Current staff Current staff
Site search

Multi-factor authentication (MFA)

  1. Home
  2. Information and services
  3. Information technology
  4. UQ accounts and passwords

MFA provides an extra layer of protection to make sure it’s really you when you log in to UQ websites and systems.

At UQ, staff are required to use multi-factor authentication (MFA). Logging in using MFA requires 2 factors to identify you:

  1. Something you ‘know’ (your username and password).
  2. Something you ‘have’ (e.g. a code sent to your mobile phone).

By using MFA, your account is protected from unauthorised access if one of these factors is compromised.

Why is MFA important

UQ takes cyber security very seriously. Not only does MFA help protect your personal information, pay details, research and work, it also protects University information, data and systems.

Passwords are increasingly easy to compromise. They can often be stolen, guessed or hacked — you might not even know someone is accessing your account. MFA helps keep your account secure even if your password is compromised. 

Top of page

Using MFA

In 2019, UQ is rolling MFA out to all ongoing, fixed-term and casual professional and academic staff. A deployment plan has been developed in consultation with faculties, institutes and other organisational areas.

Most people find mobile phone apps the most convenient way to use MFA. If you have a UQ mobile phone, you're expected to use it for your MFA needs.

If you're unable to take your mobile phone into a particular location (e.g. your research lab), you can submit an IT request (staff login required) for a MFA token.

Top of page

Activating MFA

UQ uses Duo to provide its MFA services.

Most people find using the Duo Mobile smartphone app the most convenient way to use MFA. To activate MFA on your mobile device, you’ll need:

  • your mobile device (smartphone)
  • a computer or other device.

If you don’t have a smartphone, or are unable to use one in your work area, you can submit an IT request (staff login required) for a MFA token. When you collect the token, you’ll be shown how to use it to register and log in with MFA.

To activate MFA, watch the video guide or read the steps:

Watch: How to activate MFA

  1. On your mobile device, download the Duo Mobile app  from Google Play or the App Store.
  2. On your computer, go to the MFA portal.
  3. Enter your date of birth and click ‘Submit’.
  4. Click ‘Start setup’.
  5. Select the type of device you wish to add and click ‘Continue’.
  6. Enter your mobile phone number and click ‘Continue’. This number will be used to recover your account if you lose access to it.
  7. Select your device's operating system and click ‘Continue’.
  8. Click ‘I have Duo Mobile Installed’.
  9. On your mobile device, open the Duo Mobile app and tap the plus icon (+) to add a new account.
  10. The app will open a QR code scanner, similar to a camera. Focus it on the QR code (square barcode) on your computer screen.
  11. When the tick appears to confirm the app has registered the QR code, tap ‘Continue’.
  12. On your computer, click ‘Continue to Login’.

You'll now need to use your registered device when you log in to UQ websites and systems that require MFA.

Top of page

Logging in with MFA

When you log in to a UQ website or system that requires MFA, you’ll be asked how you would like to authenticate.

If you select:

  • ‘Send me a push’, a notification will appear on your mobile device that asks you to accept or deny access.
  • ‘Enter a passcode’, you’ll need to open the Duo Mobile app and enter the passcode from the app on the login screen of the website or system.

If you have multiple devices registered, you can choose which one you want to use.

If you prefer to always use a particular authentication method, you can select that in your device settings on the MFA portal.

VPN users: If you enter a passcode or use a MFA token, the authentication process for logging in to the VPN is slightly different. Follow the VPN authentication instructions

Top of page

Managing devices used for authentication

Once you’re registered, you can go to the MFA portal to:

  • add, remove or change the device you use for MFA
  • select or change your preferred authentication method.
Top of page

Frequently asked questions (FAQs)

Here are our answers to common questions about MFA:

Setting up MFA

What devices can I use for MFA?

You can use the Duo app on mobile devices such as smartphones. Duo is compatible with Apple iOS 11 and higher, and Android 6.0 and higher.

What happens if I don't register a device?

Until you register your mobile device and/or computer, or receive a hardware token from ITS, you'll be unable to access some UQ websites and systems.

What can I do if I don't have a smartphone or don’t want to use my personal device?

