Home / Multi-Factor Authentication / MFA FAQs

MFA FAQs

If your question is not listed below, please contact the UCSC ITS help desk (Support Center) at 831-459-4357, help@ucsc.edu, or via https://slughub.ucsc.edu/its with your specific request.

General
Device Selection
Using MFA
Troubleshooting
DC-VPN Users

GENERAL

What is Multi-Factor Authentication (MFA)? Multi-Factor Authentication (MFA) is a method of system access control in which a user is only granted authorization after successfully providing a second authentication method beyond the basic username/password. MFA combines knowledge (something you know) with possession (something you have). At UCSC, MFA will combine CruzID and Gold password with cell phone, landline phone, tablet, hardware token or one time use passcode. Duo Security is the vendor facilitating the ‘possession’ half of MFA at UCSC. You can find more information about MFA at this link.

Why do I need this? Passwords are becoming increasingly easy to compromise. They can be stolen, “phished”, guessed, and hacked. New technology and hacking techniques combined with the limited pool of passwords most people use for multiple accounts increases vulnerability.

What devices are supported? UCSC supports a range of electronic devices including:

iOS smartphones and tablets
Android smartphones and tablets
Blackberry devices
Windows phones
Basic cell phones with and without text message capabilities
Landlines (Desk Phones)
Hardware tokens

It is strongly recommended that you add an additional device to your MFA account to serve as a backup. This additional device could be a desk/landline, tablet or trusted family/friend phone number. Please follow the Add a New Device instructions.

Why should I enroll more than one device for MFA? It is highly recommended to enroll more than one device for MFA. If you only have a smartphone enrolled, you are at risk of getting locked out of your accounts should you forget to charge your smartphone or if you forget to bring it to work one day. It's best to be prepared ahead of time as these things can happen. Especially now that MFA will be used on all applications using Gold passwords to authenticate. For more information, please visit https://its.ucsc.edu/mfa/index.html

How often do I need to use MFA? As of now, most online services are set to timeout after 12 hours. However, some applications contain sensitive data and will require an additional MFA authentication. Also, some of these applications may time out sooner than 12 hrs.

What is a passcode? How does it differ from a password A passcode is a one-time use number utilized for MFA (provided by Duo) via Duo Mobile App - Passcode option, text message or token. For most online applications and after authenticating first with your CruzID and gold password, the passcode will be entered into the 2nd login window, under the `Passcode` field. Campus VPN (and DC VPN) users will enter the passcode into the Cisco AnyConnect ‘Second Password’ field. For Cisco AnyConnect VPN, the password field refers to your UCSC Gold password which is reused for all logins.

I don’t have a smartphone, basic cell phone, landline, tablet and/or am unable to use MFA. What do I do?. All users are required to use MFA. Hardware tokens will generate a passcode that will allow you to access Gold password systems. These tokens are pre programmed for UCSC and can be purchased at the Baytree bookstore and easily associated with your CruzID. Alternatively if you have no other way to MFA a request process for an ITS provided token can be started via a Slughub ticket.

If I use my personal phone number for MFA, where does that phone number go? Can/will it be used for other purposes? Phone numbers provided for MFA are stored by the Duo Security vendor. They are not used by or transmitted to any other UCSC service or system. See Duo's General Privacy Notice for more information on their privacy policies.

Why isn't "X" feature offered? What is the comprehensive list of features offered by Duo Security? The Duo plan the campus is on is called Duo MFA. To see if a feature is supported on our current plan please visit the documentation section on Duo Security's website.

How does DUO use my data? Please visit the DUO Privacy section of their website to see details.

Why is Multi-Factor required? Unfortunately passwords alone are no longer sufficient to protect systems and the information accessible through them safe from cyber criminals. The work we do at UCSC, and the information we have makes us an attractive target for cyber criminals. MFA is a best practice method of protection against these risks and the University of California has Minimum Security Standards for all users and devices that access UC data or resources. For further information, refer to the following University of California Policies and Standards: IS-3: Electronic Information Security & Account and Authentication Management Standard. Please visit How to Stay Secure for more UCSC cybersecurity information.

I have accessibility needs related to MFA, how can ITS assist? Please contact the UCSC ITS help desk (Support Center) at 831-459-4357, help@ucsc.edu, or via https://slughub.ucsc.edu/its with your specific request. Please provide your name, CruzID and alternate email address.

