Multi-factor authentication
The best way to keep your UVic account secure is to enable multi-factor authentication (MFA). This type of security is also called two-factor authentication (2FA) or two-step verification. MFA adds an extra layer of security to your account by adding an extra step into your sign in process.
You must enable UVic MFA to access online resource like Brightspace, UVic email, and Microsoft 365. We recommend enroling as soon as possible when you get prompted.
When you use MFA, you’ll sign in to your account using your passphrase, then confirm that it’s you using a personal device like a phone. This makes it much harder for someone else to gain access to your account. Keeping your account secure is important for your own online safety and the safety of the UVic community.
Who can use UVic MFA?
Students, faculty, staff, emeritus and UVic affiliates can use UVic MFA.
How to use UVic MFA?
UVic uses Duo for our MFA service. You can register a mobile device or Duo hardware token to be your second factor. You should choose a device you usually have with you or add more than one device to make sure you can always access your account. Your phone is probably the best option to choose because you’ll usually have it with you.
When you sign in to UVic resources, you’ll get a UVic Duo MFA prompt. You’ll need to either approve a push notification on your mobile device or enter in a code from your hardware token to finish your sign in process.
UVic MFA will work even if you don’t have access to Wi-Fi or cellular data.
Sign up for UVic MFA
You can use UVic MFA through the Duo Mobile app, an authenticator app, or a Duo hardware token. You can add or remove devices from your Duo profile if you want to add a back-up or get a new phone.
You must complete the whole Duo enrolment process, otherwise your NetLink ID will be locked. If you plan to use your phone for UVic MFA, make sure it’s compatible with Duo or a supported TOTP app
You’ll need to do three things to start using UVic MFA:
- Set up a device (phone or tablet) or hardware token (your “second factor”)
- Turn MFA on in your Online tools profile
- (Recommended) Make bypass codes
It typically takes about 20 minutes to sign up. If you need help signing up for UVic MFA, we made a video to guide you through the process. You can also contact the Computer Help Desk.
Set up a device or token
You’ll need to set up at least one device to use to authenticate. Most people use the Duo Mobile app on an iPhone or Android phone that they already carry around. To install Duo Mobile on your phone or tablet:
- Go to (Apple App Store) or (Google Play Store)
- Select Get or Install to download and install the free Duo Mobile app
Make sure you install the correct app. It will be called Duo Mobile and is published by Duo Security LLC. The logo is green with DUO written in white text.
If you already use another authenticator app, UVic MFA does support some alternative authenticator apps for passcodes only. Duo Mobile is required if you want to use push notifications for authentication. You can if you want to streamline account security for all your online services.
If you don’t have a compatible iPhone, iPad or Android device, you can use a Duo hardware token instead. A hardware token is a small single-purpose device that generates a one-time passcode when you press a button.
- If you’re a student or emeritus, you can buy a hardware token at the
- If you’re an employee, you can request a hardware token through your department.
If you can’t use your phone or access a Duo hardware token, there is support available for students with financial or accessibility needs.
You can use multiple devices (phones, tablets, tokens) if you want. It can be useful to have a backup! But you must add at least one.
Turn MFA on in your UVic profile
- Go to account security settings in Your profile.
- Select Manage multi-factor authentication. Confirm you’re ready to enrol in UVic MFA and select Enable Duo.
- Follow the on-screen steps to enrol your first device.
Make bypass codes
Bypass codes are codes that you can use to get into your account if you don’t have access to your phone or token—for example, if you forget it at home one day.
You don’t have to make bypass codes, but we strongly recommend that you generate a set of single-use codes, write them down and keep them someplace safe.
It typically takes about 5 minutes to create your bypass codes. If you need help generating codes, we made a video to guide you through the process. You can also contact the Computer Help Desk.
Alternative authenticator apps
UVic MFA supports several popular authenticator apps that use Time-based One-time Passwords/Passcodes (TOTPs) for generating one-time passcodes. Personal TOTP hardware tokens are not supported.
You can use a TOTP authenticator app if:
- you don't need the option for push notifications
- you don’t want to use a physical Duo hardware token
- you already use an authenticator app and want to keep your accounts together
- Duo Mobile isn't available in your app store
Since TOTP authenticator apps don't provide push notifications for UVic MFA, you won't know about any suspicious login attempts on your account. Duo Mobile is the only way to be notified when someone has your passphrase and tries to sign in to your account.
How does it work?
Whenever you get a UVic Duo MFA prompt, open your TOTP authenticator app to generate a one-time use passcode. Enter the code into the hardware token field in the prompt window.
Install an authenticator app of your choice. It must support 6-digit TOTP to work with your UVic account. We recommend for ease of use and compatibility with UVic MFA.
The following others have also been tested:
Then add your UVic account to TOTP authentication apps by scanning a unique QR code or entering a secret key.
Once your authenticator app is set-up on your device, you can generate a QR code to add your UVic account.
- Go to account security settings in Your profile.
- Under the Authenticator tokens section, click Add a new authenticator token. You’ll be prompted to add an authenticator token.
- Choose the Authenticator App option from the drop-down menu under What type of authenticator token would you like to add?
