it.ucsf.edu

Duo Frequently Asked Questions (FAQs)

Erik Wieland's picture

Duo-related questions and tips. If you don't see your question answered here, please let us know, or contact the IT Service Desk.

 

Duo Basics

What is Duo and how does it benefit me?

Do I have to enroll?

Is there a cost for using Duo?

Why aren't you rolling Duo out gradually?

Will there be a chance to hear more about Duo and these new security measures?

What if I don't use UCSF email or VPN; do I need Duo?

You say that I don't have to use Duo if I'm on the UCSF network, but I'm not sure if my location is included in that. How can I tell?

Options for using Duo

What if I don't have a smartphone, or don't want to use my smartphone for Duo?

What if I am on an airplane, or overseas, and cannot access the internet on my smartphone?

I've heard about Yubikeys. Can I make a bulk request for several Yubikeys for my department?

What if I’m using WebConnect for the Department of Public Health?

How do I add another device like my iPad in addition to my phone or manage my Duo settings?

Can I use another authentication service, like Google Authenticator, instead of Duo?

Enrolling with Duo

Where can I find out how to enroll in Duo?

I have an employee with a new phone. How do we get it set up?

I already have Duo set up with my smartphone, but just got a new phone. What do I do?

I accidentally deleted the Duo Mobile app. When I reinstalled the app it no longer worked. What do I do?

If I have multiple Active Directory (AD) accounts, which one should I use to register with Duo?

Does Duo require an email address?

Duo for VPN

I'm a VPN user and I don't use Duo yet. Do I have to upgrade my Pulse VPN client?

What if I am already using Duo with VPN?

Will my VPN session length change when I start using Duo?

What if I use remote.ucsf.edu?

Getting Help with Duo

I'm getting an error message. Where can I find online help?

Is there somewhere I can get in-person help with enrolling in Duo?

Duo Basics

What is Duo and how does it benefit me?

We are using a third-party application called Duo to provide two-factor authentication on systems like VPN and Outlook Web Access. Phishing and brute force attacks are increasing exponentially, and so are the risks that your credentials may be stolen. Duo provides a second layer of protection beyond your password, to ensure that every login from every device is legitimate. This helps us protect you, your work, and the university.

Do I have to enroll?

You will need to enroll in Duo if you use an application or service that requires it, such as VPN, Outlook Web Access, or other applications that include ePHI. It takes less than five minutes to enroll.

Is there a cost for using Duo?

No, there is no cost for your account, enrollment, or the Duo Mobile smartphone app.

Will there be a chance to hear more about Duo and these new security measures?

Yes, there will be Town Halls. Locations and invitations will follow by email.

  • Parnassus: 11/16 from 3-4 PM
  • Mission Bay: the week of 11/28

What if I don't use UCSF email or VPN? Do I need Duo?

If you don’t use UCSF Outlook Web Access or VPN, you don’t need Duo at this time. Access to email from mobile devices will not change.

Why aren't you rolling Duo out gradually?

It’s a technical limitation – it’s either on or off for everyone.

You say that I don't have to use Duo if I'm on the UCSF network, but I'm not sure if my location is included in that. How can I tell?

Most UCSF sites will not require Duo, including ZSFG and most of SF DPH, the SF VAMC, and remote UCSF locations, so you can access OWA from these sites without using Duo. Community Connect sites connect to UCSF over the internet, though, so they will need to use Duo for VPN or OWA access. To see if you are on the UCSF network now, try to access HBS. If you are on the UCSF network, you will be presented with the MyAccess login screen; if you are not on the UCSF network, you will receive an error.

Options for using Duo

What if I don't have a smartphone, or I don't want to use my smartphone for Duo?

We have outlined all of the authentication methods available on the Duo Authentication Methods page, including those that don't require the smartphone app.

What if I am on an airplane, or overseas, and cannot access the internet on my smartphone?

You can use the Duo Mobile smartphone app without an internet connection. Follow the instructions for using the Duo Passcode.

I've heard about Yubikeys. Can I make a bulk request for several Yubikeys for my department?

No. Each Yubikey gives access to the UCSF network, so it requires verification of identity with a photo ID for each individual user. You can request a Yubikey here.

What if I’m using WebConnect for the Department of Public Health, UCSF's e-Prescribe or some other system using Duo already?

