MFA FAQs
If your question is not listed below, please contact the Support Center (help@ucsc.edu or 831-459-4357)
General
- What is Multi-Factor Authentication (MFA)?
- Why do I need this?
- What devices are supported?
- How often do I need to use MFA?
- What is
a passcode ? How does it differ from a password? - I don’t have a smartphone, basic cell phone, landline, tablet and/or am unable to use MFA.
- I recently
graduated, and did not sign up for MFA. Do I still have to? - I missed my requirement deadline. What do I do?
- If I use my personal phone number for MFA, where does that phone number go? Can/will it be used for other purposes?
- Why isn't "X" feature offered? What is the comprehensive list of features offered by Duo Security?
- How does DUO use my data?
Device Selection
- What methods can I use to authenticate?
- How many devices can I set up? Can I choose them all for multiple backup
options. - There are so many authentication methods, how do I know which one to choose?
- How do I find/download the free Duo Mobile App?
- I don't want to install the Duo Mobile App! Can I enroll my smartphone without doing this?
- Can I MFA without a data and/or text plan for my device?
- Do I need a smartphone?
- How do text message passcodes (SMS) work?
- I don’t have a cell phone?
- I am
travelling internationally. Will I be able to receive a phone call/text message? - Where can I obtain a Duo hardware token?
- I have a YubiKey, can I use this instead of a Duo token?
- I enrolled my smart phone only as a phone. Now I've decided that I want to use the Duo app on my phone. What do I do?
Using MFA
- I want to change/rename/manage my MFA default device.
- Whom do I contact for help if I have problems authenticating?
- How do I enroll in MFA?
- How do I change/remove/add a new device?
- What precautions should I take when using MFA at a shared computer such as at the library?
- I already use Duo for an application, will I need to re-enroll?
- If I authenticate using my personal phone (smart or cell), will I be charged?
- I don't understand when I do (or do not) have to MFA?
- I added the Remember Me for 14 Days feature. How do I disable it?
- If there is an unexpected outage, how do I MFA?
Troubleshooting
- I am having trouble installing the Duo Mobile app on my smartphone.
- I keep getting kicked out of CruzID Manager.
- I started enrollment using the Duo Mobile app, but never scanned the QR image. How do I continue enrollment?
- I was automatically sent a Push/Phone call and now I keep getting sent to the same page over and over again.
- Can I use multiple devices with MFA?
- I have a new phone and the Duo Mobile app stopped working. What should I do?
- I upgraded/reset my smartphone. How do I get Duo Mobile notifications to work again?
-
I lost my phone? -
I forgot my phone at home? - My batch of text passcodes (SMS)
aren’t working. - I’m trying to use the Call Me (phone call) method to authenticate but can’t seem to do so, even though I followed the prompt.
- My hardware token stopped working.
- I no longer need my security token.
- Sometimes the Duo authenticate window (iFrame) does not show up
- What are cookies? How do I manage cookies for my browser and how do they affect the remember me for 14 days function?
- How do I manage cookies for my browser and how do they affect Single Sign On(SSO)?
- I am getting an Invalid Certificate (iPhone) / No Internet Connection (Android) error when I try to MFA on my phone.
DC-VPN Users
- How does MFA work for DC VPN?
- Authentication instructions for Cisco AnyConnect DC VPN.
- I’m already enrolled in MFA for DC-VPN. When it’s time for my group to enroll in DUO, do I have to re-enroll?
- I use DC VPN occasionally, but do not see the MFA link under Advanced in CruzID Manager.
- I’m locked out of Duo | MFA | DC VPN, what should I do?
- When I enter in ‘push’ into the DC VPN ‘Second Password’ field nothing happens?
- How often do I need to use MFA?
- What VPN clients are supported by MFA?
- How do I receive a phone call to my backup device?
GENERAL
What is Multi-Factor Authentication (MFA)? Multi-Factor Authentication (MFA) is a method of system access control in which a user is only granted authorization after successfully providing a second authentication method beyond the basic username/password. MFA combines knowledge (something you know) with possession (something you have). At UCSC, MFA will combine CruzID and Gold password with cell phone, landline phone, tablet, hardware token or one time use passcode. Duo Security is the vendor facilitating the ‘possession’ half of MFA at UCSC.
Why do I need this? Passwords are becoming increasingly easy to compromise. They can be stolen, “phished”, guessed, and hacked. New technology and hacking techniques combined with the limited pool of passwords most people use for multiple accounts increases vulnerability. UCSC is also scheduled to begin using the new UCPath system in late 2019. In order to access the UCPath system, it requires Multi-Factor Authentication (MFA). In order to avoid conflict with the launch of the UCPath project, all users must be enrolled in MFA by the deadline in October 2019.