- Add a name for the authenticator app you’re using. (optional)
- On your device: open your authenticator app and add a new account. Options will vary depending on your app:
- In Your profile: scan the QR code or copy the secret key provided into your authenticator app. Click Submit.
Common issues
Once you’re signed up for UVic MFA, you can instruct Duo to remember your device. When you see the "Is this your device?" prompt, you can choose “Yes, this is my device” to remember it for 7 days.
This option works well for your most common devices or web browsers. If you use multiple computers or switch to a new web browser, you’ll see the regular UVic Duo MFA prompt.
If your enrolment process is interrupted before it finishes, there are a couple things you can try to restart the process:
- If you’re still on the Enrol in Duo Multi-factor Authentication page, nothing’s been done to your account yet. You can just start the enrolment process over
- If you’re getting stuck on the Add First Device to Duo page, click the “I’m having issues enrolling a device” option, then click Unenrol. This will take you back to the start and you can try again.
- If you accidentally close the browser window before adding a device or selecting Unenrol, your NetLink ID might get locked. You can unlock your account using the NetLink ID recovery tool.
UVic MFA works even if your phone doesn’t have an internet or data connection. You can use the Duo Mobile app to generate single use six-digit passcodes just like a Duo hardware token.
- Open the Duo Mobile app and press the show button next to the passcode field. You might need to click on 番茄社区 if you have more than one account added to your Duo Mobile app.
- Copy the six-digit code into the Duo prompt window in your web browser. You can use the Refresh passcode button anytime you need a new single use passcode.
Still unsure? We made when your phone has no internet or data service.
You can update your enroled devices online.
You’ll need to approve a Duo prompt to make any changes to your devices, so make sure you have another device or bypass code handy. If you don’t have one, contact the Computer Help Desk.
Once you’re in the device management settings, you can remove your old phone and add a new one. If your new phone has the same phone number, you can Reactivate Duo Mobile.
You’ll need to install the Duo Mobile app on your new phone to complete the reactivation.
Deleting the app won’t remove UVic MFA from your NetLink ID, but it can lock you out of your account. Try to make sure you have another device added or a bypass code before deleting the app. If you deleted the app without one, contact the Computer Help Desk.
If you do have a second device or a bypass code, you can reactivate your device. You’ll need to reinstall the Duo Mobile app first.
There are a few ways to access your UVic account if you lose your phone or Duo hardware token:
- If you’ve added another device to your Duo account, you can use that to sign in.
- If you made bypass codes, you can use one to sign in.
- If you don’t have a second device or bypass codes, you can contact the Computer Help Desk.
Once you’ve signed in, you can unenrol the lost phone or hardware token to remove it from your Duo account. You can always re-add your lost device if you find it later.
If you receive a Duo push notification when you aren’t trying to sign in to a UVic service, someone might be trying to access your account. Deny the push notification. When Duo asks, “Was this a suspicious login?”, press Yes. This will stop the other person’s sign in attempt.
You should change your NetLink ID passphrase immediately.
There are a few reasons why you might not be getting push notifications on your phone:
- The Duo Mobile app isn’t responding. Try restarting the app and you should see an approval request waiting for you.
- Notifications are turned off. Double check your notification settings. You might have them turned off or they’re being blocked by Focus mode or Do not disturb.
- You don’t have Wi-Fi or cell service. If your phone has a weak connection, you can use the Duo Mobile app to generate one-time use codes like the Duo hardware token.
Duo has more notification information for and on their support site.
Hardware tokens generate codes for you when the button is pushed. Each code lasts long enough for you to use it while signing in. If the button gets pressed too many times without the code getting used, it can get out of sync with the UVic MFA service. This can also happen if the battery is failing or if the token is damaged.
You can re-sync your token online. You will need to approve a Duo prompt to make any changes to your devices, so make sure you have another device or bypass code handy. If you don’t have one, contact the Computer Help Desk.
If you can't find the Duo Mobile in your app store, it may be restricted due to your region or unavailable on your device.
Try setting up an alternate authenticator app. Some authenticator apps support a wider variety of devices.
You can also contact the Computer Help Desk.
If you need a guide for setting up Duo Mobile on your smartphone, this video walks you through the entire process from start to finish.
If you need a guide for creating and using bypass codes, this video walks you through the entire process from start to finish.
Accommodation requests
UVic MFA account security is for everyone. If you have accessibility needs or financial barriers that make it difficult for you to enrol in Duo, please submit an accommodation request.
International use
If you’re travelling or living outside Canada, you can still use UVic MFA. You can still use Duo Mobile without data or Wi-Fi.
You can also swap SIM cards in your phone. The Duo Mobile app is tied to your phone’s hardware security module (HSM), so picking up different SIM cards in other countries won’t disable your UVic MFA access.
There are some specific countries or regions where the Duo Mobile app is blocked due to economic and trade sanctions enforced by the U.S. Office of Foreign Assets Control. These restrictions also include other online services through UVic, like Microsoft 365 and Remote VPN access.
If you’re travelling to a restricted country or region, please contact the Computer Help Desk before you leave. This list of countries or regions currently includes:
- Cuba
- North Korea
- Iran
- Sudan
- Syria
- Crimea region
- Sevastopol region
- Donetsk region
- Luhansk region
Contact Computer Help Desk
If you need help, please contact the Computer Help Desk.