If you’re using ZSFG's WebConnect then the Duo Mobile app is already installed on your smartphone. After you activate your UCSF account, you will see one entry for SF Dept of Public Health, and one entry for UCSF.


How do I add another device like my iPad, in addition to my phone, or manage my Duo settings?

Go to https://remote.ucsf.edu. Log in and click “add a new device.”

Can I use another authentication service, like Google Authenticator, instead of Duo?

UCSF does not have a BAA with Google, so we can't use Google services like Authenticator. That being said, you can use Duo with the services you currently use Google Authenticator with. Please see https://guide.duo.com/third-party-accounts for more information.

Enrolling with Duo

Where can I find out how to enroll in Duo?

There are screenshots and documentation at http://it.ucsf.edu/duo. Please pay close attention to the timing specified when following the Duo enrollment instructions. Do not upgrade your Pulse Secure VPN client to dual authentication until you get the email from Duo and click the link to enroll your account, because the dual authentication client will not work until you are enrolled.

I have an employee with a new phone. How do we get it set up?

If the new phone has the same phone number, add the Duo application to the phone and then contact the IT Service Desk so they can send another SMS/text to activate the device. 

If it is a new number, there are 2 options:

  1. Use self-service on the remote.ucsf.edu website and add the new number there. Once you have signed in to the UCSF VPN, click “Add a new device”, select your authentication method, confirm authentication and select "Mobile phone" as the device you are adding. Enter the phone number and click "Continue."

  2. Provide the new number to the IT Service Desk and we can add it to the account and remove the old one.

I already have Duo set up on my smartphone, but just got a new phone. What do I do?

The process is the same as above. Go to remote.ucsf.edu, sign on and add a new device. Once you have signed in to the UCSF VPN, click “Add a new device”, select your authentication method, confirm authentication and select the type of device you are adding. Enter the phone number and click "Continue." If you run into an issue, reach out to the IT Service Desk.

I accidentally deleted the Duo Mobile app from my smartphone. When I reinstalled the app it no longer worked. What do I do?

If you delete the Duo Mobile app from your smartphone, you may need to add your smartphone back to your Duo account. Follow the instructions above. If you run into an issue, reach out to the IT Service Desk.

If I have multiple Active Directory (AD) accounts, which one should I use to register with Duo?

You should use the AD username that you use for email to register with Duo.


Does Duo require an email address?

Yes, Duo requires an email address, but it doesn’t have to be a UCSF email. It *does* need to be linked to the Active Directory username used to sign up though, so you should use your primary AD username where you receive email. Go to MyID on the MyAccess page to see your ID(s). Look at the top left to see your AD username, which one has email, and if it is enrolled in Duo already.

Duo for VPN

I'm a VPN user and I don't use Duo yet. Do I have to upgrade my Pulse VPN client?

If you are new to using Duo with VPN, the instructions at http://it.ucsf.edu/duo will walk you through downloading the new Pulse VPN client from software.ucsf.edu. Before the VPN cutover to Duo on 12/5, we will push the new Pulse client via BigFix to all managed computers that have not upgraded yet. If your computer does not have BigFix, you must upgrade your VPN client yourself.

What if I am already using Duo with VPN?

If you are already using dual authentication, you should be able to upgrade the Pulse client anytime with no impact. You can check MyID to confirm if your account is already enrolled in Duo.

Will my VPN session length change when I start using Duo?

No, your Pulse VPN session duration will stay the same: 10 hours.

What if I use remote.ucsf.edu?

You can continue using remote.ucsf.edu like before. You'll just need to use Duo with your login. If you only use remote.ucsf.edu, then you don't need to download or upgrade the Pulse VPN client from software.ucsf.edu.

Getting Help with Duo

I'm getting an error message; where can I find online help?

We have documented error messages in this FAQ and on the Duo Authentication Methods page. If you can't find the error you are seeing, please contact the IT Service Desk for assistance.

Is there somewhere I can get in-person help with enrolling in Duo?

Yes, you can get help at IT Health Desks. You can also contact the IT Service Desk for assistance. If the Service Desk technician is unable to assist you remotely, they can dispatch a field service technician to assist you.

If you experience any problems, please contact the IT Service Desk for help at 415-514-4100.