What devices are supported? UCSC supports a range of electronic devices including:
- iOS smartphones and tablets
- Android smartphones and tablets
- Blackberry devices
- Windows phones
- Basic cell phones with and without text message capabilities
- Landlines (Desk Phones)
- Hardware tokens
It is strongly recommended that you add an additional device to your MFA account to serve as a backup. This additional device could be a desk/landline, tablet or trusted family/friend phone number. Please follow the Add a New Device instructions. Be sure to Manage Devices and set up the correct phone number as your default. If you are a DC-VPN user and want to receive a phone call to your backup (not default) device enter ‘phone2’ (or push2, sms2) into the Second Password field.
How often do I need to use MFA? As of now, most online services are set to timeout after 12 hours. However, some appliations contain sensitive data and will require an additional MFA authentication. Also, some of these applications may time out sooner than 12 hrs.
What is a passcode? How does it differ from a password A passcode is a one-time use number utilized for MFA (provided by Duo) via Duo Mobile App - Passcode option, text message or token. For most online applications and after authenticating first with your CruzID and gold password, the passcode will be entered into the 2nd login window, under the `Enter a Passcode` field. DC-VPN users will enter the passcode into the Cisco AnyConnect ‘Second Password’ field. For Cisco AnyConnect DC VPN, the password field refers to your UCSC Gold password which is reused for all logins.
I don’t have a smartphone, basic cell phone, landline, tablet and/or am unable to use MFA All users are required to use MFA. If you have concerns about meeting this requirement, please open a Support Ticket,
I recently
I missed my requirement deadline. What do I do? Have your authentication device (such as your phone) ready. If you do not have an authentication device, contact the ITS Support Center ( help@ucsc.edu or 831-459-4357) for assistance. Log into any application that requires you to use your Gold password. Follow the instructions for setting up and enrolling a
If I use my personal phone number for MFA, where does that phone number go? Can/will it be used for other purposes? Phone numbers provided for MFA are stored by the Duo Security vendor. They are not used by or transmitted to any other UCSC service or system. See Duo's General Privacy Notice for more information on their privacy policies.
Why isn't "X" feature offered? What is the comprehensive list of features offered by Duo Security? The Duo plan the campus is on is called Duo MFA. To see if a feature is supported on our current plan please visit the documentation section on Duo Security's website.
How does DUO use my data? Please visit the DUO Privacy section of their website to see details.
DEVICE SELECTION
What methods can I use to authenticate? Based on preferences and device availability, there are several convenient authentication methods. Users must first enroll their desired devices in CruzID Manager.
- Push Notification: via Duo Mobile App: If the Duo Mobile App is installed on a smartphone or tablet, a push notification is received to either approve or deny the authentication attempt. No manual entry of a passcode is required at login. * This is the most popular method using only a single button to MFA (vs. typing a passcode per login).
- Text Message (SMS): A batch of one-time use passcodes is sent via text message. An unused passcode is then entered into the ‘Second Password’ field of Cisco AnyConnect.
- Phone Call: A telephone call to any cell phone or landline will prompt approval or denial of the authentication attempt.
- Passcodes: via Duo Mobile App: If the Duo Mobile App is installed on a smartphone or tablet, a single passcode is retrieved by tapping the key image next to "University of California Santa Cruz" in the mobile app. This passcode is entered into the ‘Enter a Passcode’ field on the Duo Authentication page.
- Hardware Token: a small lightweight keyfob that can be attached to your keychain. Pressing the button on the keyfob will generate a passcode for you to use with MFA. Tokens can be obtained by contacting the ITS Support
Center .
How many devices can I set up? Can I choose them all for multiple backup options? You can set up an unlimited amount of devices. We encourage you to set up as many as you need.
There are so many authentication methods, how do I know which one to choose? Most users with smartphones prefer to use the Duo Mobile Push Notification authentication method as it requires a single touchpoint rather than retyping a passcode to
How do I find/download the free Duo Mobile App? Select appropriate link ( iOS, Android, Windows, Blackberry) or search for “Duo Mobile” in your smartphone’s application store and then install it using standard app installation instructions. App size varies by platform (iOS 7.4MB, Android 9.9MB, Windows 4.22MB, Blackberry 115KB)
I don't want to install the Duo Mobile App! Can I
If you ever decide to start using Duo Mobile, follow the instructions on how to add a new device: smartphone. The instructions will be similar, and you will be asked to overwrite the existing phone number in CruzID Manager.
