UTORMFA Security Profiles
Applications are managed by standard, enhanced, or hybrid multi-factor authentication requirements, depending on the data classification and criticality of the application.
For applications protected by the enhanced security profile:
- You will be prompted to authenticate with UTORMFA at every login.
- You will need to authenticate again if your application times out.
- If you are not enrolled in MFA, you will be denied access to the application.
- Permissible authentication methods: Duo Push, Duo Mobile Passcode, hardware tokens and Security Keys (U2F and WebAuthn).
- Authentication will “fail close” in the event of a Duo outage.
For applications protected by the standard security profile:
- If you are connected to a trusted U of T network (excluding Wi-Fi and virtual private network (VPN) connections), you will not be prompted to authenticate with UTORMFA and you can continue to access the application as usual.
- If you are not connected to a trusted U of T network, you will be prompted with UTORMFA. Optionally, you may decide to trust your device and will only receive a UTORMFA prompt every seven days.
- If you have not enrolled in UTORMFA, you will not be prompted.
- Permissible authentication methods: Duo Push, Duo Mobile Passcode, hardware tokens and Security Keys (U2F and WebAuthn).
- Authentication will “fail open” in the event of a Duo outage. (See Note 2)
For applications protected by the hybrid security profile:
- The hybrid profile protects a group of users with “Enhanced” protection as defined above.
- All other users of that application are protected with “Standard” as defined above.
Note 1 – UTORMFA authentication methods:
- Push: You will receive a push notification on your UTORMFA registered mobile device. Tap on “approve” on the mobile device to complete the login process.
- Mobile Passcode: You can find the passcode for your UTORMFA account in the Duo mobile app on the registered mobile device. Type it into the text field, then click on “Log in” to log in to the service.
- Hardware Token: U of T will issue hardware tokens to users upon request and approval. If you have been issued a hardware token, you can click on the button on the hardware token to generate a One-time Passcode. Enter the One-time Passcode into the text field and click on “Log in” to log in to the service.
- Security Keys (WebAuthn & U2F): Insert your security key into your computer and touch it to activate the key. (An example of a Security Key would be the YubiKey.)
Note 2 – There are two fail modes available for each UTORMFA-protected web application: fail-open and fail-close. Application owners can decide which fail mode should be used for their applications.
- Fail-open: If there’s a service outage of UTORMFA, the Weblogin service will detect it and allow users to bypass the UTORMFA login screen to access the application.
- Fail-close: If there’s a service outage of UTORMFA, the Weblogin service will detect it and deny users’ access to the application.
To determine what login experience you should expect, please consult our list of applications using a hybrid or enhanced security profile.