MFA FAQs

If your question is not listed below, please contact the Support Center (help@ucsc.edu or 831-459-4357)



GENERAL


What is Multi-Factor Authentication (MFA)? Multi-Factor Authentication (MFA) is a method of system access control in which a user is only granted authorization after successfully providing a second authentication method beyond the basic username/password. MFA combines knowledge (something you know) with possession (something you have). At UCSC, MFA will combine CruzID and Gold password with cell phone, landline phone, tablet, hardware token or one time use passcode. Duo Security is the vendor facilitating the ‘possession’ half of MFA at UCSC.



Why do I need this? Passwords are becoming increasingly easy to compromise. They can be stolen, “phished”, guessed, and hacked. New technology and hacking techniques, combined with the limited pool of passwords most people use for multiple accounts, increase vulnerability. UCSC is also scheduled to begin using the new UCPath system in late 2019. Access to the UCPath system requires Multi-Factor Authentication (MFA). In order to avoid conflict with the launch of the UCPath project, all users must be enrolled in MFA by the deadline in October 2019.



What devices are supported? UCSC supports a range of electronic devices including:

  • iOS smartphones and tablets
  • Android smartphones and tablets
  • Blackberry devices
  • Windows phones
  • Basic cell phones with and without text message capabilities
  • Landlines (Desk Phones)
  • Hardware tokens

It is strongly recommended that you add an additional device to your MFA account to serve as a backup. This additional device could be a desk/landline, tablet or trusted family/friend phone number. Please follow the Add a New Device instructions. Be sure to Manage Devices and set up the correct phone number as your default. If you are a DC-VPN user and want to receive a phone call to your backup (not default) device, enter ‘phone2’ (or push2, sms2) into the Second Password field.



How often do I need to use MFA? As of now, most online services are set to time out after 12 hours. However, some applications contain sensitive data and will require an additional MFA authentication. Also, some of these applications may time out sooner than 12 hours.



What is a passcode? How does it differ from a password? A passcode is a one-time use number utilized for MFA (provided by Duo) via the Duo Mobile App - Passcode option, text message or token. For most online applications, after authenticating first with your CruzID and Gold password, the passcode is entered into the 2nd login window, in the `Enter a Passcode` field. DC-VPN users will enter the passcode into the Cisco AnyConnect ‘Second Password’ field. For Cisco AnyConnect DC VPN, the password field refers to your UCSC Gold password, which is reused for all logins.



I don’t have a smartphone, basic cell phone, landline, tablet and/or am unable to use MFA. All users are required to use MFA. If you have concerns about meeting this requirement, please open a Support Ticket, call: 831-459-HELP (9-4357), or email: help@ucsc.edu.



I recently graduated, and did not sign up for MFA. Do I still have to? No. As soon as the Registrar's Office categorizes you as a prior student instead of active, you will no longer be prompted to MFA.



I missed my requirement deadline. What do I do? Have your authentication device (such as your phone) ready. If you do not have an authentication device, contact the ITS Support Center (help@ucsc.edu or 831-459-4357) for assistance. Log into any application that requires you to use your Gold password. Follow the instructions for setting up and enrolling a device on our device enrollment page. You need to successfully set up your verification device before you can enter the application. If you can only use a hardware token, contact the ITS Support Center. After you have set up your device, you can start using it to authenticate. For instructions on how to authenticate into CruzID Gold systems, please view our authenticate with MFA page.



If I use my personal phone number for MFA, where does that phone number go? Can/will it be used for other purposes? Phone numbers provided for MFA are stored by the Duo Security vendor. They are not used by or transmitted to any other UCSC service or system. See Duo's General Privacy Notice for more information on their privacy policies.



Why isn't "X" feature offered? What is the comprehensive list of features offered by Duo Security? The Duo plan the campus is on is called Duo MFA. To see if a feature is supported on our current plan, please visit the documentation section on Duo Security's website.



How does DUO use my data? Please visit the DUO Privacy section of their website to see details.



DEVICE SELECTION


What methods can I use to authenticate? Based on preferences and device availability, there are several convenient authentication methods. Users must first enroll their desired devices in CruzID Manager.

  • Push Notification via Duo Mobile App: If the Duo Mobile App is installed on a smartphone or tablet, a push notification is received to either approve or deny the authentication attempt. No manual entry of a passcode is required at login. This is the most popular method, since it takes only a single button press to MFA (vs. typing a passcode per login).
  • Text Message (SMS): A batch of one-time use passcodes is sent via text message. An unused passcode is then entered into the ‘Second Password’ field of Cisco AnyConnect.
  • Phone Call: A telephone call to any cell phone or landline will prompt approval or denial of the authentication attempt.
  • Passcodes via Duo Mobile App: If the Duo Mobile App is installed on a smartphone or tablet, a single passcode is retrieved by tapping the key image next to "University of California Santa Cruz" in the mobile app. This passcode is entered into the ‘Enter a Passcode’ field on the Duo Authentication page.
  • Hardware Token: A small, lightweight keyfob that can be attached to your keychain. Pressing the button on the keyfob will generate a passcode for you to use with MFA. Tokens can be obtained by contacting the ITS Support Center.



How many devices can I set up? Can I choose them all for multiple backup options? You can set up an unlimited number of devices. We encourage you to set up as many as you need.



There are so many authentication methods, how do I know which one to choose? Most users with smartphones prefer to use the Duo Mobile Push Notification authentication method as it requires a single touchpoint rather than retyping a passcode to login. There are several other options including text messages (SMS), phone calls, and more. Review the Device Overview and Authentication Quick Guide to determine which authentication method works best for you. Remember, you can always change your preferred authentication method after enrollment by logging into CruzID Manager to Manage Devices or elect to use different phone numbers (FAQ: Can I use multiple devices with MFA?).



How do I find/download the free Duo Mobile App? Select the appropriate link (iOS, Android, Windows, Blackberry) or search for “Duo Mobile” in your smartphone’s application store and then install it using standard app installation instructions. App size varies by platform (iOS 7.4MB, Android 9.9MB, Windows 4.22MB, Blackberry 115KB).



I don't want to install the Duo Mobile App! Can I enroll my smartphone without doing this? Yes you can. Instead of following the instructions for enrolling a smartphone, follow the directions for enrolling a basic cell phone. This will allow you to receive passcodes on your smartphone via SMS as well as authenticate via a phone call.

If you ever decide to start using Duo Mobile, follow the instructions on how to add a new device: smartphone. The instructions will be similar, and you will be asked to overwrite the existing phone number in CruzID Manager. 



Can I MFA without a data and/or text plan for my device? The Passcode via Duo Mobile App option works without a data plan, text plan, or even a connection. The app can generate the required code without the need of either a telephone signal or data plan, and it can do so anywhere in the world.



Do I need a smartphone? No. Duo provides a great deal of flexibility and you do not need a smartphone to use it. Duo can send a text message to a regular cell phone or place a phone call to your basic cell phone or landline phone.



How do text message passcodes (SMS) work? SMS passcodes are sent via text message. With the proper prompt, a text message is sent containing 10 one-time use passcodes. A user can only have 10 valid passcodes at a time. Each new batch of 10 passcodes voids any remaining passcodes from the prior batch.



I don't have a cell phone? If you don’t have a cell phone, you can use a tablet, your landline phone or hardware token to MFA. When using a landline, you will receive an automated phone call that requires you to hit 1 to confirm your identity. The hardware token will generate a passcode that you enter into the ‘Enter a Passcode’ field on the Duo Authentication page.



I am travelling internationally. Will I be able to receive a phone call/text message? Phone calls and text messages are also sent to select non-US phone numbers. Our current plan with Duo Security allows each user to utilize up to 20 telephony credits per phone call and/or text message. For more information please view the telephony rate card on Duo Security's site. To avoid high roaming charges when out of the country, you can utilize the Duo Mobile App - Passcode functionality, as it does not rely on cellular service to generate passcodes. If that is not an option, a batch of 10 passcodes via text message (SMS) can be sent ahead of your travels. You can also use a hardware token to generate passcodes. For more information on how to be prepared when traveling, please review our International Travel webpage.



Where can I obtain a Duo hardware token? UCSC staff and faculty can obtain a hardware token by contacting the ITS Support Center or their local Divisional Liaison or Local IT Specialist. Students can also obtain a hardware token through the ITS Support Center. 



I have a YubiKey, can I use this instead of a Duo token? YubiKeys are allowed to be used with Duo, but they are not officially supported by UCSC. You can attempt to set up your key using our YubiKey self-service guide.



I enrolled my smartphone only as a phone. Now I've decided that I want to use the Duo app on my phone. What do I do? You must completely remove your device and then re-enroll it as a smartphone.

 



USING MFA


I want to change/rename/manage my MFA default device. Please follow the Manage Devices instructions.



Whom do I contact for help if I have problems authenticating? First make sure that you have your devices enrolled properly by following the Manage Devices instructions. Once you have enrolled all your devices properly, follow our instructions on how to authenticate for the first time. If you still have trouble authenticating contact the Support Center (help@ucsc.edu or 831-459-4357).



How do I enroll in MFA? Enrollment happens in CruzID Manager. Please review our  Enrollment Instructions.



How do I change/remove/add a new device? Please follow the Add a New Device or Manage Devices Instructions.



What precautions should I take when using MFA at a shared computer such as at the library? When using shared computers, like those in labs, public libraries, shared workstations in offices, or a computer borrowed from a friend, always follow secure practices for SSO. Please see our Single Sign-On (SSO) page for more details.

 



I already use DUO for an application, will I need to re-enroll? If you use Duo for a UC Santa Cruz application (like DC-VPN) then you will not need to enroll. If you use Duo for anything else (non-UCSC application, i.e., UCOP) then you do need to re-enroll. But you will use the same Duo app that is already on your phone, so there is no need to reinstall it.



If I authenticate using my personal phone (smart or cell), will I be charged?  Charges depend on your carrier and plan but are very nominal. The Push notification is 2kb. The SMS text is standard text pricing. The phone call is the cost of a standard call. To avoid charges you can use the Duo Mobile app passcodes or the Duo token.



I don't understand when I do (or do not) have to MFA? Knowing when to or not to MFA can be complicated. This image will help to explain some of those factors.



 

I added the Remember Me for 14 Days feature. How do I disable it? The Remember Me feature relies on a browser cookie from Duo. Clearing your browser's cookies and cache disables this feature.
  • In Safari, the cookie settings can be found under Safari > Preferences > Privacy > Block all Cookies.
  • In Firefox, go to Firefox > Preferences > Privacy & Security and scroll down to the Cookies and Site Data section. Make sure the following checkbox is checked: Delete cookies and site data when Firefox is closed.
  • In Internet Explorer, go to Tools > Internet Options > Privacy. Adjust the slider for the Internet zone to allow third-party cookies to be stored.
  • In Chrome, go to Settings > Show advanced settings > Content settings > Cookies. Make sure that the setting Keep local data only until you quit your browser is on.

If there is an unexpected outage, how do I MFA? You can use the DUO token and enter the passcode to MFA into an application. You can also use the passcode feature in the DUO mobile app. Neither the token nor the passcode feature in the DUO mobile app requires a cellular connection or wifi to work.



TROUBLESHOOTING


I am having trouble installing the Duo Mobile App on my smartphone. Installing the free Duo Mobile App should be similar to any other app installation on your smartphone. If you are having trouble navigating app installation, please contact the Support Center (help@ucsc.edu or 831-459-4357). Please Note: If there is a fundamental hardware or software problem with the personal device you want to use with MFA (i.e., my camera doesn’t work, my cell reception is bad, my wifi controller is not working), that must be fixed on your end first before ITS can assist.



I keep getting kicked out of CruzID Manager. CruzID Manager has a timeout of 20 minutes. If you are planning to enroll in MFA using the Duo Mobile App, please install this app on your smartphone or tablet before beginning enrollment.



I started enrollment using the Duo Mobile App, but never scanned the QR image. How do I continue enrollment? If you have not entered a phone number, you will need to start enrollment over again following the Enroll: Smartphone instructions. If you have entered your phone number, but not scanned the QR image, follow the Add a New Device: Smartphone instructions. If you need additional assistance, contact the Support Center (help@ucsc.edu or 831-459-4357).



I was automatically sent a Push/Phone call and now I keep getting sent to the same page over and over again. This functionality does not work for DC VPN Cisco AnyConnect. To remove this selection follow the Undo ‘Automatically sent Push/Phone Call’ instructions.



Can I use multiple devices with MFA? Yes. It is strongly recommended that you add an additional device to your MFA account to serve as a backup. This device could be a desk/landline, tablet or a trusted family/friend's phone number. Please follow the Add a New Device Instructions. Be sure to Manage Devices and set up the correct phone number as your default.



I have a new phone and the Duo Mobile App stopped working. What should I do? If you have a new phone with the same phone number, you will need to follow Manage Devices instructions. Select Device Options and then Reactivate Duo Mobile. If you have a backup device and need to add a new phone number, follow Add a New Device: Smartphone instructions. Contact the Support Center (help@ucsc.edu or 831-459-4357 option 1) if you do not have a second device configured.



I upgraded/reset my smartphone. How do I get Duo Mobile notifications to work again? If you have a new phone with the same phone number, you will need to follow Manage Devices instructions. Select Device Options and then Reactivate Duo Mobile.



I lost my phone? We recommend everyone have a backup device associated with their account. If you have lost the only phone associated with your account, please contact the Support Center (help@ucsc.edu or 831-459-4357 option 1), Monday-Friday, 8:00am-5:00pm. Note: Sending an email will resolve your issue faster than a phone call. The Support Center can verify you quickly through your email account. Phone calls take longer as you will have to answer a series of questions to prove your identity. It is strongly recommended that you add an additional device to your MFA account to serve as a backup. This device could be a desk/landline, tablet, token or trusted family/friend phone number.



I forgot my phone at home? Use your backup device to authenticate. If you did not set up a backup device and no other authentication method exists, a temporary one-time passcode can be issued to you; please contact the Support Center (help@ucsc.edu or 831-459-4357 option 1). Note: Sending an email will resolve your issue faster than a phone call. The Support Center can verify you quickly through your email account. Phone calls take longer as you will have to answer a series of questions to prove your identity. It is strongly recommended that you add an additional device to your MFA account to serve as a backup. This device could be a desk/landline, tablet, token or trusted family/friend phone number.



My batch of text passcodes (SMS) isn’t working. All passcodes are one-time use. If you need to generate another batch of passcodes, the authenticate with MFA page has more details. DC-VPN users can quickly generate a new batch of text passcodes using Cisco AnyConnect by typing ‘sms’ in the ‘Second Password’ field.



I’m trying to use the Call Me (phone call) method to authenticate but can’t seem to do so, even though I followed the prompt. Some phones on campus are not upgraded to digital/VOIP. For these phones, tones must be enabled in order to accept/approve the phone call authentication. This is done by first selecting '9'. You do not need to wait for the message to complete to select '1' (or '9' + '1' if you need to enable tones).



My hardware token stopped working. A hardware token is a physical device that generates a numeric passcode. These tokens can occasionally get out of sync if too many unused passcodes are generated. You can attempt to resync on your own by trying to authenticate three times, entering a valid passcode from your token each time into the 'Enter a Passcode' field. For more information, please view the Duo site's page on hardware token re-synchronization. If your hardware token does not resync after the 4th attempt, or if you can't log in with the passcodes it generates, contact the ITS Support Center (help@ucsc.edu or 831-459-4357 option 1).
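Why a token drifts out of sync, and why passcodes from the token or the Duo Mobile App need no network connection, shown as an added example (not UCSC's or Duo's code). It assumes an event-based HOTP token as defined in RFC 4226; the look-ahead and resync window sizes and the `Token`/`Server` classes are illustrative assumptions.

```python
"""HOTP (RFC 4226) token drift and resynchronization, as a constructed demo."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute the RFC 4226 passcode for one counter value (no network needed)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Token:
    """The keyfob: every button press advances its counter, used or not."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Server:
    """Validator with a small look-ahead window and a wider resync search."""

    def __init__(self, secret: bytes, look_ahead: int = 10, resync_range: int = 500):
        self.secret, self.counter = secret, 0
        self.look_ahead, self.resync_range = look_ahead, resync_range

    def _match(self, code: str, counter: int) -> bool:
        return hmac.compare_digest(hotp(self.secret, counter), code)

    def verify(self, code: str) -> bool:
        """Normal login: tolerate only a few skipped (unused) passcodes."""
        for c in range(self.counter, self.counter + self.look_ahead):
            if self._match(code, c):
                self.counter = c + 1  # this code and all earlier ones are now void
                return True
        return False

    def resync(self, codes: list) -> bool:
        """Resync: search further ahead, but require a run of consecutive codes."""
        for c in range(self.counter, self.counter + self.resync_range):
            if all(self._match(code, c + i) for i, code in enumerate(codes)):
                self.counter = c + len(codes)
                return True
        return False


def demo() -> dict:
    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real token seed
    token, server = Token(secret), Server(secret)
    in_sync = server.verify(token.press())         # counters agree
    for _ in range(50):                            # 50 unused button presses
        token.press()
    drifted = server.verify(token.press())         # beyond the look-ahead window
    resynced = server.resync([token.press() for _ in range(3)])
    after_resync = server.verify(token.press())    # logins work again
    replay = server.verify(hotp(secret, 0))        # an old passcode stays void
    return {"in_sync": in_sync, "drifted": drifted, "resynced": resynced,
            "after_resync": after_resync, "replay": replay}


if __name__ == "__main__":
    print(demo())
```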



I no longer need my security token. Security tokens are university property and must be disassociated from user accounts. Please return your security token to the Support Center in Kerr Hall Rm 54.



Sometimes the Duo authenticate window (iFrame) does not show up. Try these steps:

  1. Try to authenticate in an Incognito window (or equivalent). Does it go away? If not, go to step 2.
  2. Enable/disable your browser plug-ins until you find the culprit.
  3. Let us know so that we can add it to our list of known culprits. Call 831-459-HELP (9-4357) or submit a ticket to the Support Center. Users who are more likely to see this problem are those who use various browser extensions or complex browser setups that may in some way alter the normal load of the page.



What are cookies? How do I manage cookies for my browser and how do they affect the Remember Me for 14 Days function? 

Cookies are used by the MFA service to remember you and the time left in your browsing session.  

Your browser and cookie settings can affect the “Remember me for 14 days” function, causing it to not remember you.

If you are having to MFA multiple times even after checking the Remember me Checkbox, the settings below may improve your log-in experience.

Before you can test the Remember Me for 14 days function or test how often you get asked to authenticate, you must be enrolled in MFA.

To ensure the Remember Me for 14 days function works as expected, you must enable third-party cookies from Duo Security. This is done differently for each browser. Some browsers will allow you to whitelist cookies specifically from Duo. Adding them to your browser’s whitelist is enough to get the feature to work properly.

Edge and Safari don’t allow you to whitelist cookies from specific sites. Cookies for these browsers will need to be completely on or completely off.  

Enabling all Cookies in Safari:  

  1. Once Safari is opened, click Safari on the toolbar in the upper left, then click on Preferences…
  2. Click on the Privacy tab.
  3. Make sure that the cookies and website data box is unchecked.

Enabling all cookies in Edge: 

  1. Open Edge
  2. Click on the upper right ellipses (...)
  3. Click Settings, then on the left hand pane click on the lock icon. (Privacy and Security)
  4. Scroll down to cookies and select Don’t block cookies from the drop down.  

Whitelisting only UCSC and Duo Security’s Third party cookies in Chrome:

  1. Open Chrome
  2. Click on the vertical ellipses in the upper right corner
  3. Go to Settings, scroll all the way to the bottom and click advanced.
  4. Scroll to the Privacy and Security section, then click on Site Settings
  5. Click on Cookies.
  6. At the See all cookies and site data section, scroll to allow then click add.
  7. Add the following entries:
    1. api-268194b0.duosecurity.com
    2. duo.com
    3. login.ucsc.edu
    4. duosecurity.com

Whitelisting only UCSC and Duo Security’s Third party cookies in Firefox:

  1. Open Firefox
  2. Click Firefox on the toolbar in the upper left, then click on Preferences…
  3. On the left-hand navigation bar, click on Privacy and Security
  4. Scroll down to Cookies and Site Data and select Manage Permissions.
  5. Under address of website type in the following:
    1. api-268194b0.duosecurity.com
    2. duo.com
    3. login.ucsc.edu
    4. duosecurity.com

Whitelisting only UCSC and Duo Security’s Third party cookies in Internet Explorer:

  1. Open Internet Explorer
  2. Select the Gear icon in the upper-right, then select internet options.
  3. Select the privacy tab. Under the settings section there should be a sites button, click it.
  4. Under address of website type in the following addresses, and then click allow to add it to the whitelist:
    1. api-268194b0.duosecurity.com
    2. duo.com
    3. login.ucsc.edu
    4. duosecurity.com



How do I manage cookies for my browser? How do they affect Single Sign-On (SSO)?

Depending on how your browser is set up, some settings can interfere with SSO. This can cause issues with how often, or how rarely, you get asked to authenticate with your device.

Your browser may try to hold onto your current browsing session. When your browser holds on to your session, you’ll stay logged in longer and won’t get prompted to MFA when you close and reopen your browser.

If you are working with sensitive data and would prefer to keep your browser from holding on to your session, please follow the following steps.

Prevent Chrome from holding on to a session:

  1. Open Chrome, then go to Preferences.
  2. Scroll down to the On Startup Section. Then make sure that Continue where you left off is unchecked.

Prevent Firefox from holding on to a session:

  1. Open Firefox, then click on the menu button in the upper right corner, then click preferences.
  2. Under the General section under startup, make sure that restore previous session is unchecked.



I am getting an Invalid Certificate (iPhone) / No Internet Connection (Android) error when I try to MFA on my phone. If you are a ResNet resident, you will need to re-connect to SafeConnect. Selecting the Logout of SafeConnect button on the ResNet website will bring up the log-in page when you are connected to ResWifi. You will need to log in using your CruzID and Blue password.



DC-VPN USERS


How does MFA work for DC VPN? Cisco AnyConnect displays three fields for DC VPN users. When you attempt to access DC VPN, the Username/Password fields remain unchanged. The third field, ‘Second Password’, requires users to enter ‘push’, ‘sms’, ‘phone’, and/or a valid passcode. Please refer to the Quick Guide for specific connection instructions.



Authentication instructions for Cisco AnyConnect DC-VPN. Please follow the instructions for the selected authentication method (Duo Mobile App - Push Notification, Duo Mobile App - Passcodes, Text Message (SMS), Phone Call, Hardware Token).



I’m already enrolled in MFA for DC-VPN. When it’s time for my group to enroll in DUO, do I have to re-enroll? No. We will do a one time manual sync for all enrolled/existing users in DUO and populate our grouper group as needed.



I use DC VPN occasionally, but do not see the MFA link under Advanced in CruzID Manager. If you don’t see the MFA option in CruzID Manager, contact the Support Center in Kerr Hall Rm 54 (help@ucsc.edu or 831-459-4357 option 1).



I’m locked out of Duo | MFA | DC VPN, what should I do? After several failed login attempts, users will be locked out for 30 minutes. If, after 30 minutes, you are unable to authenticate via all your configured devices, contact the Support Center (help@ucsc.edu or 831-459-4357). If you are having trouble receiving a push notification, please verify you have cell service or use an alternate authentication method.



When I enter ‘push’ into the DC VPN ‘Second Password’ field nothing happens? There are a few reasons you might be having this problem. First make sure that you have your smartphone enrolled properly as your default device by following the Manage Devices instructions. After that, verify that notifications are allowed (turned on) for the Duo Mobile App. If you are still unable to receive push notifications, contact the Support Center (help@ucsc.edu or 831-459-4357 option 1).



How often do I need to use MFA? If you are using DC-VPN, MFA will be required each time a new connection to DC VPN is created. DC VPN session timeout is set to 12 hours. All DC VPN users are required to use MFA.



What VPN clients are supported by MFA? The Cisco AnyConnect client is the only supported DC VPN client.



I’m trying to use a phone call to authenticate but keep getting a timeout message from Cisco AnyConnect. Tones must be enabled in order to accept/approve the phone call authentication. This is typically done by selecting '9' from campus phones. You do not need to wait for the message to complete to select '1' (or '9' + '1' if you need to enable tones). If you still receive a timeout message from Cisco AnyConnect, try uninstalling/reinstalling the Cisco AnyConnect client. Windows users can do this by going to 'Start > Programs > Cisco Systems VPN Client > Uninstall VPN Client' and Mac users can go to 'Applications > Cisco > Uninstall AnyConnect'. Then follow VPN Client Installation instructions. If you need help doing this, please contact the Support Center (help@ucsc.edu or 831-459-4357).
