Duo provides the following authentication methods:

• Duo Push: Default verification method for Duo users with a smart device, and UCSF IT’s recommended method for multi-factor authentication. This requires a smartphone or tablet (running Android or iOS) with the Duo Mobile application installed and enrolled to your Active Directory account, and an internet connection. 
• Duo Passcode: Alternate option for verification; this also requires the Duo Mobile application installed to a smart device but does not require an internet connection.
• SMS Text: Alternate option for verification that does not require a smart device. Instead, it uses SMS text messaging in the authentication process. This is a less secure option, as phones may display SMS text messages on devices lock screen. NOTE: In the future, UCSF IT will no longer offer this authentication option.
• Phone Call: Alternate option for verification that does not require a smart device. This is a less secure option, as most phones by default allow anyone to answer calls without unlocking the device. NOTE: In the future, UCSF IT will no longer offer this authentication option. 
• YubiKey: Physical USB key that you plug into a computer to provide secondary authentication.
  NOTE: YubiKeys are not available to UCSF Health Saint Francis and UCSF Health St. Mary's hospital employees
• Token: A hard token generate passcodes used for multi-factor authentication

Duo Push

1. Enter your UCSF email address and password in a Duo-enabled application (e.g., MyAccess, Outlook Web Access).

2. Duo will automatically send you a push notification to your Duo enrolled device. 
NOTE: Duo will send a Duo Push as a default. 

3. A Duo push notification will appear on your device. 

4. Tap the notification to open the Duo Mobile app.

5. On the prompt, select the Approve button to complete your login. 
NOTE: Be sure to review the information on the Duo Push to ensure that the information is correct and that you initiated the push notification.

6. Select whether to remember the device you are using by selecting Yes, this is my device for any device that only you use and trust. By remembering your device, you will not be required to provide authenticate with Duo for 16 hours.  NOTE: If you are using a public or shared device, select the No, other people use this device option.
 

Other Options

Duo Mobile Passcode

1. When you receive the screen to Check for a Duo Push, select Other Options. 

2. Select Duo Mobile passcode.

3. Launch the Duo Mobile app on your device and expand the UCSF entry. A six-digit passcode will appear. NOTE: You will have to refresh the passcode after every use; this code is only valid for one-time use. 

4. Enter the six-digit passcode on the device you are attempting to log into, then select Verify.

5. Select whether to remember the device you are using by selecting Yes, this is my device for any device that only you use and trust. NOTE: If you are using a public or shared device, select the No, other people use this device option. 

SMS Text Message Passcode

1. On the Check for a Duo Push screen, select Other Options.

2. Select Text message passcode.

3. You will receive a text message on your Duo registered device with a seven-digit passcode to enter in Duo. 

4. Enter the seven-digit passcode from your text message and select Verify.

5. Select whether to remember the device you are using by selecting the Yes, this is my device for any device that only you use and trust. NOTE: If you are using a public or shared device, select the No, other people use this device option.

Phone Call

1. From the Check for a Duo Push screen, select Other Options. 

2. Select Phone call. 

3. Duo will call your Duo registered device.

4. Answer and listen to the call

5. Press the number specified on screen and on the call to verify your login. 
NOTE: If you select the wrong key, the verification will fail. 

6. Once you have pressed that key, you will be authenticated. 

7 . Select whether to remember the device you are using by selecting Yes, this is my device for any device that only you use and trust. NOTE: If you are using a public or shared device, select the No, other people use this device option. 

YubiKey

A YubiKey is a physical security device that plugs into your computer's USB port to provide two-factor authentication. Since a YubiKey grants access to your UCSF computing accounts, be sure to keep it in a safe place at all times, and do not leave your YubiKey plugged into or near your computer unattended.

Report a lost or stolen YubiKey immediately. Replacement YubiKeys cost $30 each.

Requesting a YubiKey

1. Go to http://help.ucsf.edu and select Accounts, Access & Email.
2. Log into MyAccess with your network login username and password.
3. Select Duo YubiKey (Two-Factor USB Device) Request Form.
4. Fill out the form and click Submit. Your YubiKey should be delivered to UCSF IT within two business days.
5. You will receive a notification to pick up your YubiKey from an IT Health Desk location.
6. Locate the closest IT Health Desk and bring your photo ID so we can verify your identity.

Using a YubiKey

1. Insert the YubiKey into your computer’s USB port.

2. On the Check for a Duo Push, select Other Options. 

3. Select YubiKey passcode.

4. Select the Passcode field and press your YubiKey button to enter before selecting the Verify button.

5. Select whether to remember the device you are using by selecting Yes, this is my device for any device that only you use and trust. NOTE: If you are using a public or shared device, select the No, other people use this device option.
 

Token

1. Enter your UCSF email address and password in a Duo-enabled application such as MyAccess, VPN, or Outlook Web App

2. When the Duo Screen loads, select the Other Options link

3. From the Other Options to log in screen, select the Hard Token Option

4. Press the Green button on your token to generate a one-time use six-digit passcode

5. Enter the six-digit passcode from your Duo Token into Duo before selecting the Verify button to be logged into the desired system or application