Duo MFA Frequently Asked Questions (FAQ)
Introduction
Multi-factor Authentication (MFA) adds an extra layer of protection when signing in to University of Alberta applications. When you enter your CCID and password, Duo MFA confirms your identity using a second factor, helping keep your account and the university community secure.
As part of the MFA for Single Sign-On (SSO) update, you may now see Duo prompts when accessing any application that uses SSO, including Canvas. Most users will only need to authenticate during their first SSO login on a new device, though some high-security systems will still require MFA every time.
This article answers common questions about using Duo MFA and explains what to expect when signing in to university services.
Applicability
Duo MFA is required when accessing University of Alberta applications that use Single Sign-On (SSO). Any user who signs in to an SSO-enabled service may be prompted to authenticate with Duo.
Most applications will only prompt for MFA during your first SSO login on a new device, or when your browser or device does not have a valid trusted-device token. Certain high-security systems will continue to require MFA on every login, regardless of device settings.
If you are new to Duo MFA, you will be prompted to enroll the first time you access an SSO-enabled application. Duo Mobile is the recommended authentication method, and fobs remain available for users who cannot install the app.
Details
The following resources provide step-by-step guidance for enrolling a device and signing in with Duo MFA when accessing university applications:
FAQs
What does MFA for Single Sign-On (SSO) mean?
MFA for Single Sign-On (SSO) means that Duo MFA is now applied at the SSO login layer rather than by individual applications. When you sign in with your CCID and password, you may be prompted once with Duo before accessing any SSO-enabled applications. Most users will only be asked to authenticate during their first SSO login on a new device, while certain high-security applications will continue to require MFA every time you sign in. This approach provides a more consistent and secure experience across university services.
Why am I now seeing Duo MFA prompts for Canvas?
Canvas now uses the University’s Single Sign-On (SSO) system, which means it follows the same MFA requirements as other SSO-enabled applications. Instructors and other users may see a Duo prompt when accessing Canvas, particularly when signing in on a new device or if their browser does not have a valid trusted-device token. This ensures consistent security across all university systems accessed through SSO.
Why am I seeing fewer Duo MFA prompts than before?
With the move to MFA for Single Sign-On (SSO), most users will see fewer prompts because Duo now remembers trusted devices for a set period. Once you authenticate on a new device, a security token is stored in your browser so you do not need to authenticate again unless the token expires or is removed. You may still be prompted when using a different browser or device, signing out manually, or if your browser clears cookies or cache.
Why do some applications always require Duo MFA even on a trusted device?
Certain high-security applications, such as PeopleSoft Financials, BearTracks, Password Vault, and IdentityIQ, require MFA every time you sign in. These systems handle sensitive data and follow stricter security standards, so Duo cannot rely on a trusted-device token for authentication. Even if you have already authenticated in your browser, these applications will continue to prompt for MFA to keep your data secure.
What is a trusted device?
A trusted device is one that you use regularly and that meets security requirements, such as having a password or PIN enabled and not being shared with others. When you enable the “remember this device” option in Duo, your browser stores a time-limited security token that allows you to access SSO-enabled applications without repeated MFA prompts. You should not enable this option on public or shared computers.
What applications require me to authenticate with Duo MFA?
Duo MFA is required when signing in to applications that use the University of Alberta’s Single Sign-On (SSO) system. This includes systems that have historically required Duo, such as PeopleSoft applications (Campus Solutions, Human Capital Management, Finance, and BearTracks), IdentityIQ, and MyCCID, as well as Google Workspace services.
With the implementation of MFA for SSO effective January 19, you may now see Duo prompts when accessing any SSO-enabled platform, including Canvas. Most users will only need to authenticate during their first SSO login on a new device, though certain high-security applications will continue to require MFA every time you sign in.
This approach provides consistent protection across university services while reducing unnecessary prompts.
What kind of device can I use with Duo MFA?
The University of Alberta uses the Duo Mobile app for multi-factor authentication. You can use Duo Mobile on a supported smartphone or tablet, including iPhones running iOS 16 or later, iPads running iPadOS 16 or later, and Android phones or tablets running Android 11 or later. Duo Mobile is the recommended option because it provides a fast and secure way to approve login requests.See Installing the Duo Mobile MFA app on your mobile device for more information.
If you are unable to use a supported mobile device, you may request a Duo MFA fob, which generates passcodes that allow you to sign in. Either method will allow you to authenticate when accessing applications protected with Duo MFA.
