Two-factor authentication: FAQ
Two-factor authentication (also known as 2FA) is an extra security measure used to protect UU’s data and apps. In this FAQ, you can find solutions to common 2FA issues.
This FAQ is divided into the following categories:
- General questions about two-factor authentication
- Practical matters
- Office 365 and 2FA
- VPNs and working from home
- Forgotten or lost passwords/two-factor authentication
- Questions about the YubiKey
1. General questions about two-factor authentication
We often use only a password (something you know) in order to log in to our app or services. This is an example of one-factor authentication. However, if someone cracks or guesses it, your data can be accessed by others. The two-factor authentication system adds an extra security layer in addition to your password: something you possess.
This second factor could be a mobile phone that generates a single-use code via an app or a physical USB stick (known as a YubiKey)*. You must then enter this code (also known as a token) after you have entered your password, so it’s an additional security measure. Banks have been using two-factor authentication for some time (e.g. a TAN or an identifier).
Two-factor authentication (also known as 2FA) therefore means you need two things to log in:
- something you know (your Solis ID and password)
- something you have (mobile phone app or YubiKey)
This means that your data – and ours – is much more secure as it is harder for malicious parties to access both your password and your two-factor authentication.
For more information on the most suitable method for you, see the section entitled ‘Which method is best for me?’
A variety of applications and services feature two-factor authentication as an extra layer of security and the number of services using 2FA is increasing. If two-factor authentication is required, you will be notified of this fact on screen when you log in. This notification (depending on the method you have chosen) looks like this:
Take the following steps when making use of an application or service that is protected by two-factor authentication:
- Log in as normal using your Solis ID and password.
- Ensure that you have your two-factor authentication with you (such as your mobile phone). You will need it to make use of any applications or services protected by 2FA.
- Generally, you will use two-factor authentication once a day for all services secured with 2FA.
There are three methods of two-factor authentication. Via https://mysolisid.uu.nl you can choose your prefered method and set it up. We recommend using the NetIQ app for your phone. You can only use one method at a time.
Do you have a visual or physical disability and would you like some advice on which method to use? If so, please contact the ICT Service Desk.
Method 1: your mobile phone using the NetIQ app (recommended)
This method is most convenient if you always have a mobile phone with you and you’d rather not have to enter a code. If an application asks you for two-factor authentication, you need only click on the ‘Accept’ button on your mobile phone. This method requires an internet connection on your mobile phone.
Method 2: the Google Authenticator app
This method is the most convenient if you always have a smartphone with you and you already use two-factor authentication via Google Authenticator for other applications and services. You will be provided with a six-digit code via your phone that you must then enter into the computer. This method does not require an internet connection on your mobile phone.
Method 3: a YubiKey (a physical USB stick that you must have with you)
If an application or service asks you for two-factor authentication, you must insert the USB stick into your computer’s USB port and press a button on the YubiKey. This will grant you access without having to enter a code or use a mobile phone.
Please note: you might still be using SMS as a verification method, we then recommend to switch to one of the methods mentions above. See this manual for more information: Two-factor-authentication: change method
You can do this in the MySolisID portal. If you visit https://mysolisid.uu.nl/mfa, the correct menu will automatically open and you will then be given step-by-step instructions to set up two-factor authentication.
Yes, this is usually the case. In any event, you will need a second device as you have to scan a QR code using your mobile device (e.g. smartphone) in order to activate two-factor authentication. The code that you scan using your mobile device must therefore be displayed on a different device.
You can change your chosen 2FA method by logging in to http://mysolisid.uu.nl/ and then clicking on “Two-factor authentication”. Then click on “settings” to view your recovery code (click “show”). Write or copy this down carefully and then click “Go back to overview”. Then you can click on “Deactivate with recovery code” and follow the rest of the instructions.
Once your 2FA has been deactivated you can set it up again using a different method. Go to https://mysolisid.uu.nl/mfa and follow the instructions for your chosen method.
More information can de found here: Two-factor-authentication: change method
2. Practical matters
I am using a single device.
This will not work. You need one device which displays the QR code and a tablet or smartphone to scan the QR code.
I am using two devices.
Tips for scanning the QR code properly:
- Make sure you do not move your phone while it is scanning. It can take a while to scan the code as your camera needs to focus on the QR code.
- Hold the phone one arm’s lengthfrom the screen – don’t hold it too close.
- Make sure that you capture the entire QR code while scanning.
- Make sure that only the QR code is shown on the screen while scanning.
- Do not hold any objects in front of the camera while scanning (such as your finger).
- Increase the brightness of your computer screen. This increases the contrast of the QR code, making it easier for your camera to scan.
Are you having camera problems?
- If your camera is not working, you cannot use the NetIQ or Google Authenticator app. In this case, use a Yubikey.
- The app does not open my camera automatically. Close and relaunch the app.
- Still not working? Restart your phone and try again.
If you have waited too long, you will no longer be able to scan the QR code. Close your PC browser and the app and start again.
It depends. There are two ways to use applications:
- If you are working on your own laptop or PC with a locally installed application (it will be in your Start menu or on your desktop in this case. By default, this is the case on UU laptops or desktops) your 2FA on that device – after the first login – will remain valid as long as your UU password will: 180 days (unless you change your password in the meantime).
- If you are using the web version, i.e. opening programs via your internet browser (e.g. Firefox, Edge, Chrome, etc.), your login will remain valid for as long as your session lasts. If you are inactive for more than 30 minutes, the session will end automatically. If you restart the web application, you will need to log in again with 2FA.
