For logging into your Mac, the login window will ultimately look the same and be ready for you to enter your username and password, ie - your eServices information. There is no longer any option for password hints, though accounts created from Active Directory never had them previously, so this is a change that will largely be unnotived.
All campus owned non-lab computers will be encrypted with Apple’s FileVault 2 disk encryption. When you log into your assigned computer for the first time, your user account will be granted what is called a Secure Token. This is what allows for your user account to decrypt the computer after a reboot or other startup. If the Mac is going to be used by multiple users, you will want to inform ITS during the transition to ensure that all users are granted a Secure Token and are able to use the computer after a reboot or other startup.
One change that you will encounter if your computer previously had FileVault enabled will be that the FileVault unlock window will have changed to look identical to the standard login window. This change is to ensure that a layer of security by not exposing one half of your login information in the form of the username. Where this might be a little confusing is that the computer does not complete the entire login process from the FileVault unlock window and you will ultimately be entering your credentials twice after a reboot or other startup. Since you should be leaving your Mac on for remote management and application maintenance, you will not encounter this situation often, so the security benefit has been determined to outweigh the slight inconvenience it might cause.
At this time, the only users who will need to go through Duo Multi Factor Authentication will be those who have been granted VPN access to their campus owned Mac desktop. Due to how macOS does not discriminate between local and remote logins, those who utilize VPN access to their campus Mac desktop will have to go through Duo at every login.
Unlocking your active session
Up until now, TouchID has been able to be configured only during the initial login. After discussion and verification of how it works, TouchID will be fully functional to setup during the initial login and also able to be configured in System Preferences. For more information on TouchID, you can read further at this link.
For security reasons, unlocking with an Apple Watch will still not be allowed, since it does not conform to the standards we have to be compliant with.