Frequently Asked Questions
UtahID Help
General
What is the difference between UtahID and Single Sign-on (SSO)?
- UtahID is the State of Utah’s identity provider and the standard method of authentication.
- Single Sign-on is a system that allows a user to access multiple independent services (i.e., applications) from a secure single login session.
Passwords
How do I reset my UtahID password?
If you know your current UtahID password and you want to reset it, you can simply log in to UtahID, go to Change Password in the Security tab, confirm your current password, and type in a new password.
If you’ve forgotten your password, first go to the UtahID login page and select Forgot Password. You’ll be asked to type in your username/email and your last name. You can receive a one-time passcode (OTP) in a few ways, depending on the contact information you set up in your profile:
- via an email to the primary or backup email address in your profile, or
- via a text to the primary or backup phone number in your profile.
When my UtahID account is locked after three failed password tries, how long is the account locked?
If you are locked out of your UtahID account, the first lockout is ten minutes, the second lockout is thirty minutes, and the third lockout is ninety minutes.
What are the password requirements?
- The minimum number of characters is eight.
- Your password must include at least one character from at least three of the four following character sets: uppercase letters, lowercase letters, numbers, and special characters.
Is there a help desk to reset my password for me?
No; to ensure the security of your identity and credentials, the DTS Help Desk will no longer be able to reset passwords. Instead, we have multiple options to reset your password, and if you are unable to reset your password using those options, you’ll need to create a new UtahID.
Will I be required to change my password on a set schedule?
You may be required to reset your password depending on the services you access.
Validate Email/Mobile Phone
Am I required to validate my email address to set up a UtahID account?
Yes. For security and account maintenance, including password recovery, it is a requirement to validate your email address to set up a UtahID account.
Am I required to validate my mobile phone number to receive text messages?
Yes. For security and account maintenance, including password recovery, you are required to validate an entered mobile phone number to receive text messages.
Two-Factor, or Multifactor, Authentication
What does two-factor, or multifactor, authentication mean?
Two-factor, or multifactor, authentication is using two or more different factors to achieve authentication. Factors include:
- something you know (e.g., a password or a PIN),
- something you have (e.g., a cryptographic identification device, a hard or soft token), or
- something you are (e.g., biometric identifiers like your fingerprint or voice).
Source(s): NIST SP 800-53 Rev. 4 under Multifactor Authentication. See Authenticator.
What options for two-factor authentication are approved for citizen use?
- an SMS text message,
- an email, or
- a UtahID authenticator (mobile app that generates a soft token/code).
UtahID Authenticator App FAQ
General Troubleshooting Tip: If you are receiving errors when trying to use the UtahID Authenticator app or if the notification is not being triggered, generally restarting your iPhone will resolve the issue. Otherwise, please read through the FAQ for other tips and resolutions.
Where can I find instructions on how to register the UtahID Authenticator app?
https://dts.utah.gov/utahid-help/utahid-authenticator
How do I complete the 2FA login process when using the UtahID Authenticator app?
After entering your UtahID username and password, you will be presented with the below screen:
Can the UtahID Authenticator app be installed on multiple mobile devices?
No, it cannot. A UtahID account can only have a single installation of the UtahID Authenticator app tied to it.
After entering my UtahID and password, the message on the screen says “Please respond on your mobile device”, but I am not receiving a notification.
If a notification is not popping up on your mobile device, try going directly into the app and follow these steps (The below screenshots are from the iPhone app. The Android app may look slightly different):
- In the app under “My Accounts”, you should see a bell icon with a notification indicator. Tap on that row.
- The next screen will again show an indicator showing that you have a notification. Tap again.
- Finally, this last screen will show you the Pending Authentication Request, tap on it, and the next screen will show you the “Accept” and “Reject” buttons.
If the notification displayed in the above screenshots is not being displayed in the app, first close the app on your mobile device. Then back on the login screen, click “Start Over” to re-enter your username and password.
My UtahID is no longer being displayed on the “My Accounts” screen in the app. How can I add it back?
If you’ve uninstalled and reinstalled the app, that is the most likely cause of your UtahID no longer being displayed. To add it back, follow these steps:
- From a laptop or PC, remove Push Authentication. Instructions can be found here: https://dts.utah.gov/utahid-help/utahid-removing-mfa-options#authtwofa
- Once Push Authentication has been removed, you can re-register. This is the only way to return to the screen with the QR Code, which is required to register the app. Instructions can be found here: https://dts.utah.gov/utahid-help/utahid-authenticator
IMPORTANT: When re-registering the UtahID Authenticator app, you will be given a new set of Recovery Codes. Remember to save these Recovery Codes, and replace your old set of codes.
I’m trying to authenticate using the UtahID Authenticator app, but I’m receiving an error message stating that “there are no registered devices found”. How can I fix this?
Typically, restarting your iPhone will resolve this. After a restart, try logging in again and you should receive the 2FA notification.
Why is the UtahID Authenticator app also asking for Face ID or Touch ID?
When initially installing the UtahID Authenticator, depending on the model of your iPhone you will be asked if you also want to enable Face ID or Touch ID when using the app. If you enable either of these features, then in addition to tapping “Accept”, you will also need to authenticate on your iPhone by either using Face ID (allowing the iPhone camera to recognize your face), or Touch ID (tapping your fingerprint on the Home button) to continue.
How can I use the UtahID Authenticator app in an AT (Testing) environment?
Push authentication has to be registered individually in each environment. This is due to how the application interacts with the messaging services and the authentication environment.
You should be prompted to register a device when logging into the AT and DEV environments if Push is the only thing on your production account.
If you do not see a prompt, then to manually register a device in AT or Dev you can do the following:
- Login to id.utah.gov.
- On the Security tab, find the multifactor options and select "Add a new factor".
- This will log you out. Do not log back in yet.
- Browse to the AT or Dev site of your choice.
- Upon login, it will prompt you to register a new MFA device.
- Register Push.
You can do this for both AT and DEV if you want to use push with both of those environments.
Yubikey FAQ
Where can I find instructions on how to register my Yubikey?
https://dts.utah.gov/utahid-help/utahid-yubikey
How do I login using a Yubikey?
After entering your username and password, you’ll see the below prompt. If you haven’t already inserted the Yubikey into a USB port, do so now, then press it to activate.
How much does it cost to replace a lost or stolen Yubikey? Or to order more for additional staff?
DTS will be maintaining an inventory of Yubikeys through a subscription service.
How can I remove a Yubikey from my UtahID account?
The instructions are documented here: https://dts.utah.gov/utahid-help/utahid-removing-mfa-options#yubikeytwofa. Please note that users can only remove a Yubikey from their own UtahID account. At this time, there is no Administrator option to do so.
If an employee with a Yubikey leaves, can it be re-issued to another employee?
Yes. The employee should first remove the Yubikey option from their UtahID. The instructions are documented here: https://dts.utah.gov/utahid-help/utahid-removing-mfa-options#yubikey.
However, if they fail to do so, the Yubikey can still be registered by the new employee. The instructions are documented here: https://dts.utah.gov/utahid-help/utahid-yubikey.
After inserting the Yubikey, my browser asks me if I want to store the password. Should I?
NO. After inserting the Yubikey, if you are asked to update the stored password in your browser, DO NOT allow the browser to do so. It will actually replace your stored UtahID password. Since this new password does not match your actual UtahID password, you will receive the “Your User Name and/or Password are incorrect.” error message, and continued attempts to use this incorrect password will lock you out.
How can I use the Yubikey in an AT (Testing) environment?
The Yubikey works across multiple environments. The authentication process will be no different between AT and Production environments.
Authentication General Questions
What if I lost or misplaced my mobile phone or Yubikey and need to login?
When registering the UtahID Authenticator app or Yubikey, you’ll be presented with 10 one-time use recovery codes to be used in this scenario. Save them in a place where you do not need your mobile phone or UtahID in order to access them. Printing a copy is also recommended. These recovery codes can be used to log in if your mobile phone or Yubikey is unavailable. Be aware that each code can only be used once. It is very important to have access to your recovery codes, as it will be the easiest method to access your account.
After entering your username and password, you will be presented with the option to “respond on your mobile device” or to sign in “using a security key”:
- Click “Cancel”
- Click on “Try a different way”
- Click on “Recovery Codes”
- Enter one of your Recovery Codes, and then click the “Continue” button
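How a service can enforce the one-time-use property of the 10 recovery codes described above, as an added example that is not UtahID's own code. The class name, code format, and keyed-hash storage are assumptions, as is the rule that issuing a new set invalidates the old one.

```python
import hashlib
import hmac
import secrets

CODES_PER_SET = 10  # the page states 10 one-time-use recovery codes per set


class RecoveryCodeStore:
    """Hypothetical server-side store: user -> set of unused code digests."""

    def __init__(self, server_key=None):
        # Keyed hashing: a leaked table cannot be brute-forced without the key.
        self._key = server_key or secrets.token_bytes(32)
        self._unused = {}

    def _digest(self, code):
        # Normalise what the user typed (dashes, spaces, case) before hashing.
        norm = code.replace("-", "").replace(" ", "").lower()
        return hmac.new(self._key, norm.encode(), hashlib.sha256).hexdigest()

    def issue(self, user):
        """Generate a fresh set; codes from any earlier set stop working."""
        codes = []
        for _ in range(CODES_PER_SET):
            raw = secrets.token_hex(8)  # 64 random bits, assumed format
            codes.append("-".join(raw[i:i + 4] for i in range(0, 16, 4)))
        self._unused[user] = {self._digest(c) for c in codes}
        return codes  # shown to the user once, to be saved offline

    def redeem(self, user, code):
        """Accept each code at most once; compare digests in constant time."""
        candidate = self._digest(code)
        unused = self._unused.get(user, set())
        match = None
        for stored in unused:  # scan every entry, no early exit
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        unused.discard(match)  # burn the code so a replay fails
        return True

    def remaining(self, user):
        """Number of unused codes left, e.g. to prompt the user to regenerate."""
        return len(self._unused.get(user, ()))
```

Failed redemptions would count toward the same lockout policy as failed password attempts; that wiring is left out here.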
What if I forgot to save my Recovery Codes during initial registration? Can I still retrieve them? Or if I’m running low on Recovery Codes? Can I generate more?
Yes. Login to id.utah.gov, and select “Security”. Scroll down to the “Multi-Factor” section, and follow the instructions listed under “Recovery Codes”.
Is it important for me to save my Recovery Codes and be able to access them?
YES
What if I cannot access my Recovery Codes?
When presented with the option to “respond on your mobile device” or to sign in “using a security key”:
- Click “Cancel”
- Click on “Try a different way”
- Click on “I don’t have any of these”
- The screen will present multiple options.
- The “Email code to Agency Security” option should only be a last resort if the user does not have access to their Recovery Codes, or is not on-site to receive a spare Yubikey. At this point in time, this Agency Security email is not monitored 24/7.
- Agency Security will reach out to the user with the security code. Please note that this is a one-time use security code.
- It is highly recommended that the security code is used to login to id.utah.gov. From there, the user should access the “Security” section, and re-generate Recovery Codes that can be used for the rest of the day.
I have access to another delegated Gmail account. Do I need to use 2FA when accessing it?
You’ll access the delegated Gmail account the same way, and 2FA will not be required.
However, if the owner of that delegated account needs to log in directly, for example to change the password, they will need to use 2FA. If the owner of the account is using the UtahID Authenticator app, they can add that account to the app. If the owner of the account is using a Yubikey, they can add that account to the Yubikey as well.
I’m receiving an error message that says “UtahID Session Expired”. How do I resolve this?
This is most likely due to your workstation being set to the wrong time. Once the time has been corrected, you should be able to login without issue.
Links
- General UtahID Help: dts.utah.gov/utahid-help
- Click on the “Multi-Factor Authentication” icon for 2FA specific instructions for registering the UtahID Authenticator app or Yubikey.
- Direct link to Multi-Factor Authentication section: dts.utah.gov/utahid-help/multi-factor-auth
Definitions
2FA
Short for Two-Factor Authentication
Push
Push Notification Authentication enables authentication by sending a push notification directly to a secure application on the user’s device, alerting them that an authentication attempt is taking place. The UtahID Authenticator app is a Push solution.
Recovery Codes
When registering a Push or WebAuthn device, a set of 10 one-time-use codes is generated; a code can be used in place of the device or app if needed. If you save these codes, please save them in a secure place, as they are as important as securing your token or mobile device.
Security Key
A physical device attached to your computer that enables authentication when the user attempts to login. The physical device that will be used by DHS staff is the Yubikey 5 NFC.
WebAuthn
WebAuthn allows users to login to internet accounts using their preferred device (i.e. token, fob, etc). Web services and apps using WebAuthn provide an easier login experience via biometrics, mobile devices and/or FIDO security keys with much higher security over passwords alone. Yubikey is a WebAuthn solution.
Miscellaneous
When receiving SMS/text messages, do carrier charges apply?
It depends on your cell phone carrier. Contact your provider for more information on this.
If I update my home or work address in UtahID, will it change it anywhere else?
Updating your home address in UtahID will not change your address anywhere else at this time. Please contact the agencies you do business with in order to submit address changes.
What happens if my email address is not accessible or I no longer have access to my email account?
If your email is not accessible, you will be required to create a new UtahID with a different email address.
Contact Us
Toll Free: 800-678-3440
Salt Lake Area: 801-538-3440