MFA FAQs
If your question is not listed below, please contact the Support Center ( help@ucsc.edu or 831-459-4357)
General
What is Multi-Factor Authentication?
Why do I need this?
What devices are supported?
How often do I need to use MFA?
What is a passcode? How does it differ from a password?
I don't have a smartphone, basic cell phone, landline, tablet and/or am unable to use MFA.
I recently graduated and did not sign up for MFA. Do I still have to?
Device Selection
What devices can I use to authenticate?
There are so many authentication methods, how do I know which one to choose?
How do I find/download the free Duo Mobile App?
Can I MFA without a data and/or text plan for my device?
Do I need a smartphone?
How do text message passcodes (SMS) work?
I don’t have a cell phone?
I am traveling internationally. Will I be able to receive a phone call/text message?
Where can I obtain a Duo hardware token?
I have a YubiKey, can I use this instead of a Duo token?
Using MFA
I want to change my MFA default device.
I want to rename/manage my MFA devices.
Whom do I contact for help if I have problems authenticating?
How do I enroll in MFA?
How do I change/remove/add a new device?
What precautions should I take when using MFA at a shared computer at the library?
Troubleshooting
I am having trouble installing the Duo Mobile app on my smartphone.
I keep getting kicked out of CruzID Manager.
I started enrollment using the Duo Mobile app, but never scanned the QR image. How do I continue enrollment?
I was automatically sent a Push/Phone call and now I keep getting sent to the same page over and over again.
Can I use multiple devices with MFA?
I have a new phone and the Duo Mobile app stopped working. What should I do?
I upgraded/reset my smartphone. How do I get Duo Mobile notifications to work again?
My batch of text passcodes (SMS)
I’m trying to use a phone call to authenticate but can't seem to do so even though I followed the prompt.
My hardware token stopped working.
I no longer need my security token.
DC-VPN Users
How does MFA work for DC VPN?
Quick instructions for Cisco AnyConnect DC VPN.
I'm already enrolled in MFA for DC-VPN. When it's time for my group to enroll in DUO, do I have to re-enroll?
I use DC-VPN occasionally, but do not see the MFA link under Advanced in CruzID manager.
I’m locked out of Duo | MFA | DC VPN, what should I do?
When I enter 'push' into the DC-VPN 'Second Password' field nothing happens?
How often do I need to use MFA?
What VPN Clients are supported by MFA?
I’m trying to use a phone call to authenticate but keep getting a timeout message from Cisco AnyConnect.
What is Multi-Factor Authentication (MFA)? Multi-Factor Authentication (MFA) is a method of system access control in which a user is only granted authorization after successfully providing a second authentication method beyond the basic username/password. MFA combines knowledge (something you know) with possession (something you have).
At UCSC, MFA will combine CruzID+Gold password with a cell phone, landline phone or one time use passcode. Duo Security is the vendor facilitating the passcodes for the ‘possession’ half of MFA at UCSC.
Why do I need this? Passwords are becoming increasingly easy to compromise. They can be stolen, “phished”, guessed, and hacked. New technology and hacking techniques combined with the limited pool of passwords most people use for multiple accounts increases vulnerability.
UCSC is also scheduled to begin using the new UCPath system in November 2019. In order to access the UCPath system, it requires Multi-Factor Authentication (MFA). In order to avoid conflict with the launch of the UCPath project, all users must be enrolled in MFA by the deadline in October 2019.
What devices are supported? UCSC supports a range of electronic devices including:
- iOS smartphones and tablets
- Android smartphones and tablets
- Blackberry devices
- Windows phones
- Basic cell phones with and without text message capabilities
- Landlines (Desk Phones)
- Hardware tokens
It is strongly recommended that you add an additional phone number to your MFA account to serve as a backup. This phone number could be a desk/landline, tablet or trusted family/friend phone number. Please follow the Add a New Device instructions. Be sure to Manage Devices and set up the correct phone number as your default.
How often do I need to use MFA? As of now, most online services are set to timeout after 12 hours.
