it.ucsf.edu

Duo Authentication Methods

Erik Wieland's picture

Duo offers several methods for two-factor authentication. We have ranked them in order of recommendation here.

Duo Mobile Smartphone App

The Duo Mobile smartphone app offers two methods of authentication: Duo Push and Duo passcodes.

Duo Push

Note: Duo Push requires a smartphone with the Duo Mobile app installed and enrolled, and an internet connection.

 

  1. After entering your AD username and password in a Duo-enabled application (like the Pulse Secure VPN client, remote.ucsf.edu, or Outlook Web Access), you will be prompted for a secondary password.
  2. In the secondary password field, type push, then submit/connect. Some applications may offer a push button for you to click instead.
  3. A Duo notification will appear on your smartphone
  4. Tap on the notification to open the Duo Mobile app
  5. Tap the Approve button to complete your login

Duo Passcode

Note: Duo Passcode requires a smartphone with the Duo Mobile app installed and enrolled, but does not require an internet connection.

 

  1. After entering your AD username and password in a Duo-enabled application (like the Pulse Secure VPN client, remote.ucsf.edu, or Outlook Web Access), you will be prompted for a secondary password.
  2. Go to the Duo Mobile app on your smartphone
  3. Click on the green key on the right side of the UCSF entry, and a 6-digit passcode will appear
  4. Enter this 6-digit passcode in the secondary password field, then submit/connect

SMS Text Message

If you can't use the Duo Mobile smartphone app, you can receive a text message with your passcode on your mobile phone.

 

  1. After entering your AD username and password in a Duo-enabled application (like the Pulse Secure VPN client, remote.ucsf.edu, or Outlook Web Access), you will be prompted for a secondary password.
  2. In the secondary password field, type sms1, then submit/connect
  3. An invalid credentials error will be displayed. Click OK.
  4. 10 passcodes will be delivered to your phone as a text message. Enter any of the 10 passcodes in the secondary password field, then submit/connect.

Voice Phone Call

If you don't have access to a mobile phone, Duo can call you for the secondary authentication. Because landlines are not tied one-to-one to a specific person, this is a less secure option. To use this option, you must register your landline's phone number on remote.ucsf.edu.

 

  1. After entering your AD username and password in a Duo-enabled application (like the Pulse Secure VPN client, remote.ucsf.edu, or Outlook Web Access), you will be prompted for a secondary password.
  2. In the secondary password field, type phone1, then submit/connect
  3. Duo will call your registered landline
  4. Answer the phone, and the automated voice will prompt you to press any number
  5. Once you’ve pressed any number, you will be authenticated

Yubikey

A Yubikey is a USB key that you plug into your computer's USB port to provide secondary authentication. Yubikeys have specific system requirements, so please refer to https://www.yubico.com/support/knowledge-base/categories/downloads/ and make sure your device is supported before submitting your request. In addition, replacement Yubikeys cost $30 each, so please safeguard your Yubikey and file a report immediately if it is lost or stolen. View Yubikey videos, with step-by-step instructions, here.

 

Request a Yubikey

  1. Go to http://help.ucsf.edu and click on Accounts, Access & Email
  2. Log in to MyAccess with your AD username and password
  3. Click on Duo Yubikey (Two Factor USB Device) Request Form
  4. Fill out the form and click Submit. Your Yubikey should be delivered to us in 2 days.
  5. You will receive a notification to pick up your Yubikey from an IT Health Desk location. Locate the closest IT Health Desk and bring your photo ID so we can verify your identity.

 

Using a Yubikey

  1. Insert the Yubikey into your computer’s USB port
  2. After entering your AD username and password in a Duo-enabled application (like the Pulse Secure VPN client, remote.ucsf.edu, or Outlook Web Access), you will be prompted for a secondary password.
  3. Click in the secondary password field, then press the button on your Yubikey

Bypass Code

A bypass code is a temporary passcode that you can use as your secondary authentication method. Bypass codes must be requested in advance, and only by the person who will use them. They expire after 30 days.

 

Request a Bypass Code

  1. Call the UCSF IT Service Desk and ask for a Duo bypass code
  2. The Service Desk agent will ask you questions to verify your identity
  3. Once you verify your identity, the Service Desk agent will create a bypass code unique to your AD username

Using a Bypass Code

  1. After entering your AD username and password in a Duo-enabled application (like the Pulse Secure VPN client, remote.ucsf.edu, or Outlook Web Access), you will be prompted for a secondary password.
  2. Enter your Bypass Code in the secondary password field, then submit/connect