MFA FAQs

If your question is not listed below, please contact the Support Center (help@ucsc.edu or 831-459-4357)image

General
What is Multi-Factor Authentication (MFA)?
 
Why do I need this?

What devices are supported? 
How does MFA work for DC VPN?
How often do I need to use MFA?
What VPN clients are supported by MFA?
What is a passcode? How does it differ from a password?
I don’t have a smartphone, basic cell phone, landline, tablet and/or am unable to use MFA.

Device Selection
What devices can I use to authenticate?

There are so many authentication methods, how do I know which one to choose?
How do I find/download the free Duo Mobile App?
Can I MFA without a data and/or text plan for my device?
Do I need a smartphone?
How do text message passcodes (SMS) work?
I don’t have a cell phone? 
I am travelling internationally. Will I be able to receive a phone call/text message?

Using MFA
Quick instructions for Cisco AnyConnect DC VPN. 
I want to change my MFA default device.
I want to rename/manage my MFA devices.
Whom do I contact for help if I have problems authenticating?
How do I enroll in MFA?
How do I change/remove/add a new device?

Troubleshooting
I am having trouble installing the Duo Mobile app on my smartphone.
I keep getting kicked out of CruzID Manager.
I use DC VPN occasionally, but do not see the MFA link under Advanced in CruzID Manager.
I started enrollment using the Duo Mobile app, but never scanned the QR image. How do I continue enrollment?
When I enter in ‘push’ into the DC VPN ‘Second Password’ field nothing happens?
I was automatically sent a Push/Phone call and now I keep getting sent to the same page over and over again.
Can I use multiple devices with MFA?
I have a new phone and the Duo Mobile app stopped working. What should I do?
I upgraded/reset my smartphone. How do I get Duo Mobile notifications to work again?
I lost my phone?
I forgot my phone at home?
My batch of text passcodes (SMS) aren’t working.
I’m locked out of Duo | MFA | DC VPN, what should I do?
I’m trying to use a phone call to authenticate but keep getting a timeout message from Cisco AnyConnect.
My hardware token stopped working.
I no longer need my security token.


GENERAL


What is Multi-Factor Authentication (MFA)? Multi-Factor Authentication (MFA) is a method of system access control in which a user is only granted authorization after successfully providing a second authentication method beyond the basic username/password. MFA combines knowledge (something you know) with possession (something you have).

At UCSC, MFA will combine CruzID+Gold password with cell phone, landline phone or one time use passcode. Duo Security is the vendor facilitating the passcodes for the ‘possession’ half of MFA at UCSC.

back to top


Why do I need this? Passwords are becoming increasingly easy to compromise. They can be stolen, “phished”, guessed, and hacked. New technology and hacking techniques combined with the limited pool of passwords most people use for multiple accounts increases vulnerability. Starting in July 2016, MFA will be required for DC VPN Cisco AnyConnect users. Additional applications will begin requiring MFA in 2017.

back to top


What devices are supported? UCSC supports a range of electronic devices including: 

  • iOS smartphones and tablets
  • Android smartphones and tablets
  • Blackberry devices
  • Windows phones
  • Basic cell phones with and without text message capabilities
  • Landlines (Desk Phones)
  • Hardware tokens

It is strongly recommended that you add an additional phone number to your MFA account to serve as a backup. This phone number could be a desk/landline, tablet or trusted family/friend phone number. Please follow the Add a New Device instructions. Be sure to Manage Devices and set up the correct phone number as your default. To receive a phone call to your backup (not default) device enter ‘phone2’ (or push2, sms2) into the Second Password field.

back to top


How does MFA work for DC VPN? Cisco AnyConnect displays three fields for DC VPN users. When you attempt to access DC VPN the Username/Password fields remain unchanged. The third field ‘Second Password’ requires users enter in ‘push’, ‘sms’, ‘phone’, and/or a valid passcode.  Please refer to the Quick Guide for specific connection instructions.

back to top


How often do I need to use MFA? Each time a new connection to DC VPN is created, MFA will be required. DC VPN session timeout is set to 10 hours. All DC VPN users are required to use MFA.

back to top


What VPN clients are supported by MFA? The Cisco AnyConnect client is the only supported DC VPN client.

back to top


What is a passcode? How does it differ from a password? A passcode is a one-time use number utilized for MFA (provided by Duo) via Duo Mobile App - Passcode option, text message or token. The passcode is entered into the DC VPN Cisco AnyConnect ‘Second Password’ field. For Cisco AnyConnect DC VPN, the password field refers to your UCSC Gold password which is reused for all logins.

back to top


I don’t have a smartphone, basic cell phone, landline, tablet and/or am unable to use MFA. All DC VPN users are required to use MFA. If you have concerns about meeting this requirement, please contact kari@ucsc.edu.

back to top


DEVICE SELECTION


What devices can I use to authenticate? Based on preferences and device availability, there are several convenient authentication methods. Users must pre-enroll in desired authentication methods in CruzID Manager.