What is a passcode? How does it differ from a password? A passcode is a one-time use number utilized for MFA (provided by Duo) via Duo Mobile App - Passcode option, text message or token. For most online applications after authenticating first with your CruzID and gold password, the passcode will be entered into the second login window, under the `Enter a Passcode` field. DC-VPN users will enter the passcode into the DC VPN Cisco AnyConnect ‘Second Password’ field. For Cisco AnyConnect DC VPN, the password field refers to your UCSC Gold password which is reused for all logins.
I don’t have a smartphone, basic cell phone, landline, tablet and/or am unable to use MFA. All users are required to use MFA. If you have concerns about meeting this requirement, please open a Support
I recently graduated and did not sign up for MFA. Do I still have to? No. As soon as the Registrar's Office categorizes you as a prior student instead of active, you will no longer be prompted to MFA.
DEVICE SELECTION
What devices can I use to authenticate? Based on preferences and device availability, there are several convenient authentication methods. Users must pre-enroll in desired authentication methods in CruzID Manager.
- Push Notification via Duo Mobile App: If the Duo Mobile App is installed on a smartphone or tablet, a push notification is received to either approve or deny the authentication attempt. No manual entry of a passcode is required at login.
- * This is the most popular method using only a single button to MFA (vs. typing a passcode per login).
- Text Message (SMS): A batch of one-time use passcodes is sent via text message. An unused passcode is then entered into the ‘Second Password’ field of Cisco AnyConnect.
- Phone call: A telephone call to any cell phone or landline will prompt approval or denial of the authentication attempt.
- Passcodes via Duo Mobile App: If the Duo Mobile App is installed on a smartphone or tablet, a single passcode is retrieved by tapping the key image next to "University of California Santa Cruz" in the mobile app. This passcode is then entered into the ‘Second Password’ field of Cisco AnyConnect.
- Hardware Token: a small lightweight keyfob that can be attached to your keychain. Pressing the button on the keyfob will generate a passcode for you to use with MFA.
There are so many authentication methods, how do I know which one to choose? Most users with smartphones prefer to use the Duo Mobile Push Notification authentication method as it requires a single touchpoint rather than retyping a passcode into
How do I find/download the free Duo Mobile App? Select appropriate link ( iOS, Android, Windows, Blackberry) or search for “Duo Mobile” in your smartphone’s application store and then install it using standard app installation instructions. App size varies by platform (iOS 7.4MB, Android 9.9MB, Windows 4.22MB, Blackberry 115KB).
Can I MFA without a data and/or text plan for my device? The Passcode via Duo Mobile App option works without a data plan, text plan, or even a connection. The app can generate passcodes without a telephone signal or data plan, and it can do so anywhere in the world.
Do I need a smartphone? No. Duo provides a great deal of flexibility and you do not need a smartphone to use it.
How do text message passcodes (SMS) work? SMS passcodes are sent via text message. With the proper prompt, a text message is sent containing 10 one time use passcodes. A user can only have 10 valid passcodes at a time. Each new batch of 10 passcodes voids any remaining passcodes from the prior batch.
I don’t have a cell phone? If you don’t have a cell phone, you can use your landline phone or hardware token to MFA. You will receive an automated phone call that requires you to hit 1 to confirm your identity. The hardware token will generate a passcode that you enter into the 'Enter a Passcode' field on the Duo login page.
I am traveling internationally. Will I be able to receive a phone call/text message? Phone calls and text messages are not sent internationally. When out of the country, you can utilize the Duo Mobile App - Passcode functionality. If that is not an option, a batch of 10 passcodes via text message (SMS) can be sent ahead of your travels. You can also use a hardware token to generate passcodes. For more information on how to be prepared when traveling, please review our traveling internationally webpage.
Where can I obtain a Duo hardware token? UCSC staff and faculty can obtain a hardware token by contacting the ITS Support Center or their local Divisional Liaison or Local IT Specialist. Students can obtain a hardware token through the ITS Support Center.
I have a YubiKey, can I use this instead of a Duo token? Yubikeys are allowed to be used with Duo, but they are not officially supported by UCSC. You can attempt to set up your YubiKey using our self-service guide found here.
USING
I want to change my MFA default device. Please follow the Manage Devices instructions.
I want to rename/manage my MFA devices. Please follow the Manage Devices instructions.
