Logins require the use of a mobile app to mitigate security breaches
UofT staff and students will soon be required to enroll in UTORMFA, a multi-factor authentication process, which adds a layer of security for sites that use a UTORid login. The recommended option requires downloading an app on an Apple or Android mobile device. Enrollment in UTORMFA is already required for new students as of October; all students are required to enroll by February 28, 2023, and are ‘strongly encouraged’ to do so as soon as possible.
As most students are aware, there have recently been a number of phishing attacks sent from hacked UofT email accounts; implementing multi-factor authentication should make security breaches like this much less likely. However, many are unsure as to what happens if they don’t have a compatible device, or how the system is going to work. Students are encouraged to download the Duo Mobile app, which sends push notifications to verify logins; however, other options include requesting a hardware token, generating a login code with Duo, and using an emergency bypass code in the event of a lost or unavailable mobile device.
Duo Mobile supports Android 8.0 or greater and iOS 13.0 or greater. To begin the process, simply download the app and go to enroll.utormfa.utoronto.ca. It shouldn’t take longer than ten minutes, and students are advised to complete it all at once; leaving mid-process will lead to your account being locked.
Students who do not have a compatible device can pick up a hardware token at the help desk at Robarts Library; the hardware token generates codes to verify logins. The first hardware token is free, but a second would cost $25 if the first is lost or stolen. Students who are not on campus and cannot use a mobile device would have to order a hardware token by visiting the help desk website. For those who have the app but don’t have wifi or data, there is also an option to generate codes with the app instead of sending a push notification.
Some services only require UTORMFA for off-campus logins, and will only ask every seven days on a trusted device, whereas others require authentication for every login. The policy depends on the security level of the application, but it is not entirely clear which services fall into which category.
For questions and support, students can visit the Information Commons Help Desk at Robarts Library or contact them by email.