Could I be locked out based on the detection of Known Attack Patterns and Anomalies geolocation? The answer is yes if you only have an SMS (text or phone call) authentication (less secure) setup. If Duo's algorithm detects a potential attack or anomaly at login it will require one of the more secure methods of authentication to be used which include: Verified via the mobile app or Hardware Tokens/ YubiKey.

DEVICE SELECTION

What methods can I use to authenticate? Based on preferences and device availability, there are several convenient authentication methods. Users must first enroll their desired devices in the device management portal within DUO. Please follow the Enroll your Device instructions.

Push Notification: via Duo Mobile App: If the Duo Mobile App is installed on a smartphone or tablet, a push notification is received to either approve or deny the authentication attempt. No manual entry of a passcode is required at login. * This is the most popular method using only a single button to MFA (vs. typing a passcode per login).
Passcodes: via Duo Mobile App: If the Duo Mobile App is installed on a smartphone or tablet, a single passcode is retrieved by tapping the key image next to "University of California Santa Cruz" in the mobile app. This passcode is entered into the “Enter your passcode” field on the Duo Authentication page.
Text Message (SMS): A passcode is sent via text message. The passcode is then entered into the “Enter your passcode” field.
Phone Call: A telephone call to any cell phone or landline will prompt approval or denial of the authentication attempt.
Hardware Token: a small lightweight keyfob that can be attached to your keychain. Pressing the button on the keyfob will generate a passcode for you to use with MFA. Hardware tokens can be purchased at the Baytree Bookstore.

How many devices can I set up? Can I choose them all for multiple backup options? You can set up an unlimited amount of devices! We encourage you to set up as many as you need.

There are so many authentication methods, how do I know which one to choose? The recommended method of authentication is via the Duo Mobile application on a smartphone or tablet. Most users with smartphones prefer to use the Duo Mobile Push Notification authentication method as it requires a single touchpoint rather than retyping a passcode to login. Using the DUO mobile app is free. For more options please review the Device Overview and Authentication Quick Guide to determine which authentication method works best for you. Using the telephone or text message functions costs UCSC every month.

How do I find/download the free Duo Mobile App? Select the appropriate link (iOS, Android, Windows, Blackberry) or search for “Duo Mobile'' in your smartphone’s application store and then install it using standard app installation instructions. App size varies by platform (iOS 7.4MB, Android 9.9MB, Windows 4.22MB, Blackberry 115KB)

Can I MFA without a data and/or text plan for my device? The Passcode via Duo Mobile App option works without a data plan, text plan, or even a connection. The app can generate the required code without the need of either a telephone signal or data plan, and it can do so anywhere in the world.

Do I need a smartphone? No. Duo provides a great deal of flexibility and you do not need a smartphone to use it. Duo can send a text message to a regular cell phone or place a phone call to your basic cell phone or landline phone.

How do text message passcodes (SMS) work? SMS passcode is sent via text message. With the proper prompt, a text message is sent containing a one time use passcode. We recommend using the Duo mobile app and here is why.

I don't have a cell phone? If you don’t have a cell phone, you can use a tablet, your landline phone or hardware token to MFA. When using a landline, you will receive an automated phone call that requires you to hit 1 to confirm your identity. The hardware token will generate a passcode that you enter into the “Enter your passcode” field on the Duo Authentication page.

I am traveling internationally. How will I authenticate? We recommend using the Duo mobile app and here is why. For more information on how to be prepared when traveling, please review our International Travel webpage.

Where can I obtain a Duo hardware token? Hardware tokens can be purchased at the Baytree bookstore.

I have a YubiKey, can I use this instead of a Duo token? Yubikeys are allowed to be used with Duo, but they are not officially supported by UCSC. You can attempt to set up your key using our YubiKey self-service guide.

I enrolled my smart phone only as a phone. Now I've decided that I want to use the Duo app on my phone. What should I do? You must completely remove your device and then re-enroll it as a smartphone.

I used to manage my devices for MFA in CruzID manager, how do I do that now? You will now have the opportunity to manage your devices each time you authenticate with MFA using your CruzID and Gold password by selecting “Other options”, and then select “Manage devices”. Please follow the Manage Devices instructions.