Whom do I contact for help if I have problems authenticating? First, make sure that you have your devices enrolled properly by following the Manage Devices instructions. If you still have trouble authenticating please contact the Support Center ( help@ucsc.edu or 831-459-4357).
How do I enroll in MFA? Enrollment happens in CruzID Manager. Please review Enrollment Instructions.
How do I change/remove/add a new device? Please follow the Add a New Device or Manage Devices instructions.
What precautions should I take when using MFA at a shared computer such as at the library? Google Chrome, Mozilla Firefox and Internet Explorer all have private browsing modes. Always make sure to use a private browsing mode when using a shared computer. To activate a private browsing window use the following keyboard shortcuts.
Chrome (Incognito) |
Firefox (Private Browsing) |
Internet Explorer ( |
|
OSX (Mac) |
Command+Shift+N |
Command+Shift+P |
Command+Shift+P |
Windows |
Ctrl+Shift+N |
Ctrl+Shift+P |
Ctrl+Shift+P |
Make sure you close your browser. This way when you leave the workstation, you won’t stay signed in.
On Windows machines, make sure that you select the ‘X’ on the upper right corner of the browser window to close it.
On OSX a properly closed browser will not
Taking these precautions will keep your account safe in shared locations. For added peace of mind, it’s also a good idea to shut down your computer once you leave.
TROUBLE SHOOTING
I am having trouble installing the Duo Mobile App on my smartphone. Installing the free Duo Mobile App should be similar to any other app installation on your smartphone. Make sure you have your AppleID and/or Google Play account on hand as without it, you will not be able to download the application. If you are having trouble navigating app installation, please contact the Support Center (help@ucsc.edu or 831-459-4357). Please Note: If there is a fundamental hardware or software problem with your personal device to be used with MFA, that must be fixed on your end first before ITS can assist. (i.e. I don't know my app store credentials, my camera doesn’t work, my cell reception is bad, my wifi controller is not working).
I keep getting kicked out of CruzID Manager. CruzID Manager has a timeout of 20 minutes. If you are planning to enroll in MFA using the Duo Mobile App, please install this app on your smartphone or tablet before beginning enrollment.
I started enrollment using the Duo Mobile App, but never scanned the QR image. How do I continue enrollment? If you have not entered in a phone number, you will need to start enrollment over again following Enroll: Smartphone instructions. If you have entered in your phone number, but not scanned the QR image, follow the Add a New Device: Smartphone instructions. If you need additional assistance contact the Support Center ( help@ucsc.edu or 831-459-4357)
I was automatically sent a Push/Phone call and now I keep getting sent to the same page over and over again. This functionality does not work for DC VPN Cisco AnyConnect. To remove this selection follow the Undo ‘Automatically sent Push/Phone Call’ instructions.
Can I use multiple devices with MFA? Yes. It is strongly recommended that you add an additional phone number to your MFA account to serve as a backup. This phone number could be a desk/landline, tablet or trusted family/friend phone number. Please follow the Add a New Device instructions. Be sure to Manage Devices and set up the correct phone number as your default.
I have a new phone and the Duo Mobile App stopped working. What should I do? If you have a new phone with the same phone number, you will need to follow Manage Devices instructions. Select Device Options and then Reactivate Duo Mobile. If you have a backup device and need to add a new phone number, follow Add a New Device: Smartphone instructions. Contact the Support Center ( help@ucsc.edu or 831-459-4357 option 1) if you do not have a second device configured.
I upgraded/reset my smartphone. How do I get Duo Mobile notifications to work again? If you have a new phone with the same phone number, you will need to follow Manage Devices instructions. Select Device Options and then Reactivate Duo Mobile.
I lost my phone? We recommend everyone have two phone numbers associated with their account. If you have lost the only phone associated with your account, please contact the Support Center ( help@ucsc.edu or 831-459-4357 option 1). It is strongly recommended that you add an additional phone number to your MFA account to serve as a backup. This phone number could be a desk/landline, tablet or trusted family/friend phone number.