Can I MFA without a data and/or text plan for my device? The Passcode via Duo Mobile App option works without a data plan, text plan, or even a connection. The app can generate the required code without the need of either a telephone signal or data plan, and it can do so anywhere in the world.
Do I need a smartphone? No. Duo provides a great deal of flexibility and you do not need a smartphone to use it.
How do text message passcodes (SMS) work? SMS passcodes are sent via text message. With the proper prompt, a text message is sent containing 10 one time use passcodes. A user can only have 10 valid passcodes at a time. Each new batch of 10 passcodes voids any remaining passcodes from the prior batch
I don't have a cell phone? If you don’t have a cell phone, you can use a tablet, your landline phone or hardware token to MFA. When using a landline, you will receive an automated phone call that requires you to hit 1 to confirm your identity. The hardware token will generate a passcode that you enter into the ‘Enter a Passcode’ field on the Duo Authentication page.
I am
Where can I obtain a Duo hardware token? UCSC staff and faculty can obtain a hardware token by contacting the ITS Support Center or their local Divisional Liaison or Local IT Specialist. Students can also obtain a hardware token through the ITS Support Center.
I have a YubiKey, can I use this instead of a Duo token? Yubikeys are allowed to be used with Duo, but they are not officially supported by UCSC. You can attempt to
I enrolled my smart phone only as a phone. Now I've decided that I want to use the Duo app on my phone. What do I do? You must completeley remove your device and then re-enroll it as a smart phone.
USING MFA
I want to change/rename/manage my MFA default device. Please follow the Manage Devices instructions.
Whom do I contact for help if I have problems authenticating?
How do I enroll in MFA? Enrollment happens in CruzID Manager. Please review our Enrollment Instructions.
How do I change/remove/add a new device? Please follow the Add a New Device or Manage Devices Instructions.
What precautions should I take when using MFA at a shared computer such as at the library?
I already use DUO for an application, will I need to re-enroll? If you use Duo for a UC Santa Cruz application (like DC-VPN) then you will not need to enroll. If you use Duo for anything else (non-UCSC application,
If I authenticate using my personal phone (smart or cell), will I be charged? Charges depend on your carrier and plan but are very nominal. The Push notification is 2kb. The SMS text is standard text pricing. The phone call is the cost of a standard call. To avoid charges you can use the Duo Mobile app passcodes or the Duo token.
I don't understand when I do (or do not) have to MFA? Knowing when to or not to MFA can be complicated. This image will help to explain some of those factors.
I added the Remember Me for 14 Days feature. How do I disable it? The Remember Me feature relies on a browser cookie from Duo. By clearing your browser's cookies and cache, this will disable this feature.
- In Safari the Cookie settings can be found under Safari > Preferences > Privacy > Block all Cookies.
- In Firefox by going to Firefox > Preferences > Privacy & Security: Scroll down to the Cookies and Site Data section. Make sure the following checkbox is checked: Delete cookies and site data when Firefox is closed.
- In Internet Explorer at Tools > Internet Options > Privacy. Adjust the slider for the Internet zone to allow third-party cookies to be stored.
- In Chrome under Settings > Show advanced settings > Content settings > Cookies. Make sure that the setting Keep local data only until you quit your browser is on.
If there is an unexpected outage, how do I MFA? You can use the DUO token and enter in the passcode to MFA into an application. You can also use the passcode feature in the DUO mobile app. Both, the token and the passcode feature in the DUO mobile app do not require cellular connection or wifi to work.
TROUBLESHOOTING
I am having trouble installing the Duo Mobile App on my smartphone. Installing the free Duo Mobile App should be similar to any other app
I keep getting kicked out of CruzID Manager. CruzID Manager has a timeout of 20 minutes. If you are planning to enroll in MFA using the Duo Mobile App, please install this app on your smartphone or tablet before beginning enrollment.
I started enrollment using the Duo Mobile App, but never scanned the QR image. How do I continue enrollment? If you have not entered in a phone number, you will need to start enrollment over again following Enroll: Smartphone instructions. If you have entered
I was automatically sent a Push/Phone call and now I keep getting sent to the same page over and over again. This functionality does not work for DC VPN Cisco AnyConnect. To remove this selection follow the Undo ‘Automatically sent Push/Phone Call’ instructions.
Can I use multiple devices with MFA? Yes. It is strongly recommended that you add an additional device phone to your MFA account to serve as a backup. This device could be a desk/landline, tablet or a trusted family/friend's phone number. Please follow the Add a New Device Instructions. Be sure to Manage Devices and set up the correct phone number as your default.
