Common questions about multi-factor authentication (MFA), the move from Duo to Microsoft, and the sign-in experience used across University of Maine System (UMS) accounts and applications.
Contents
Detailed Information
What is multi-factor authentication (MFA)?
Multi-factor authentication (MFA) adds a second proof of identity beyond your password, such as a passkey or an app notification. It protects your account even if someone learns your password. MFA is required on all UMS accounts and on applications that use Microsoft sign-in.
ℹ️ For more information: What is Multi-Factor Authentication (MFA)?
Why are we moving from Duo to Microsoft Entra?
UMS is moving multi-factor authentication from Duo to Microsoft Entra. This brings your sign-ins into one consistent Microsoft experience, extends MFA protection across more accounts and applications, and adds stronger, more modern sign-in options. It also lets UMS retire older systems and make better use of tools already included in our Microsoft license.
What is different from Duo?
Duo and the new Microsoft system do the same core job: after your password, they ask you to confirm it is really you. Many of the same options you may have used with Duo, such as passkeys or an authenticator app, are available with Microsoft too.
The biggest difference is that Microsoft does more than just the verification step. It also provides single sign-on (SSO). Single sign-on means one sign-in gives you access to many connected UMS applications, so you are asked to verify far less often as you move between them. Duo handled only the verification step and did not connect your sign-ins together this way.
A few things you will notice:
What are the benefits of moving from Duo?
- Stronger protection: passkeys and security keys are phishing-resistant, meaning they cannot be tricked by a fake sign-in page.
- Fewer prompts: one sign-in works across connected applications instead of separate prompts for each.
- More choices: use a passkey, a security key, or the Microsoft Authenticator app, whichever fits your devices.
How do I move from Duo?
If you are already set up with Duo, you can keep using Duo for now. No immediate action is required.
If you would like to switch to the new Microsoft sign-in, add a sign-in method:
- Go to your Security info page (aka.ms/mysecurityinfo) and sign in.
- Select Add sign-in method.
- Follow the setup guide for your device.
ℹ️ For more information: Add MFA Sign-in Method: Getting Started, or browse all How-To Guides.
Optionally, once your new method is working, you can remove Duo as a sign-in option. In your list of sign-in methods, Duo is listed as UMS MFA (external mfa). See Remove an MFA Sign-In Method from Your UMS Account.
What sign-in methods can I use?
You can use any of the following:
- Passkeys (recommended): Windows Hello on a UMS Windows computer, iCloud Keychain on Apple devices, Google Password Manager in Chrome, or a YubiKey security key.
- Microsoft Authenticator app: an acceptable fallback using a push notification you approve on your phone.
Text message (SMS), phone call, and email codes are not offered as MFA methods.
ℹ️ For more information: MFA Authentication Methods
How do I set up MFA for the first time?
Go to your Security info page (aka.ms/mysecurityinfo), sign in, and select Add sign-in method. Then follow the on-screen instructions for your selected method.
ℹ️ For more information: Add MFA Sign-in Method: Getting Started, or browse all How-To Guides.
I got a new phone. What do I do?
How you move your MFA depends on the method you use. See Got a New Phone? How to Move Your MFA.
I do not have a smartphone. What are my options?
You can request a YubiKey security key that plugs into your computer. See Getting a Hardware Security Key (YubiKey).
I lost my phone or I am locked out.
If you have a backup sign-in method, use it to sign in and then remove the lost device from your Security info page. If you have no backup method, contact the IT Service Desk.
ℹ️ For more information: What to Do If You Lose Your Phone or Security Key (MFA)
I am seeing an error message when I sign in.
Common sign-in errors and how to resolve them are explained in a dedicated article.
ℹ️ For more information: Common Sign-In Error Messages
Will MFA work when I travel internationally?
Yes. Passkeys and the Microsoft Authenticator app work without a cellular signal, so they work while traveling. As a precaution, set up your sign-in method before you leave.
Does this affect my personal devices?
You can save a synced passkey to your personal phone or computer for convenience. Never save a passkey to a shared or public computer, such as a lab machine, because anyone using that computer could then sign in as you.
Why do I keep getting asked to sign in again?
This is normal and depends on the device you are using.
ℹ️ For more information: MFA Sign-In Experience: What to Expect
My question was not answered here.
If your question was not answered here, leave feedback below to let us know what is missing, or contact the IT Service Desk for help.
Environment
- All UMS accounts and applications that use Microsoft Entra sign-in
- Windows, macOS, iOS, Android, and web browsers