USING MFA

I want to change/rename/manage my MFA device. Please follow the Manage Devices instructions.

Whom do I contact for help if I have problems authenticating? First make sure that you have your devices enrolled properly by following the Manage Devices instructions. Once you have enrolled all your devices properly, follow our instructions on how to authenticate for the first time. If you still have trouble authenticating contact the UCSC ITS help desk (Support Center) at 831-459-4357, help@ucsc.edu, or via https://slughub.ucsc.edu/its. For account verification please be prepared to provide your full name, CruzID, an alternate email address, as well as your Student ID or Employee ID number.

How do I enroll in MFA? Please review our Enrollment Instructions.

How do I change/remove/add a new device? Please follow the Add a New Device or Manage Devices Instructions.

What precautions should I take when using MFA at a shared computer such as at the library? Shared computers, like those in labs, public libraries, shared workstations in offices, or a computer borrowed from a friend, should always follow secure practices for SSO which includes quitting your web browser to end your single sign-on session. Please see our (SSO) Single Sign-On page for more details.

I already use DUO for an application, will I need to re-enroll? If you use Duo for a UC Santa Cruz application (like DC-VPN) then you will not need to enroll. If you use Duo for anything else (non-UCSC application, i.e. ,UCOP ) then you do need to re-enroll. But you will use the same Duo app that is already on your phone - no need to reinstall it.

If I authenticate using my personal phone (smart or cell), will I be charged? Charges depend on your carrier and plan but are very nominal. The Push notification is 2kb. The SMS text is standard text pricing. The phone call is the cost of a standard call. To avoid charges you can use the Duo Mobile app passcodes or the Duo token.

What if I clicked the “Trust this Browser” button but I am still being asked to authenticate? This setting must be applied to each browser you use on each computer you use. If you choose this setting but login later with a different browser or computer you will have to set it again for that browser during authentication. If you are certain you chose it to remember you on both the computer and the browser you are using, then it might be a setting on the browser that is not saving your choice.

Required Browser Settings:

Chrome

While in Chrome click on the 3 vertical dots in the top-right corner of the browser and choose “Settings” in the drop down menu.
Click on the section labeled “Security and Privacy" on the left side of the window. In the menu in the center of the screen, click on "Cookies and other site data".
In the "Cookies and other site data" menu, make sure:
1. “Clear cookies and site data when you close all windows” is turned OFF
2. "Block third-party cookies" is turned OFF
If you are still having trouble after doing steps 1-3, go back to the "Cookies and other site data" menu and at the bottom under the "Sites that can always use cookies" section, click the "Add" button and add [*.]duosecurity.com.
Changes you make here are immediate, so there is no option to save. You can close the Chrome settings tab/window whenever you are finished.

Firefox

While in Firefox click on the 3 horizontal lines in the top-right corner of the browser and choose “Settings” from the drop down menu.
On the left-hand side, choose the “Privacy & Security” option.
In the “History” section make sure you either uncheck the "Clear history when Firefox closes" option, OR click the Settings button just to the right of that option and uncheck "Cookies" from the list of things that get cleared.
If you still have trouble after doing steps 1-3, you can also click the "Manage Exceptions" button to the right of this option and add https://duosecurity.com to the exceptions list.
Changes you make here are immediate, so there is no option to save. You can close the preferences tab/window whenever you are finished.

Safari

With Safari open and active, click on “Safari” at the top-left of your computer screen (next to the Apple symbol on your top taskbar) and choose “Preferences” from the drop down menu.
Choose the “Privacy” option across the top of the window that appears.
Under “Cookies and website data” make sure the “Block all cookies” option is NOT selected. Safari should save all website data unless you specifically remove it in Preferences.
Changes you make here are immediate, so there is no save option. You can close the Preferences window whenever you are finished.

I added the Trust this Browser feature. How do I disable it? The “Trust this browser?” feature relies on a browser cookie from Duo. By clearing your browser's cookies and cache, this will disable this feature.

In Safari the Cookie settings can be found under Safari > Preferences > Privacy > Block all Cookies.
In Firefox by going to Firefox > Preferences > Privacy & Security: Scroll down to the Cookies and Site Data section. Make sure the following checkbox is checked: Delete cookies and site data when Firefox is closed.
In Internet Explorer at Tools > Internet Options > Privacy. Adjust the slider for the Internet zone to allow third-party cookies to be stored.