I have a new phone and the Duo Mobile App stopped working. What should I do? If you have a new phone with the same phone number, you will need to follow Manage Devices instructions. Select Device Options and then Reactivate Duo Mobile. If you have a backup device and need to add a new phone number, follow Add a New Device: Smartphone instructions. Contact the Support Center (help@ucsc.edu or 831-459-4357 option 1) if you do not have a second device configured.
I upgraded/reset my smartphone. How do I get Duo Mobile notifications to work again? If you have a new phone with the same phone number, you will need to follow Manage Devices instructions. Select Device Options and then Reactivate Duo Mobile.
I lost my phone? We recommend everyone have a back up device associated with their account. If you have lost the only phone associated with your account, please contact the Support Center (help@ucsc.edu or 831-459-4357 option 1), Monday-Friday, 8:00am-5:00pm. Note: Sending an email will resolve your issue faster than a phone call. The Support Center can verify you quickly through your email account. Phone calls take longer as you will have to answer a series of questions to prove your identity. It is strongly recommended that you add an additional device to your MFA account to serve as a backup. This device could be a desk/landline, tablet, token or trusted family/friend phone number.
I forgot my phone at home? Use your backup device to authenticate with. If you did not setup a backup device, a temporary
My batch of text passcodes (SMS)
I’m trying to use the Call Me (phone call) method to authenticate but can’t seem to do so, even though I followed the prompt. Some phones on campus are not upgraded to digital/VOIP. For these phones. tones must be enabled in order to accept/approve the phone call authentication. This is done by first selecting '9'. You do not need to wait for the message to complete to select '1' (or '9' + '1' if you need to enable tones).
My hardware token stopped working. A hardware token is a physical device that generates a numeric passcode. These tokens can occasionally get out of sync if too many unused passcodes are generated. You can attempt to resync on your own by trying to authenticate three times, entering a valid passcode from your token each time into the 'Enter a Passcode' field. For more information, please view the Duo site's page on hardware token re-synchronization
I no longer need my security token. Security tokens are university property and must be disassociated with user accounts. Please return your security token to the Support Center in Kerr Hall Rm 54.
Sometimes the Duo authenticate window (iFrame) does not show up. Try these steps:
- Try to authenticate in an Incognito window (or equivalent). Does it go away? If not, go to step 2.
- Enable/disable your browser plug-ins until you find the culprit
- Let us know so that we can add it to our list of known culprits. Call, 831-459-HELP (9-4357) or submit a ticket to the Support Center. Users who are more likely to get this are users who use various browser extensions or complex browser setups that may in some way alter the normal load of the page.
What are cookies? How do I manage cookies for my browser and how do they affect the Remember Me for 14 Days function?
Cookies are used by the MFA service to remember you and the time left in your browsing session.
Depending on your browser and cookie settings, this affects the “Remember me for 14 days” function causing it to not remember you.
If you are having to MFA multiple times even after checking the Remember me Checkbox, the settings below may improve your log-in experience.
Before you can test the Remember Me for 14 days function or test how often you get asked to authenticate, you must be enrolled in MFA.
To ensure the Remember Me for 14 days function works as expected, you must enable third party cookies from Duo Security. This is done differently for each browser. Some browsers will allow you to whitelist cookies specifically from duo. Adding them to your browser’s whitelist is enough to get the feature to work properly.
Edge and Safari don’t allow you to whitelist cookies from specific sites. Cookies for these browsers will need to be completely on or completely off.
Enabling all Cookies in Safari:
- Once Safari is opened, click safari on the toolbar in the upper left, then click on Preferences…
- Click on the Privacy tab.
- Make sure that the cookies and website data box is unchecked.
Enabling all cookies in Edge:
- Open Edge
- Click on the upper right ellipses (...)
- Click Settings, then on the left hand pane click on the lock icon. (Privacy and Security)
- Scroll down to cookies and select Don’t block cookies from the drop down.
Whitelisting only UCSC and Duo Security’s Third party cookies in Chrome:
- Open Chrome
- Click on the vertical ellipses in the upper right corner
- Go to Settings, scroll all the way to the bottom and click advanced.
- Scroll to the Privacy and Security section, then click on Site Settings
- Click on Cookies.
- At the See all cookies and site data section, scroll to allow then click add.