I don't use my mobile phone to access Peoplesoft or for work, do I still need to install Duo Mobile MFA on my device?
Yes. You will need Duo Mobile or a Duo MFA fob to authenticate when accessing any University application that uses Single Sign-On (SSO), even if you do not use your mobile phone for work or to access specific applications like PeopleSoft. Your mobile device is simply used as the second factor to confirm your identity, regardless of which computer or device you sign in from. If you cannot use a mobile device, a Duo MFA fob can be requested as an alternative so you can continue to access services protected with Duo MFA.
Why am I being asked to use Duo MFA to authenticate when logging in to Google Workspace Apps (Gmail, Drive, Calendar, etc), even though I've already done so within the past 14 days?
Duo MFA may still prompt you when accessing Google Workspace because authentication is now managed at the Single Sign-On (SSO) level rather than by individual applications. Most users will only need to authenticate during their first SSO login on a new device; however, you may be prompted again if your browser does not have a valid trusted-device token. This can happen if you use a different browser or device, sign out manually, or if your browser clears cookies or cache. These factors cause the security token to be removed, which requires you to authenticate again before continuing.
I don't have the "Send me a push" option in the Duo MFA web interface, and I don't have a passcode to log in with.
This usually means that your Duo Mobile device was not fully enrolled or is no longer recognized. To resolve this, you will need to complete your device enrollment before Duo can offer options such as “Send me a push” or passcode authentication. You can re-enrol your device by following the instructions in How to Re-enrol Your Duo Mobile MFA App, or contact IST for assistance if you are unable to complete the process.
I temporarily don’t have access to the device I use with Duo MFA and can’t log in.
If you temporarily do not have access to the device you use for Duo MFA, contact IST to request Duo MFA bypass codes. After verifying your identity, IST can provide single-use passcodes that will allow you to sign in until you regain access to your Duo-enabled device.
The device I use with Duo MFA was reset, lost, stolen, or replaced and I can’t log in, what should I do?
If your Duo MFA device has been reset, lost, stolen, or replaced, contact IST to have the old device removed from your Duo profile. Once it has been removed, you will be prompted to set up a new device the next time you sign in to an application protected with Duo MFA. If you need immediate access, IST can also provide temporary bypass codes after verifying your identity.
I have stopped receiving push notifications in the Duo Mobile MFA app.
If you are no longer receiving Duo Mobile push notifications, follow the troubleshooting steps in “How to Troubleshoot Duo Mobile Push Notifications.” These steps resolve the most common causes, such as notification settings or network issues. If you still do not receive notifications after completing the troubleshooting guide, please refer to your device manufacturer’s support resources or contact IST for assistance.
I can’t find or I am not able to install the Duo Mobile MFA app from the App Store on my device.
If you cannot find Duo Mobile in your device’s app store, or your device is listed as unsupported, it likely does not meet the current operating system requirements. Duo Mobile requires iPhones running iOS 16 or later, iPads running iPadOS 16 or later, and Android phones or tablets running Android 11 or later. Devices running older or non-standard versions of these operating systems may not be able to install the app. If you do not have access to a supported device, you may use a Duo MFA fob instead. A fob generates passcodes for authentication and can be obtained through approved pickup locations. See Installing the Duo Mobile MFA app on your mobile device for more information.
Why is Duo warning me that my device or operating system is out of date?
Duo may display a warning if your device or operating system is past its end-of-life or no longer meets recommended security standards. These warnings help ensure that your device remains secure and able to use Duo MFA reliably. In some cases, Duo will also block access on operating systems that are no longer supported, for example, Windows 8 and earlier cannot be used with Duo. If you are unsure whether your device is supported or need help updating your software, please contact IST for assistance.
I got locked out of Duo MFA from too many failed login attempts, what should I do?
If too many failed login attempts occur, Duo will temporarily lock your account for security reasons. The lockout will clear automatically after a short period, and you can try signing in again. If you continue to experience issues after the lockout ends, please contact IST for assistance.
I thought my Samsung device was encrypted, but the Duo Mobile MFA app is saying that my device is not encrypted and I can’t use it with Duo MFA.
Some Samsung devices may appear encrypted but do not meet the security requirements needed for Duo Mobile to function. If Duo indicates that your device is not fully encrypted, follow the steps in How to Fully Encrypt a Samsung Device to complete the process. Once your device meets the required encryption standards, you should be able to use Duo Mobile without issues.