In Chrome under Settings > Show advanced settings > Content settings > Cookies. Make sure that the setting Keep local data only until you quit your browser is on.

If there is an unexpected outage, how do I MFA?. You can use the passcode feature in the DUO mobile app or you can use the DUO token and enter in the passcode to MFA into an application. Both the token and the passcode feature in the DUO mobile app do not require cellular connection or wifi to work.

TROUBLESHOOTING

I am having trouble installing the Duo Mobile App on my smartphone. Installing the free Duo Mobile App should be similar to any other app installation on your smartphone. If you are having trouble navigating app installation, contact the UCSC ITS help desk (Support Center) at 831-459-4357, help@ucsc.edu, or via https://slughub.ucsc.edu/its with your specific request. For account verification please be prepared to provide your full name, CruzID, an alternate email address, as well as your Student ID or Employee ID number. Please Note: If there is a fundamental hardware or software problem with your personal device to be used with MFA, that must be fixed on your end first before ITS can assist. (i.e., my camera doesn’t work, my cell reception is bad, my wifi controller is not working).

I started enrollment using the Duo Mobile App, but never scanned the QR image. How do I continue enrollment? If you have not entered a phone number, you will need to start enrollment over again following Enroll: Smartphone instructions. If you have entered in your phone number, but not scanned the QR image, follow the Add a New Device: Smartphone instructions. If you need additional assistance please contact the UCSC ITS help desk (Support Center) at 831-459-4357, help@ucsc.edu, or via https://slughub.ucsc.edu/its with your specific request. For account verification please be prepared to provide your full name, CruzID, an alternate email address, as well as your Student ID or Employee ID number.

Can I use multiple devices with MFA? Yes. It is strongly recommended that you add an additional device phone to your MFA account to serve as a backup. This device could be a desk/landline, tablet or a trusted family/friend's phone number. Please follow the Add a New Device Instructions. Be sure to Manage Devices and set up the correct phone number as your default.

I have a new phone and the Duo Mobile App stopped working. What should I do? If you have a new phone with the same phone number, you will need to follow the instructions to Reactivate Duo Mobile: Smartphone at Manage Devices. If you have a backup device and need to add a new phone number, follow Add a New Device: Smartphone instructions. Please contact the UCSC ITS help desk (Support Center) at 831-459-4357, help@ucsc.edu, or via https://slughub.ucsc.edu/its if you do not have a second device configured. For account verification please be prepared to provide your full name, CruzID, an alternate email address, as well as your Student ID or Employee ID number.

I upgraded/reset my smartphone. How do I get Duo Mobile notifications to work again? f you have a new phone with the same phone number, you will need to follow the instructions to Reactivate Duo Mobile: Smartphone at Manage Devices

My phone was lost or stolen, what do I do? We recommend everyone have a back up device associated with their account. If you have lost the only phone associated with your account, please contact the UCSC ITS help desk (Support Center) at 831-459-4357, help@ucsc.edu, or via https://slughub.ucsc.edu/its. For account verification please be prepared to provide your full name, CruzID, an alternate email address, as well as your Student ID or Employee ID number. It is strongly recommended that you add an additional device to your MFA account to serve as a backup. This device could be a desk/landline, tablet, token or trusted family/friend phone number.

I forgot my phone at home? Use your backup device to authenticate with. We recommend everyone have a back up device associated with their account. IIf you did not setup a backup device, a temporary one time passcode can be issued to you if no other authentication method exists, please contact the Support Center (help@ucsc.edu or 831-459-4357 option 1) please contact the UCSC ITS help desk (Support Center) at 831-459-4357, help@ucsc.edu, or via https://slughub.ucsc.edu/its. For account verification please be prepared to provide your full name, CruzID, an alternate email address, as well as your Student ID or Employee ID number. It is strongly recommended that you add an additional device to your MFA account to serve as a backup. This device could be a desk/landline, tablet, token or trusted family/friend phone number.

