Multi-factor authentication (MFA)

Multi-factor authentication (MFA) protects your UTU user account and the information available to you, by asking for an additional confirmation at login. With MFA you can access services that require stronger authentication.

There are two kinds of MFA methods:

  1. Passkeys and security keys use identification features in devices: fingerprint readers, facial recognition, possession of a USB/NFC key. We recommend registering passkeys and security keys for you personal devices first, since they are the easiest to use daily.
  2. Authenticator applications print out six-digit one-time codes you enter to the MFA login. Registering an authenticator is recommended because of its compatibility.

We recommend that you enroll at least two MFA methods. This way you can still log in using your backup method if your primary method isn't with you or is out-of-order. You can choose during login how you want to give the additional confirmation – for example by using your mobile phone's facial recognition, your computer's fingerprint reader, or using an authenticator application when using a Horizon remote desktop.

Registering passkeys and security keys

Required preparations

You can use almost any modern Windows, macOS, Android and iOS devices and FIDO2-compatible USB/NFC keys as passkeys and security keys. Your phone's passkey can be when signing in to any compatible computer, but computer passkeys (also known as security keys) work only when signing in using the registered device.

Authentication with your device uses the same method you use to unlock the device itself. Before you start to register a security key or passkey for MFA, your device must use some way to unlock it, e.g., fingerprint or facial recognition. If you can unlock the device with your chosen method, it has been set up properly and you can continue to register the device.

Windows: Settings > Accounts > Sign-in options (intranet: Login with PIN code or fingerprint)

macOS: System Settings > Touch ID & Password (Apple: Use Touch ID on Mac)

iOS: Settings > Face ID / Touch ID & Passcode (Apple: Use Face ID on your iPhone or iPad Pro, Apple: Use Touch ID on iPhone and iPad)

Android: Use the search in the settings app to find out where biometrics are set up. Samsung Galaxy: Security and Privacy > Biometrics ​> Fingerprints (Samsung: Use the fingerprint sensor on your Galaxy phone or tablet)

Registering a mobile device as a passkey

Start the registration by opening https://idm.utu.fi and click on "Multi-factor authentication (MFA) settings". Log in, and if you've already registered some MFA method, you need to use it at the login.

After you've logged in, click the "Signing in" link.

On the next page you can register your passkey by clicking on "Set up Security key".

After clicking on "Register" (1.) your browser starts the passkey registration where you must choose to use a phone or tablet (2.), read the QR code using the device's camera (3.), and give a recognisable description for the method (4., for the label you should enter the device and method, e.g., "iPhone 15 Passkey").

After this your phone is on the "Security key" list with the given name.

Registering a computer as a security key

Start the registration by opening https://idm.utu.fi and click on "Multi-factor authentication (MFA) settings". Log in, and if you've already registered some MFA method, you need to use it at the login.

After you've logged in, click the "Signing in" link.

On the next page you can register your security key by clicking on "Set up Security key".

After clicking on "Register" (1.) your browser starts the security key registration where you can choose which authentication method you want to use (2.), use the authentication method confirm its use (3.), and give a recognisable description for the method (4., for the label you should enter the device and method, e.g., "Laptop fingerprint").

On Windows the computer's PIN code and/or facial recognition can be alternatives in addition to the fingerprint recognition, but all methods work equally for MFA even if you use one of them during registration.

After this the device is on the "Security key" list with the given name.

Registering an authenticator application

Installing an authenticator application

The one-time codes used by the university's MFA are compatible with all authenticator applications. If you already use an authenticator app, use it also with your UTU account.

Recommended applications for Androids and iPhones (iOS):

Download the applications from your phone's application store, or click on the links above to get the authentic application.

If you cannot use a smartphone, you can use the KeePass password manager on your computer (available for university's Windows computers from the Software Center).

Registering the authenticator application

Start the registration by opening https://idm.utu.fi and click on "Multi-factor authentication (MFA) settings". Log in, and if you've already registered some MFA method, you need to use it at the login.

After you've logged in, click the "Signing in" link.

On the next page click on "Set up authenticator application".

Next you're on the page where our authenticator application is registered for your UTU account. Open your authenticator app, add a new account and scan the QR code using the application, or copy the settings from the "Unable to scan" link. 

More detailed instructions for the recommended applications are available on the MFA intranet page.

Enter your phone model and application name to the "Device Name" field.

Enter the changing six-digit code shown by the authenticator app to the "One-time code" field and click "Submit" before the code expires (if the code expires in the application, you need to enter the new code to the registration form)

The registered application is on the "Authenticator application" list with the given name.

Signing in with MFA

Using the different MFA methods

When you've registered one or more MFA methods for use, you can use them to log in to services requiring MFA. The MFA confirmation is asked after you've signed in with your UTU account and password.

The MFA method you have registered first is asked by default. You can change to a different type by clicking on the "Use another MFA method" link.

You can practice and try out the different MFA methods at https://mfa-test.utu.fi.

Signing in with passkeys and security keys

The "Security key" list shows you the passkeys and security keys registered to your UTU account. You cannot select a certain key, since your browser handles the authentication process. Click the "Sign in with Security Key" button (1.), choose which kind of key you want to use (2.) and follow the instructions shown by the browser for the chosen MFA method.

Signing in with an authenticator app

Open your registered authenticator application and enter the code shown for the "UTU SSO" account to the "One-time code" field and click "Log in" before the code expires. If the code expired in the app, enter the new valid code from the app to the field.

If you have registered multiple authenticator applications, select the one you want to use to enter the code.