Using MFA Guide
Welcome to the MFA Usage Guide! Thank you for helping to secure your account.
This document will share how to use MFA to authenticate to MFA protected applications.
If you haven't already, ensure that you are an enrolled MFA user. To become an enrolled user, please complete the enrollment process detailed in the MFA Enrollment Guide. Ensuring you are an enrolled MFA user is required before any authentications can occur.
What To Expect Once Enrolled:
Once you enable MFA on your account, you may see an extra page after you sign into a University of Regina application. This page prompts you to authenticate on your default device, or to authenticate using another method on your device or using another device that you have previously set up. How frequently you are asked to authenticate on your default device varies, depending upon:
- The website you're accessing (for added security, some sites always require a MFA).
- Your individual browser settings (whether or not you clear cookies).
- Whether or not you use more than one computer and web browser (MFA is requested at least every 7 days for each computer and each browser you use to access protected MFA applications).
- Whether you check the Remember me for 7 days box during the login process.
How to Authenticate:
The University of Regina MFA project provides flexibility to use several different second factors authentication options. To see how to authenticate with any of the supported second factors, please see the below guide for using MFA with each of the supported second factors:
- Duo Mobile App for Push (recommended) - if you chose Duo Mobile Push notifications, a push notification is sent to the mobile device, and you can review the request and tap Approve to authenticate. Internet or cellular access is required.
- Duo Mobile App for Passcode (recommended) - launch the Duo app on your mobile device and click the down arrow to see your current six-digit passcode. Enter the passcode on the MFA screen to authenticate. Because this method is time-based, you don't need cellular service or internet access.
- Hardware Tokens - press a button on the token to obtain a passcode, then enter the passcode on the MFA screen to authenticate. This method is restricted to users with a justified business need for hardware token.
- Backup codes (recommended) - requires users to generate backup codes which are stored offline (such as on paper) in your primary device (mobile device or hardware token) is unavailable. A code from the list of backup codes is entered on the MFA screen to authenticate.
For more details on second factors, please see the resources page on selecting a second factor.
Authentications with Duo Mobile Push
By using the Duo Mobile authentication app, you can securely log in to your apps by approving a push notification send to your mobile device.
Duo Push is the fastest and easiest way to complete two-factor authentication using your smartphones. It is the recommended method of authenticating as it is the most convenient and secure method of accessing your accounts with MFA.
You must already have enrolled mobile device in order to use Duo Mobile Push.
Here’s how it works:
- Enter your username and password into your login page.
- Choose 'Duo Push' as your second factor on the next screen prompt.
- Then, tap 'Approve' on the push notification sent to your phone.
The second factor authentication using Duo Mobile Push can take just a few seconds; see how in the video for iPhone or Android, below.
Need more details? Feel free to follow along:
Step 1) From a supported browser, go to the login page of an MFA protected application.
Enter your username, and password, and press login.
Step 2) If you have more than one device enrolled, you'll see a device selector. Select the device you want to use from the drop down list. If you only have one device enrolled, you will not have this option.
If you do not wish to see the MFA prompt for 7 days on the application you are trying to use, select, "Remember me for 7 days".
Step 3) Then, please choose the authentication mechanism Duo Push by pressing "Send Me a Push".
The browser screen will indicate that a push has been sent to your device. A blue bar at the bottom of the Duo screen will say "Pushed a login request to your device..."
Step 4) You will receive a notification to the mobile device you selected.
Tap on the notification or open the Duo Mobile App.
Verify the MFA push to your phone by making sure you initated the authenication request by verifying the username, IP address, application name, and time that the push was requested are correct. If the push is valid, then press Accept.
You will now be logged into the application.
Note: If you get a push that you did not initiate, ensure you tap the red "Deny" button. Never approve any authentication requests you did not initiate personally.
Authentications with Duo Mobile Passcodes
If you select Duo Mobile App Passcode as your authentication method, you use a six-digit authentication code generated by the Duo Mobile app on your smartphone or table to authenticate. This code is read from your Duo Mobile app on your smartphone, and typed into the MFA prompt on in your browser to validate your identity.
Internet or cellular access is not required. This is a great option to use when you are traveling and may not have wifi or mobile data.
To use the Duo Mobile Passcode to authenticate, you must be already enrolled with at least one mobile device (smartphone or tablet).
