Overview

Duo offers the following methods of authentication:

• Duo Push: The most common and recommended way users utilize two-factor authentication. This requires (1) either an Android or an Apple smartphone with the application installed and enrolled to your Active Directory account, and (2) an internet connection.
• Duo Passcode: This also requires the Duo Mobile application installed to a smartphone but does not require an internet connection.
• SMS Text: This does not require a smartphone; instead, it uses SMS text messaging in the authentication process.
• Voice: This is most commonly used in a situation where there is no cell service but a LAN line is available to receive a phone call. This is a less secure option, since anyone can answer the phone. To use this option, you must register your landline's phone number on remote.ucsf.edu.
• YubiKey: This is a physical USB key that you plug into a computer to provide secondary authentication. For more detail on this option, see the YubiKey section below.
• Bypass code: This is a temporary passcode that you can use as your secondary authentication method. Bypass codes must be requested in advance and only by the person who will use them. They expire after 30 days.

Duo Push

1. After entering your network login username and password in a Duo Enabled application (e.g., Pulse Secure VPN client, remote.ucsf.edu, Outlook Web Access), you will be prompted for a secondary password.
2. In the secondary password field, type push and click Connect.
   
    
3. Some applications may offer a Send Me a Push button for you to click instead.
   
    
4. A Duo notification will appear on your smartphone.
5. Tap on the notification to open the Duo Mobile app.
   
    
6. Tap the Approve button to complete your login.
   

 Duo Passcode

1. After entering your network login username and password in a Duo-enabled application (e.g., desktop or mobile Pulse Secure VPN client, remote.ucsf.edu, Outlook Web Access), you will be prompted for a secondary password.
    
   
    
2. Launch the Duo Mobile app on your smartphone and click on the green key on the right side of the UCSF entry. A 6-digit passcode will appear. 
   
   
3. Enter this 6-digit passcode in the secondary password field, then click submit/connect.

SMS Text Message

1. After entering your network login username and password in a Duo-enabled application (e.g., desktop or mobile Pulse Secure VPN client, remote.ucsf.edu, Outlook Web Access), you will be prompted for a secondary password.
    
   
2. In the secondary password field, type sms1, then click Connect. This sends a text message to the first device in your account capable of receiving text messages. To send to the second, type sms2; to the third, type sms3, and so on.
3. An invalid credentials error will be displayed. Click OK.
4. 10 passcodes will be delivered to your phone as a text message.
5. Type any of the passcodes in the secondary password field, then click Connect.
   
    

Voice Phone Call

1. After entering your network login username and password in a Duo-enabled application (e.g., desktop or mobile Pulse Secure VPN client, remote.ucsf.edu, Outlook Web Access), you will be prompted for a secondary password.
   
2. In the secondary password field, type phone1, then submit/connect. This calls the first device in your account capable of receiving phone calls. To call the second, type phone2; the third, phone3, etc.
3. Duo will call your registered landline.
4. Answer the phone, and the automated voice will prompt you to press any number.
5. Once you’ve pressed any number, you will be authenticated.

YubiKey

A YubiKey is a USB key that you plug into your computer's USB port to provide secondary authentication. YubiKeys are the keys to all of your accounts, so do not keep them with your computer in case it is ever lost or stolen.

YubiKeys have specific system requirements, so before submitting your request, refer to https://www.yubico.com/support/knowledge-base/categories/downloads/ and make sure your device is supported.

Replacement YubiKeys cost $30 each, so safeguard your YubiKey and file a report immediately if it is lost or stolen. 

View YubiKey videos, with step-by-step instructions, here.

Requesting a YubiKey

1. Go to http://help.ucsf.edu and click on Accounts, Access & Email.
2. Log into MyAccess with your network login username and password.
3. Click on Duo YubiKey (Two Factor USB Device) Request Form.
4. Fill out the form and click Submit. Your YubiKey should be delivered to us in 2 days.
5. You will receive a notification to pick up your YubiKey from an IT Health Desk location.
6. Locate the closest IT Health Desk and bring your photo ID so we can verify your identity.

Using a YubiKey

1. Insert the YubiKey into your computer’s USB port.
2. After entering your network login username and password in a Duo-enabled application (e.g., the desktop or mobile Pulse Secure VPN client, remote.ucsf.edu or Outlook Web Access), you will be prompted for a secondary password.
3. Click in the secondary password field, then press the button on your YubiKey.

Bypass code

A bypass code is a temporary passcode that you can use as your secondary authentication method. Bypass codes must be requested in advance and only by the person who will use them. They expire after 30 days.

Requesting a bypass code

1. Call the UCSF IT Service Desk (415-514-4100) and ask for a Duo bypass code.
2. The Service Desk agent will ask you questions to verify your identity.
3. Once you verify your identity, the Service Desk agent will create a bypass code unique to your network login username.

Using a bypass code

1. After entering your network login username and password in a Duo-enabled application (e.g., the desktop or mobile Pulse Secure VPN client, remote.ucsf.edu or Outlook Web Access), you will be prompted for a secondary password.
2. Enter your bypass code in the secondary password field, then click Connect.