If you don't have a compatible mobile phone, or don't want to use your personal device, submit an IT request (staff login required) to request a hardware token. The hardware token can be used to generate a one-time passcode (OTP) which you will need to enter into the log in screen when prompted.

General use

Why do I need to use MFA?

Cyber attacks are becoming increasingly prevalent in today’s technology landscape. Passwords and usernames are often hacked and then used to log into other online accounts.

MFA will significantly increase your UQ account’s security and protect it from compromise.

If a hacker gets access to your UQ account, they could potentially obtain access to sensitive University data, or your personal information. Consequent data breaches can have severe personal, business and financial implications.

When do I need to use MFA?

You’ll be prompted when to use MFA when logging into UQ websites and systems.

Can I change the authentication method I use?

Yes. Use the MFA portal to register new MFA devices.

How do I log in if I can’t take a mobile phone into my workplace (e.g. a research lab)?

In some restricted environments at UQ, MFA will not be required when using computers located in the lab. In other cases, hardware tokens must be used instead of mobile phones.

If you encounter a situation where you're still required to MFA but unable to, contact the ITS Service Desk.

I need to log in to my UQ account in a location without mobile coverage or where mobiles aren’t allowed. What do I do?

The Duo app can be used to generate one-time passcodes that you can use as a second authentication factor.

Your mobile phone does not need to be connected to the internet to generate a one-time passcode. You can enter this one-time passcode when logging in and are prompted for MFA.

Does MFA use my data on my smartphone?

Duo push authentication requests require a minimal amount of mobile data – less than 2KB per authentication. This amount of data usage falls well within a typical push notification. For more information, see the DUO Knowledge Base.

Why does the Duo Mobile app need access to my camera?

When using MFA for the first time and registering your device, the Duo app will use your camera to scan a QR code displayed on the screen.

How does Duo store my data?

Duo is UQ's MFA provider. Duo is a cloud-based service, which is located outside Australia.

When you register to use the MFA service at UQ, some information is sent to Duo and stored on Duo servers. This information is used to provide you with MFA services, and is limited to:

  • your UQ account username (e.g. ‘uqabcde’)
  • details of the devices you use for authentication (e.g. your mobile phone number).

UQ takes data storage and privacy extremely seriously and will only provide Duo servers with the minimum required data to enable the service. By using this MFA service, you agree to the transfer of this information outside Australia.

New, damaged or lost devices

How do I log in if I leave my device at home?

Contact the ITS Service Desk to be issued a bypass code that you can use to authenticate. You will need to confirm your identity before a bypass code can be issued.

If you have temporarily misplaced your MFA device or left it at home, you can use the provided bypass code and then resume using your regular MFA device when possible.

What do I do if I’ve lost my phone or MFA-enabled device?

  1. Contact the ITS Service Desk to be issued a bypass code.
  2. Visit the MFA portal.
  3. Sign in and select the option to enter code for MFA.
  4. Remove the lost device.
  5. Choose the option to add a new device.
  6. You will need to confirm your identity before a bypass code will be issued.

How do I change my default device for Duo?

To add, remove, or change devices that you use as your second factors, please visit the Device Management Portal

Can I use MFA when travelling overseas?

Yes. If you are travelling overseas for work, we suggest you submit an IT request (staff login required) for advice to help you prepare.

Problems logging in

I'm not receiving push notifications from Duo. How do I fix this?

Rebooting your device will usually address the issue. If you have iOS content restrictions (such as parental controls) enabled, this may interfere with Duo push notifications. See Duo's instructions for advice on how to avoid this. 

If you are still experiencing issues, contact the ITS Service Desk for advice.

What do I do if my MFA token code isn't working?

Your MFA token may become out of sync if the button is pushed too many times. To re-sync your token, perform 3 authentication attempts, generating a new code each time and the 3rd one should re-sync the token and let you in.

If you are still experiencing issues, contact the ITS Service Desk for advice.

What do I do if I've clicked 'Remember me', but I'm still asked to log in?

The ‘Remember me’ option works by storing a cookie in your web browser. Therefore, this option will only work for the browser you selected it on. If you are using a different device, browser or incognito mode to where you selected ‘Remember me’, you will be prompted again.

You may be required to use MFA more frequently for some applications which have sensitive or protected information (such as our payroll system), as they require a higher level of protection.

Top of page

ITS Service Desk