To authenticate, launch the Duo Mobile app on your device and then tap the key icon to get the authentication code. You can learn how to use the Duo Mobile Passcode in the below video.
Detailed step-by-step instructions for using Duo Mobile Push:
Step 1) From a supported browser, go to the login page of an MFA protected application.
Enter your username, and password, and press login.
Step 2) If you do not wish to see the MFA prompt for 7 days on the application you are trying to use, select, "Remember me for 7 days".
Step 3) Then, please choose the authentication mechanism Duo Mobile Push by pressing "Enter a passcode".
A blue bar at the bottom of the screen will appear and state "
Step 3) Open the Duo Mobile app on your mobile device.
In the Duo Mobile app, a "Duo Protected / University of Regina" section will appear.
Tap the down arrow (circled in red) on the right side of the screen to expand the "Duo Protected / University of Regina" section.
A six-digit passcode is displayed (circled in red). This is your Duo Mobile Passcode.
Step 4) Enter this code in the Duo Prompt on your computer screen, and click the green "Login" button.
You will now be logged into the application.
Authentications with Hardware Tokens
If you are a MFA user who has an enrolled hardware token, you can use the hardware token to generate passcodes for use with the U of R Duo MFA.
Hardware tokens aren't recommended unless a user does not have a mobile device.
To authenticate using a hardware token:
- Ensure that you have your hardware token handy.
- Enter your username and password into your login page.
- Choose 'Enter a Passcode' as your second factor on the next screen prompt.
- Press the green button on the Duo Hardware Token to generate a code.
- Type in the code into the space provided on the on-screen Duo prompt, and click Log In
For more details, see the below steps to authenticate using a hardware token:
Step 1) From a supported browser, go to the login page of an MFA protected application.
Enter your username, and password, and press login.
Step 2) If you do not wish to see the MFA prompt for 7 days on the application you are trying to use, select, "Remember me for 7 days".
Note: Using the "Device:" drop-down menu to select your token is not necessary before entering the passcode.
Step 3) Then, please choose the authentication mechanism Duo Passcode by pressing "Enter a passcode".
Step 4) Use Duo Hardware Token to Generate Code
Press the green button on the Duo Token. A 6 character code will appear on screen.
Note: This code will remain on screen for 30 seconds.
Note: Pressing the button again will generate a new code, and invalidate previously generated codes.
Step 5) Enter this code in the Duo Prompt on your computer screen, and click the green "Login" button.
You will now be logged into the application.
Authentications with Backup Codes
If you do not have access to your primary authentication device, you can use backup codes to authenticate. For example, if your mobile phone has a dead battery, you can use backup codes to authenticate until your phone is charged. Or if you normally use a hardware token, but have left it at home, you can use backup codes until you can retrieve your hardware token.
Instructions on how to create backup codes are found in the Enrollment Guide under Step 5: Create Backup Codes.
Backup codes must be generated in the backup code portal. You are allowed to generate up to 10 codes at a time, and they are valid for 1 year. Each code can be used only once, and then it is invalid.
Before you can authenticate with a backup code, ensure that you have valid backup codes generated.
The backup code is read from your list of backup codes, then typed into the MFA prompt on in your browser to validate your identity.
These codes are not intended for daily use, rather they are designed for emergency 'backup' use.
To authenticate, you will need to:
- Ensure that you have backup codes handy.
- Enter your username and password into your login page.
- Choose 'Enter a Passcode' as your second factor on the next screen prompt.
- Then type in a valid backup code and press 'Login'.
Detailed step-by-step instructions for using Backup Codes:
Step 1) From a supported browser, go to the login page of an MFA protected application.
Enter your username, and password, and press login.
Step 2) If you do not wish to see the MFA prompt for 7 days on the application you are trying to use, select, "Remember me for 7 days".
Step 3) Then, please choose the authentication mechanism Duo Passcode by pressing "Enter a passcode".
Step 4) Find your previously generated list of backup codes.
Codes should be generated proactively; preferably at enrollment time, but can be generated after enrollment as well.
These are generated in the backup code portal, and will appear as follows:
Codes are valid for 1 use or 1 year, whichever occurs first.
To generate codes, please see the enrollment guide.
Step 5) Enter Backup Code into MFA Prompt
Select an unused and unexpired backup code from your list of previously generated backup codes.
Enter this code into the MFA prompt as circled, below. The code will be 9 digits.