  • Push Notification via Duo Mobile App: If the Duo Mobile App is installed on a smartphone or tablet, a push notification is received to either approve or deny the authentication attempt. No manual entry of a passcode is required at login. 
  •   * This is the most popular method using only a single button to MFA (vs. typing a passcode per login).
  • Text Message (SMS): A batch of one-time use passcodes is sent via text message. An unused passcode is then entered into the ‘Second Password’ field of Cisco AnyConnect.
  • Phone call: A telephone call to any cell phone or landline will prompt approval or denial of the authentication attempt.
  • Passcodes via Duo Mobile App: If the Duo Mobile App is installed on a smartphone or tablet, a single passcode is retrieved by tapping the key image next to "University of California Santa Cruz" in the mobile app. This passcode is then entered into the ‘Second Password’ field of Cisco AnyConnect.

back to top


There are so many authentication methods, how do I know which one to choose? Most users with smartphones prefer to use the Duo Mobile Push Notification authentication method as it requires a single touchpoint rather than retyping a passcode into Cisco AnyConnect. There are several other options including text messages (SMS), phone calls, and more. Review the Device Overview and Quick Guide for DC VPN Connection instructions to determine which authentication method works best for you. Remember, you can always change your preferred authentication method after enrollment by logging into CruzID Manager to Manage Devices or elect to use different phone numbers (FAQ: Can I use multiple devices with MFA?).

back to top


How do I find/download the free Duo Mobile App? Select appropriate link (iOS, Android, Windows, Blackberry) or search for “Duo Mobile” in your smartphone’s application store and then install it using standard app installation instructions. App size varies by platform (iOS 7.4MB, Android 9.9MB, Windows 4.22MB, Blackberry 115KB).

back to top


Can I MFA without a data and/or text plan for my device? The Passcode via Duo Mobile App option works without a data plan, text plan, or even a connection. The app can generate the required code without need of either a telephone signal or data plan, and it can do so anywhere in the world.

back to top


Do I need a smartphone? No. Duo provides a great deal of flexibility and you do not need a smartphone to use it. Duo can send a text message to a regular cell phone or place a phone call to your cell phone or landline phone.

back to top


How do text message passcodes (SMS) work? SMS passcodes are sent via text message. With the proper prompt, a text message is sent containing 10 one time use passcodes. A user can only have 10 valid passcodes at a time. Each new batch of 10 passcodes voids any remaining passcodes from the prior batch.

back to top


I don’t have a cell phone? If you don’t have a cell phone, you can use your landline phone to MFA. You will receive an automated phone call that requires you to hit 1 to confirm your identity.

back to top


I am travelling internationally. Will I be able to receive a phone call/text message? Phone calls and text messages are not sent internationally. When out of the country, you can utilize the Duo Mobile App - Passcode functionality. If that is not an option, a batch of 10 passcodes via text message (SMS) can be sent ahead of your travels.

back to top


USING MFA


Quick instructions for Cisco AnyConnect DC VPN. Please follow the instructions for the selected authentication method (Duo Mobile App - Push Notification, Duo Mobile App - Passcodes, Text Message (SMS), Phone CallHardware Token)

back to top


I want to change my MFA default device. Please follow the Manage Devices instructions.

back to top


I want to rename/manage my MFA devices. Please follow the Manage Devices instructions.

back to top


Whom do I contact for help if I have problems authenticating? First make sure that you have your devices enrolled properly by following the Manage Devices instructions. If you still have trouble authenticating please contact the Support Center (help@ucsc.edu or 831-459-4357).

back to top


How do I enroll in MFA? Enrollment happens in CruzID Manager. Please review Enrollment Instructions.

back to top


How do I change/remove/add a new device? Please follow the Add a New Device or Manage Devices instructions.

back to top


TROUBLESHOOTING


I am having trouble installing the Duo Mobile App on my smartphone. Installing the free Duo Mobile App should be similar to any other app installation on your smartphone. If you are having trouble navigating app installation, please contact the Support Center (help@ucsc.edu or 831-459-4357).

back to top


I keep getting kicked out of CruzID Manager. CruzID Manager has a timeout of 20 minutes. If you are planning to enroll in MFA using the Duo Mobile App, please install this app on your smartphone or tablet before beginning enrollment.

back to top


I use DC VPN occasionally, but do not see the MFA link under Advanced in CruzID Manager. Currently MFA is only available for DC VPN users. If you are an active DC VPN user and you do not see the MFA link, please contact the Support Center (help@ucsc.edu or 831-459-4357 option 1).

