Multi-factor authentication (MFA)

You can use almost any modern Windows, macOS, Android and iOS devices and FIDO2-compatible USB/NFC keys as passkeys and security keys. Your phone's passkey can be when signing in to any compatible computer, but computer passkeys (also known as security keys) work only when signing in using the registered device.

Authentication with your device uses the same method you use to unlock the device itself. Before you start to register a security key or passkey for MFA, your device must use some way to unlock it, e.g., fingerprint or facial recognition. If you can unlock the device with your chosen method, it has been set up properly and you can continue to register the device.

Windows: Settings > Accounts > Sign-in options (intranet: Login with PIN code or fingerprint)

macOS: System Settings > Touch ID & Password (Apple: Use Touch ID on Mac)

iOS: Settings > Face ID / Touch ID & Passcode (Apple: Use Face ID on your iPhone or iPad Pro, Apple: Use Touch ID on iPhone and iPad)

Android: Use the search in the settings app to find out where biometrics are set up. Samsung Galaxy: Security and Privacy > Biometrics ​> Fingerprints (Samsung: Use the fingerprint sensor on your Galaxy phone or tablet)

Start the registration by opening https://idm.utu.fi and click on "Multi-factor authentication (MFA) settings". Log in, and if you've already registered some MFA method, you need to use it at the login.

After you've logged in, click the "Signing in" link.

On the next page you can register your passkey by clicking on "Set up Security key".

After clicking on "Register" (1.) your browser starts the passkey registration where you must choose to use a phone or tablet (2.), read the QR code using the device's camera (3.), and give a recognisable description for the method (4., for the label you should enter the device and method, e.g., "iPhone 15 Passkey").

After this your phone is on the "Security key" list with the given name.

Start the registration by opening https://idm.utu.fi and click on "Multi-factor authentication (MFA) settings". Log in, and if you've already registered some MFA method, you need to use it at the login.

After you've logged in, click the "Signing in" link.

On the next page you can register your security key by clicking on "Set up Security key".

After clicking on "Register" (1.) your browser starts the security key registration where you can choose which authentication method you want to use (2.), use the authentication method confirm its use (3.), and give a recognisable description for the method (4., for the label you should enter the device and method, e.g., "Laptop fingerprint").

On Windows the computer's PIN code and/or facial recognition can be alternatives in addition to the fingerprint recognition, but all methods work equally for MFA even if you use one of them during registration.

After this the device is on the "Security key" list with the given name.

The one-time codes used by the university's MFA are compatible with all authenticator applications. If you already use an authenticator app, use it also with your UTU account.

Recommended applications for Androids and iPhones (iOS):

• FreeOTP: Google Play Store / Apple App Store
• Microsoft Authenticator: Google Play Store / Apple App Store
• Google Authenticator: Google Play Store / Apple App Store
• Apple iCloud Keychain (part of iOS)

Download the applications from your phone's application store, or click on the links above to get the authentic application.

If you cannot use a smartphone, you can use the KeePass password manager on your computer (available for university's Windows computers from the Software Center).

Start the registration by opening https://idm.utu.fi and click on "Multi-factor authentication (MFA) settings". Log in, and if you've already registered some MFA method, you need to use it at the login.

After you've logged in, click the "Signing in" link.

On the next page click on "Set up authenticator application".

Next you're on the page where our authenticator application is registered for your UTU account. Open your authenticator app, add a new account and scan the QR code using the application, or copy the settings from the "Unable to scan" link. Detailed instructions for the recommended applications are available on the intranet page Authenticator applications.

Enter your phone model and application name to the "Device Name" field.

Enter the changing six-digit code shown by the authenticator app to the "One-time code" field and click "Submit" before the code expires (if the code expires in the application, you need to enter the new code to the registration form)

The registered application is on the "Authenticator application" list with the given name.

When you've registered one or more MFA methods for use, you can use them to log in to services requiring MFA. The MFA confirmation is asked after you've signed in with your UTU account and password.

The MFA method you have registered first is asked by default. You can change to a different type by clicking on the "Use another MFA method" link.

You can practice and try out the different MFA methods at https://mfa-test.utu.fi.

Signing in with passkeys and security keys

The "Security key" list shows you the passkeys and security keys registered to your UTU account. You cannot select a certain key, since your browser handles the authentication process. Click the "Sign in with Security Key" button (1.), choose which kind of key you want to use (2.) and follow the instructions shown by the browser for the chosen MFA method.

Signing in with an authenticator app

Open your registered authenticator application and enter the code shown for the "UTU SSO" account to the "One-time code" field and click "Log in" before the code expires. If the code expired in the app, enter the new valid code from the app to the field.

If you have registered multiple authenticator applications, select the one you want to use to enter the code.