Then click the green "Log In" button.
You will now be logged into the application.
If you are using backup codes because you can not access your primary device and you will not be able to access this primary device (mobile phone, tablet, or hardware token), it is recommended you either add a new device to your account, or contact IT Support to ensure that your ability to authenticate is not interrupted.
Further Information:
Instructions on how to create bypass codes
Authentications with CASPUR
CASPUR access will start using MFA in late 2021. MFA enrollment will be required by Feb. 16, 2022 in order to access CASPUR.
Note: CASPUR does not support "Remember Me" functionality. This means that you will receive an MFA prompt for each report accessed.
Note: CASPUR is not compatible with Security Keys such as Yubikeys. All other second factors are supported.
How to Authenticate with CASPUR and MFA:
Once CASPUR is launched on your system, please select the report you wish to run from the menu. You will be prompted to authenticate with your uregina.ca username and password.
Enter your uregina.ca username and password, then press ‘Ok’.
If you username and password is accepted, you will then be prompted by the CASPUR Multi-Factor Authentication popup.
You will have two choices: Push (selected by default) or Passcode.
Option 1: Authenticate to CASPUR with Push
To authenticate with Duo Mobile, ensure the ‘Push’ radio button is selected, then click the ‘Proceed’ button.
You will then receive a Duo notification to your mobile device.
You will be prompted to approve your login to CASPUR by pressing the green “Approve” button.
You will then be logged into CASPUR and able to run your requested report.
Note: You must have a mobile device enrolled in MFA to use the Push option.
Option 2: Authenticate to CASPUR with Passcode
To authenticate to CASPUR using a passcode, ensure the ‘Passcode’ radio button is selected.
You will then need to enter a passcode from one of three choices:
1) Duo Mobile application on your mobile device,
2) Hardware token, or,
3) Backup codes.
Instructions on how to authenticate to CASPUR using passcodes from each of these choices is below.
Passcode from Duo Mobile Application:
To use the Duo Mobile passcode to authenticate to CASPUR, open the Duo Mobile app on your mobile device.
In the Duo Mobile app, a "University of Regina" section will appear.
Tap the “University of Regina" section to expand.
Ensure the radio button for Passcode is selected. Enter the displayed passcode from the app into the passcode field of the CASPUR MFA screen.
Once the passcode is entered, click the ‘Proceed’ button.
You will then be logged into CASPUR and able to run your requested report.
Press the green button on the Duo Token. A 6 character code will appear on screen.
Ensure the radio button for Passcode is selected. Enter the displayed passcode from the app into the passcode field of the CASPUR MFA screen.
Once the passcode is entered, click the ‘Proceed’ button.
You will then be logged into CASPUR and able to run your requested report.
To authenticate to CASPUR using backup codes, ensure that you have backup codes handy. Backup codes would normally only be used when a hardware token or mobile device stops working or is not accessible.
You will need to create backup codes before you can use them to authenticate to CASPUR. Instructions on how to create backup codes are found in the Enrollment Guide under Step 5: Create Backup Codes.
Select a valid (unexpired, previously unused) backup code from your list.
Ensure the radio button for Passcode is selected. Enter the selected backup code into the passcode field of the CASPUR MFA screen.
Once the passcode is entered, click the ‘Proceed’ button.
You will then be logged into CASPUR and able to run your requested report.
Authentications with SSH
MFA authentications will be required for users on all externally accessible SSH services starting Summer 2023.
How to Authenticate with SSH and MFA:
When authenticating via SSH to an MFA enabled system, you initially will have 2 familar options.
Option 1: Authenticate via passcodes
Enter your regular password to perform initial authentication.
Option 2: Authenticate via key
Specify the proper private key when connecting to the system.
Once passed the initial logon, DUO two-factor login will be presented. You can enter a number for one of the devices presented, or enter a passcode from a mobile passcode, a hardware token or a backup code.
Note: Remember me functionality is not an option for authentication through SSH at this time.
Note: If you would like to switch your account to key based SSH authentication, please contact the IT Support Centre at:
Phone: 306-585-4685
Email: IT.Support@uregina.ca
Technical Support Webform: https://ursource.uregina.ca/is/forms/ticket.html
UR Courses Support Webform: https://ursource.uregina.ca/is/forms/urcourses.html
In person: ED137 or Archer Library main floor