I forgot my phone at home? A temporary one time passcode can be issued to you if no other authentication method exists, please contact the Support Center ( help@ucsc.edu or 831-459-4357 option 1). It is strongly recommended that you add an additional phone number to your MFA account to serve as a backup. This phone number could be a desk/landline, tablet or trusted family/friend phone number.
My batch of text passcodes (SMS) aren’t working. All passcodes are one-time use. If you need to generate another batch of passcodes see how to generate bypass tokens. DC-VPN users can quickly generate a new batch of text passcodes using Cisco AnyConnect by typing ' sms' in the ‘Second Password’ field.
I’m trying to use a phone call to authenticate but can't seem to do so even though I followed the prompt. Tones must be enabled in order to accept/approve the phone call authentication. This is typically done by selecting '9' from campus phones. You do not need to wait for the message to complete to select '1' (or '9' + '1' if you need to enable tones).
My hardware token stopped working. A hardware token is a physical device that generates a numeric passcode. These tokens can occasionally get out of sync if too many unused passcodes are generated. You can attempt to resync on your own by trying to authenticate three times, entering a valid passcode from your token each time into the 'Enter a Passcode' field. If your hardware token does not resync after the fourth attempt, Contact the Support Center ( help@ucsc.edu or 831-459-4357 option 1) if your token stops working or if you can't log in with the passcodes it generates.
I no longer need my security token. Security tokens are university property and can be disassociated with user accounts and reused. Please return your security token to the Support Center in Kerr Hall Rm 54 or to Laurie Swan at the Scotts Valley Center.
DC-VPN Users
How does MFA work for DC VPN? Cisco AnyConnect displays three fields for DC VPN users. When you attempt to access DC VPN the Username/Password fields remain unchanged. The third field ‘Second Password’ requires users enter in ‘push’, ‘sms’, ‘phone’, and/or a valid passcode. Please refer to the Quick Guide for specific connection instructions.
Quick instructions for Cisco AnyConnect DC VPN. Please follow the instructions for the selected authentication method ( Duo Mobile App - Push Notification, Duo Mobile App - Passcodes, Text Message (SMS), Phone Call, Hardware Token)
I'm already enrolled in MFA for DC-VPN. When it's time for my group to enroll in Duo, do I have to re-enroll? No. We will do a one-time manual sync for all enrolled/existing users in DUO and populate our grouper group as needed.
I use DC-VPN occasionally, but do not see the MFA link under Advanced in CruzID manager. If you don’t see the MFA option in CruzID manager, Contact the Support Center in Kerr Hall Rm54 (help@ucsc.edu or 831-459-4357 option 1).
I’m locked out of Duo | MFA | DC VPN, what should I do? After several failed login attempts, users will be locked out for 30 minutes. If after 30 minutes, you are unable to authenticate via all your configured devices contact the Support Center ( help@ucsc.edu or 831-459-4357). If you are having trouble receiving a push notification, please verify you have cell service or use an alternate authentication method.
When I enter in ‘push’ into the DC VPN ‘Second Password’ field nothing happens? There are a few reasons you might be having this problem. First, make sure that you have your smartphone enrolled properly as your default device by following the Manage Devices instructions. After that verify that notifications are allowed ‘turned on’ for the Duo Mobile App. If you are still unable to receive push notifications, contact the Support Center ( help@ucsc.edu or 831-459-4357 option 1).
How often do I need to use MFA? If you are using DC-VPN, MFA will be required each time a new connection to DC VPN is created. DC VPN session timeout is set to 12 hours. All DC VPN users are required to use MFA.
What VPN clients are supported by MFA? The Cisco AnyConnect client is the only supported DC VPN client.
I’m trying to use a phone call to authenticate but keep getting a timeout message from Cisco AnyConnect. Tones must be enabled in order to accept/approve the phone call authentication. This is typically done by selecting '9' from campus phones. You do not need to wait for the message to complete to select '1' (or '9' + '1' if you need to enable tones).
If you still receive a timeout message from Cisco AnyConnect, try uninstalling/reinstalling the Cisco AnyConnect client. Windows users can do this by going to 'Start > Programs > Cisco Systems VPN Client > Uninstall VPN Client' and Mac users can go to 'Applications > Cisco > Uninstall AnyConnect'. Then follow VPN Client