My hardware token stopped working. A hardware token is a physical device that generates a numeric passcode. These tokens can occasionally get out of sync if too many unused passcodes are generated. You can attempt to resync on your own by trying to authenticate three times, entering a valid passcode from your token each time into the “Enter your passcode’' field. For more information, please view the Duo site's page on hardware token re-synchronization. If your hardware token does not resync after the 4th attempt, contact the UCSC ITS help desk (Support Center) at 831-459-4357, help@ucsc.edu, or via https://slughub.ucsc.edu/its with your request. For account verification please be prepared to provide your full name, CruzID, an alternate email address, as well as your Student ID or Employee ID number.

I no longer need my hardware token. Hardware tokens are university property and must be disassociated with user accounts when they are no longer needed.To request that your token be disassociated with your CruziD please contact the UCSC ITS help desk (Support Center) at 831-459-4357, help@ucsc.edu, or via https://slughub.ucsc.edu/its.

Why do I no longer see the “Remember Me” option? "Remember me for 14 days" has been replaced with a "Yes, trust browser" option and will have the same result.

Why do I no longer receive a block of codes when I use the sms/text method to login? This feature was discontinued and a single code will be sent by DUO. You can generate a passcode from the Duo Mobile app even when you don’t have a Wi-Fi connection or cellular reception. For more information see support documentation.

I am one of many users that MFA for a department shared account. When I log in it is sending a message to my peer’s phone not mine as they were the last to log in, how do I authenticate with my device? Select “Other options” and select the desired authentication method. Your peer will receive a code or verification prompt in this scenario so as a shared account user you should understand this is what is happening. Your peer who was automatically prompted by DUO to authenticate, should respond accurately, I did not request this.

DC-VPN USERS

How does MFA work for DC VPN? Cisco AnyConnect displays three fields for DC VPN users. When you attempt to access DC VPN the Username/Password fields remain unchanged. The third field ‘Second Password’ requires users enter in ‘push’, ‘sms’, ‘phone’, and/or a valid passcode. Please refer to the Quick Guide for specific connection instructions.

Authentication instructions for Cisco AnyConnect DC-VPN. Please follow the instructions for the selected authentication method (Duo Mobile App - Push Notification, Duo Mobile App - Passcodes, Text Message (SMS), Phone Call, Hardware Token)

I’m locked out of Duo | MFA | DC VPN, what should I do? After several failed login attempts, users will be locked out for 30 minutes. If after 30 minutes, you are unable to authenticate via all your configured devices contact the UCSC ITS help desk (Support Center) at 831-459-4357, help@ucsc.edu, or via https://slughub.ucsc.edu/its with your request. For account verification please be prepared to provide your full name, CruzID, an alternate email address, as well as your Student ID or Employee ID number. If you are having trouble receiving a push notification, please verify you have cell service or use an alternate authentication method.

When I type ‘push’ into the DC VPN ‘Second Password’ field nothing happens? There are a few reasons you might be having this problem. First make sure that you have your smartphone enrolled properly (see instructions to Reactivate Duo Mobile). If you are still unable to receive push notifications, contact the UCSC ITS help desk (Support Center) at 831-459-4357, help@ucsc.edu, or via https://slughub.ucsc.edu/its with your request. For account verification please be prepared to provide your full name, CruzID, an alternate email address, as well as your Student ID or Employee ID number.

How often do I need to use MFA? If you are using DC-VPN, MFA will be required each time a new connection to DC VPN is created. DC VPN session timeout is set to 12 hours. All DC VPN users are required to use MFA.

What VPN clients are supported by MFA? The Cisco AnyConnect client is the only supported DC VPN client.

I’m trying to use a phone call to authenticate but keep getting a timeout message from Cisco AnyConnect. Tones must be enabled in order to accept/approve the phone call authentication. This is typically done by selecting '9' from campus phones. You do not need to wait for the message to complete to select '1' (or '9' + '1' if you need to enable tones). If you still receive a timeout message from Cisco AnyConnect, try uninstalling/reinstalling the Cisco AnyConnect client. Windows users can do this by going to 'Start > Programs > Cisco Systems VPN Client > Uninstall VPN Client' and Mac users can go to 'Applications > Cisco > Uninstall AnyConnect'. Then follow VPN Client Installation instructions. If you need help doing this, please contact the UCSC ITS help desk (Support Center) at 831-459-4357, help@ucsc.edu, or via https://slughub.ucsc.edu/its with your request.