- Add the following entries:
- api-268194b0.duosecurity.com
- duo.com
- login.ucsc.edu
- duosecurity.com
Whitelisting only UCSC and Duo Security’s Third party cookies in Firefox:
- Open Firefox
- Click Firefox on the toolbar in the upper left, then click on Preferences…
- On the left-hand navigation bar, click on Privacy and Security
- Scroll down to Cookies and Site Data and select Manage Permissions.
- Under address of website type in the following:
- api-268194b0.duosecurity.com
- duo.com
- login.ucsc.edu
- Duosecurity.com
Whitelisting only UCSC and Duo Security’s Third party cookies in Internet Explorer:
- Open Internet Explorer
- Select the Gear icon in the upper-right, then select internet options.
- Select the privacy tab. Under the settings section there should be a sites button, click it.
- Under address of website type in the following addresses, and then click allow to add it to the whitelist:
- api-268194b0.duosecurity.com
- duo.com
- login.ucsc.edu
- duosecurity.com
How do I manage cookies for my browser? How do they affect Single Sign-On (SSO)?
Depending on how your browser is setup, some settings can interfere with SSO. This can cause issues with how often, or how rarely you get asked to authenticate with your device.
Your browser may try to hold onto your current browsing session. When your browser holds on to your session, you’ll stay logged in longer and won’t get prompted to MFA when you close and reopen your browser.
If you are working with sensitive data and would prefer to keep your browser from holding on to your session, please follow the following steps.
Prevent Chrome from holding on to a session:
- Open chrome, then go to Preferences.
- Scroll down to the On Startup Section. Then make sure that Continue where you left off is unchecked.
Prevent Firefox from holding on to a session:
- Open Firefox, then click on the menu button in the upper right corner, then click preferences.
- Under the General seI am getting an Invalid Certificate (iPhone) / No Internet Connection (Android) error when I try to MFA on my phone.ction under startup, make sure that restore previous session is unchecked.
I am getting an Invalid Certificate (iPhone) / No Internet Connection (Android) error when I try to MFA on my phone. If you are a Resnet resident, you will need to re-connect to SafeConnect. Selecting the Logout of SafeConnect button on the ResNet website will bring up the log-in page when you are connected to ResWifi. You will need to login using your CruzID and Blue password.
DC-VPN Users
How does MFA work for DC VPN? Cisco AnyConnect displays three fields for DC VPN users. When you attempt to access DC VPN the Username/Password fields remain unchanged. The third field ‘Second Password’ requires users enter in ‘push’, ‘sms’, ‘phone’, and/or a valid passcode. Please refer to the Quick Guide for specific connection instructions.
Authentication instructions for Cisco AnyConnect DC-VPN. Please follow the instructions for the selected authentication method (Duo Mobile App - Push Notification, Duo Mobile App - Passcodes, Text Message (SMS), Phone Call, Hardware Token)
I’m already enrolled in MFA for DC-VPN. When it’s time for my group to enroll in DUO, do I have to re-enroll? No. We will do a
I use DC VPN occasionally, but do not see the MFA link under Advanced in CruzID Manager. If you don’t see the MFA option in CruzID manager, Contact the Support Center in Kerr Hall Rm54 (help@ucsc.edu or 831-459-4357 option 1).
I’m locked out of Duo | MFA | DC VPN, what should I do? After several failed login attempts, users will be locked out for 30 minutes. If after 30 minutes, you are unable to authenticate via all your configured devices contact the Support Center (help@ucsc.edu or 831-459-4357). If you are having trouble receiving a push notification, please verify you have cell service or use an alternate authentication method.
When I enter in ‘push’ into the DC VPN ‘Second Password’ field nothing happens? There are a few reasons you might be having this problem.
How often do I need to use MFA? If you are using DC-VPN, MFA will be required each time a new connection to DC VPN is created. DC VPN session timeout is set to 12 hours. All DC VPN users are required to use MFA.
What VPN clients are supported by MFA? The Cisco AnyConnect client is the only supported DC VPN client.
I’m trying to use a phone call to authenticate but keep getting a timeout message from Cisco AnyConnect. Tones must be enabled in order to accept/approve the phone call authentication. This is typically done by selecting '9' from campus phones. You do not need to wait for the message to complete to select '1' (or '9' + '1' if you need to enable tones). If you still receive a timeout message from Cisco AnyConnect, try uninstalling/reinstalling the Cisco AnyConnect client. Windows users can do this by going to 'Start > Programs > Cisco Systems VPN Client > Uninstall VPN Client' and Mac users can go to 'Applications > Cisco > Uninstall AnyConnect'. Then follow VPN Client Installation instructions. If you need help doing this, please contact the Support Center (help@ucsc.edu or 831-459-4357).