The Google Authenticator code (token) changes every 30 seconds. This is also the validity period of the code. Saving the code therefore serves no useful purpose.
Tip: there is always some delay between the code being displayed and the time in which you must enter the code. For example, if a code disappears from Google Authenticator after 30 seconds, you will still have a few extra seconds to enter it on the computer. If this is too quick for you, we recommend using NetIQ.
If you really don’t have any other option, you can request a YubiKey. However, you must always carry it with you and remember not to leave it in the computer when you are finished. See the section ‘YubiKey’ in the FAQs for more information.
In this case, there is one thing you can do: use a YubiKey. See the section ‘YubiKey’ in the FAQs for more information.
If you use an app on your mobile phone for two-factor authentication, then it is advisable to go and fetch your phone. To ensure the safety of your data and UU’s data (after all, this is the whole point of two-factor authentication), it is not possible for somebody else to arrange temporary two-factor authentication.
If your battery has no charge left, the only option is to borrow a charger to enable you to enter the two-factor code (token) into the application or service in question.
You will need to de-activate 2FA on your old phone and then set it up again on your new phone.
Do you still have the recovery code you received when setting up 2FA (and access to your old phone)? If so, you can use this code to reset your two-factor authentication yourself via https://mysolisid.uu.nl/mfa. Firstly, you must use this code to deactivate the method that you originally set up. You can then set up 2FA again.
If you did not save the recovery code, please contact the IT servicedesk.
Please contact the ICT Service Desk as soon as possible. They will be able to assist you, and if your UU mail is linked to your phone, they may also be able to remotely erase your phone data.
Certainly. If you choose the YubiKey option, then you will have to pick it up from one of UU’s IT information desks. It is also possible to buy one if you are abroad, although you should discuss this with your supervisor first (due to issues such as cost).
No. The requirement applies to everybody and two-factor authentication is built into each system. No exceptions can be made.
No, this is not possible. Your two-factor authentication – including any codes or the YubiKey – is strictly unique to you.
Two-step authentication for Linux users at UU will be no different than for Windows or Mac users.
3. Office 365 and 2FAWithin now and 14 days you will be asked to enter your 2FA for the first time when starting Teams and Office 365 applications. This moment may differ per device.
None. The use of 2FA only applies to UU staff and students. They will need to login with their Solis-id, password and 2FA to gain access to Teams and Office 365. External users do not need to set up 2FA and can continue working within Teams as trusted users with their colleagues of Utrecht University.
That depends on the type of Yubikey you have. Some versions you can plug into your phone (this also depends on the connection you have on your phone). An example of such a model that you can plug into your phone is the USB-C variant. There are also NFC variants that work wirelessly (similar to the technology used with the campus card when you go printing). For advice on your specific situation, please contact the ICT Service Desk.
Often, they do. For specific situations (e.g. laboratories), customisation is available. If necessary, contact your information manager to look for a suitable solution.
That depends on the version. Outlook 2016 (Windows or Mac) and newer versions work without problems with 2FA. Older versions probably do not. Moreover, older versions (than 2016) are vulnerable due to the lack of crucial security updates.
Every UU employee and student has several free licenses. This means that you can install the latest version of Office on various (private) devices at no extra cost as long as you work or study at UU. To install, log in to the Office 365 platform (https://www.office.com) with your Solis ID and password. You will then see the button “Install Office” at the top right.
4. VPN and working from home
Two-factor authentication is required to gain access via the AnyConnect VPN. You will therefore need two-factor authentication in addition to your Solis ID and password.
5. Forgotten or lost two-factor authentication
Do you no longer have the app or is it blank (e.g. Google Authenticator), do you have a different phone or have you lost your YubiKey? And have you lost or forgotten your recovery code? If so, please contact the ICT Service Desk.
Do you still have the recovery code you received when setting up 2FA? If so, you can use this code to reset your two-factor authentication yourself via https://mysolisid.uu.nl/mfa. Firstly, you must use this code to deactivate the method that you originally set up. You can then set up 2FA again.
You will need this recovery code if you lose your mobile phone or are no longer able to access your current two-factor authentication. You can use the recovery code to set up your two-factor authentication again.
You must store this code in a safe place that is only accessible to you. We do not recommend storing the recovery code in a UU location (such as the U or O drive), as this will mean you can’t access it if you ever need it. Some password managers allow you to save recovery codes.
Are you going to be going abroad for a long period of time, such as a holiday or a business trip? If so, then we recommend copying the recovery code and taking it with you.
6. Questions about the YubiKey
A YubiKey is useful if you are unable to use two-factor authentication via a smartphone app.
You can request one via the ICT Service Desk, or you can also buy one yourself. Here are a few options:
Please contact the ICT Service Desk for advice.
In that case, you probably can’t use a YubiKey. Please contact the ICT Service Desk for advice.
USB Type A connectors are the standard and available from UU. If this does not suit your device, it’s also possible to request a USB-C type connector. If you require yet another type of USB connector, then we recommend discussing your options with your supervisor.
No, the YubiKey is strictly personal and can only be used by the person who requested it. It may not be loaned to third parties or used by others.
Please contact the ICT Service Desk as soon as possible.
If you encounter this problem often, it would be better to select a method that uses a smartphone app.
Is this not possible? In such cases, it is possible to get a YubiKey with NFC or a USB connector that is compatible with your mobile phone. However, as these are exceptional cases, UU does not have these in stock. To order one, please contact your supervisor.
Last modified: 27/07/2021