
Setting up MFA
What devices can I use for MFA?
You can use the Duo Mobile app on mobile devices such as smartphones. Duo Mobile is compatible with Apple iOS 11 and higher, and Android 7.0 and higher.
What can I do if I don't have a smartphone or don’t want to use my personal device?
If you don't have a compatible mobile phone, can’t use a mobile phone in your work area, or don't want to use your personal device, submit an IT request (staff login required) to request a Duo token. The Duo token can be used to generate a one-time passcode (OTP) which you will need to enter into the log in screen when prompted.
What is a Duo token?
A token is a small device which is about the same size as a USB key. It works by generating a 6-digit one-time passcode (OTP) which you will need to enter into the log in screen when prompted.
What happens if I don't register a device?
Until you register your mobile device and/or computer, or receive a Duo hardware token from ITS, you'll be unable to access some UQ websites and systems.
General use
Why do I need to use MFA?
Cyber attacks are becoming increasingly prevalent in today’s technology landscape. Passwords and usernames are often hacked and then used to log into other online accounts.
MFA will significantly increase your UQ account’s security and protect it from compromise.
If a hacker gets access to your UQ account, they could potentially obtain access to sensitive University data, or your personal information. Consequent data breaches can have severe personal, business and financial implications.
When do I need to use MFA?
You’ll be prompted to use MFA when logging into the majority of UQ websites and systems. Currently, all sites that you log into via UQ Authenticate (previously known as single sign-on) will require MFA.
Why don’t all UQ sites use MFA?
Our goal is to connect all UQ websites and systems to MFA, to enhance the security at UQ. As we continue to implement these new security measures, you will see more sites (such as SI-net and UniFi) connect to MFA.
Can I change the authentication method I use?
Yes. Use the MFA portal to register new MFA devices.
How do I log in if I can’t take a mobile phone into my workplace (e.g. a research lab)?
In some restricted environments at UQ, MFA will not be required when using computers located in the lab. In other cases, hardware tokens must be used instead of mobile phones.
If you encounter a situation where you're still required to MFA but unable to, contact the ITS Service Desk.
I need to log in to my UQ account in a location without mobile coverage or where mobiles aren’t allowed. What do I do?
The Duo Mobile app can be used to generate one-time passcodes that you can use as a second authentication factor.
Your mobile phone does not need to be connected to the internet to generate a one-time passcode. You can enter this one-time passcode when logging in and are prompted for MFA.
Does MFA use my data on my smartphone?
Duo Mobile push authentication requests require a minimal amount of mobile data – less than 2KB per authentication. This amount of data usage falls well within a typical push notification. For more information, see the DUO Knowledge Base.
Why does the Duo Mobile app need access to my camera?
When using MFA for the first time and registering your device, the Duo Mobile app will use your camera to scan a QR code displayed on the screen. For more information, see the DUO Knowledge Base.
How does Duo store my data?
Duo is UQ's MFA provider. Duo is a cloud-based service, which is located outside Australia.
When you register to use the MFA service at UQ, some information is sent to Duo and stored on Duo servers. This information is used to provide you with MFA services, and is limited to:
- your UQ account username (e.g. ‘uqabcde’)
- details of the devices you use for authentication (e.g. your mobile phone number).
UQ takes data storage and privacy extremely seriously and will only provide Duo servers with the minimum required data to enable the service. By using this MFA service, you agree to the transfer of this information outside Australia. For more information, see the DUO Knowledge Base.
New, damaged or lost devices
How do I log in if I leave my device at home?
Contact the ITS Service Desk to be issued a bypass code that you can use to authenticate. You will need to confirm your identity before a bypass code can be issued.
If you have temporarily misplaced your MFA device or left it at home, you can use the provided bypass code and then resume using your regular MFA device when possible.
What do I do if I’ve lost my phone or MFA-enabled device?
- Contact the ITS Service Desk to be issued a bypass code.
- Visit the MFA portal.
- Sign in and select the option to enter code for MFA.
- Remove the lost device.
- Choose the option to add a new device.
- You will need to confirm your identity before a bypass code will be issued.
How do I change my default device for Duo?
To add, remove, or change devices that you use as your second factors, please visit the Device Management Portal.
Can I use MFA when travelling overseas?
Yes. If you are travelling overseas for work, we suggest you submit an IT request (staff login required) for advice to help you prepare.
Problems logging in
I'm not receiving push notifications from Duo. How do I fix this?
Rebooting your device will usually address the issue. If you have iOS content restrictions (such as parental controls) enabled, this may interfere with Duo push notifications. See Duo's instructions for advice on how to avoid this.
If you are still experiencing issues, contact the ITS Service Desk for advice.
What do I do if my MFA token code isn't working?
Please contact the ITS Service Desk for assistance.
What do I do if I've clicked 'Remember me', but I'm still asked to log in?
The ‘Remember me’ option works by storing a cookie in your web browser. Therefore, this option will only work for the browser you selected it on. If you are using a different device, browser or incognito mode to where you selected ‘Remember me’, you will be prompted again.
You may be required to use MFA more frequently for some applications which have sensitive or protected information (such as our payroll system), as they require a higher level of protection.
What do I do if I can't see the option to enter a code for MFA?
It's likely you have selected the option to automatically send a push notification to your device when you log in.
On the MFA prompt, click 'Cancel' and select the 'Enter a passcode' option.
If you prefer to always use a particular authentication method, you can select that in your device settings on the MFA portal.