back to top


I started enrollment using the Duo Mobile App, but never scanned the QR image. How do I continue enrollment? If you have not entered in a phone number, you will need to start enrollment over again following Enroll: Smartphone instructions. If you have entered in your phone number, but not scanned the QR image, follow the Add a New Device: Smartphone instructions. If you need additional assistance contact the Support Center (help@ucsc.edu or 831-459-4357)

back to top


When I enter in ‘push’ into the DC VPN ‘Second Password’ field nothing happens? There are a few reasons you might be having this problem. First make sure that you have your smartphone enrolled properly as your default device by following the Manage Devices instructions. After that verify that notifications are allowed ‘turned on’ for the Duo Mobile App. If you are still unable to receive push notifications, contact the Support Center (help@ucsc.edu or 831-459-4357 option 1).

back to top


I was automatically sent a Push/Phone call and now I keep getting sent to the same page over and over again. This functionality does not work for DC VPN Cisco AnyConnect. To remove this selection follow the Undo ‘Automatically sent Push/Phone Call’ instructions.

back to top


Can I use multiple devices with MFA? Yes. It is strongly recommended that you add an additional phone number to your MFA account to serve as a backup. This phone number could be a desk/landline, tablet or trusted family/friend phone number. Please follow the Add a New Device instructions. Be sure to Manage Devices and set up the correct phone number as your default. To receive a phone call to your backup (not default) device enter ‘phone2’ (or push2, sms2) into the Second Password field.

back to top


I have a new phone and the Duo Mobile App stopped working. What should I do? If you have a new phone with the same phone number, you will need to follow Manage Devices instructions. Select Device Options and then Reactivate Duo Mobile. If you have backup device and need to add a new phone number, follow Add a New Device: Smartphone instructions. Contact the Support Center (help@ucsc.edu or 831-459-4357 option 1) if you do not have a second device configured.

back to top


I upgraded/reset my smartphone. How do I get Duo Mobile notifications to work again? If you have a new phone with the same phone number, you will need to follow Manage Devices instructions. Select Device Options and then Reactivate Duo Mobile.

back to top


I lost my phone? We recommend everyone have two phone numbers associated with their account. If you have lost the only phone associated with your account, please contact the Support Center (help@ucsc.edu or 831-459-4357 option 1). It is strongly recommended that you add an additional phone number to your MFA account to serve as a backup. This phone number could be a desk/landline, tablet or trusted family/friend phone number.

back to top


I forgot my phone at home? A temporary one time passcode can be issued to you if no other authentication method exists, please contact the Support Center (help@ucsc.edu or 831-459-4357 option 1). It is strongly recommended that you add an additional phone number to your MFA account to serve as a backup. This phone number could be a desk/landline, tablet or trusted family/friend phone number.

back to top


My batch of text passcodes (SMS) aren’t working. All passcodes are one time use. In the Cisco AnyConnect ‘Second Password’ field enter ‘sms’ to receive a new batch of text passcodes.

back to top


I’m locked out of Duo | MFA | DC VPN, what should I do? After several failed login attempts, users will be locked out for 30 minutes. If after 30 minutes, you are unable to authenticate via all your configured devices contact the Support Center (help@ucsc.edu or 831-459-4357).  If you are having trouble receiving a push notification, please verify you have cell service or use an alternate authentication method.

back to top


I’m trying to use a phone call to authenticate but keep getting a timeout message from Cisco AnyConnect. Tones must be enabled in order to accept/approve the phone call authentication.  This is typically done by selecting '9' from campus phones.  You do not need to wait for the message to complete to select '1' (or '9' + '1' if you need to enable tones). If you still receive a timeout message from Cisco AnyConnect, try uninstalling/reinstalling the Cisco AnyConnect client.  Windows users can do this by going to 'Start > Programs > Cisco Systems VPN Client > Uninstall VPN Client' and Mac users can go to 'Applications > Cisco > Uninstall AnyConnect'. Then follow VPN Client Installation instructions. If you need help doing this, please contact the Support Center (help@ucsc.edu or 831-459-4357).

back to top


My hardware token stopped working. A hardware token is a physical device that generates a numeric passcode. These tokens can occasionally get out of sync if too many unused passcodes are generated. Contact the Support Center (help@ucsc.edu or 831-459-4357 option 1) if your token stops working or if you can't log in with the passcodes it generates.

back to top


I no longer need my security token. Security tokens are university property and can be disassociated with user accounts and reused. Please return your security token to the Support Center in Kerr Hall Rm 54 or to Laurie Swan at the Scotts Valley Center.

back to top