This content is viewable by Everyone

Multi-Factor (Duo) FAQs

Save

Audience: Affiliate, Faculty, Staff, Technical Partner
Service Category: Access & Identity
Owner Team: Identity and Access Management
Service:
Multi-Factor Authentication (Duo)

Overview

These Frequently Asked Questions (FAQs) are updated on a regular basis, so if your question isn't answered here, please contact the IT Service Desk at help.ucsf.edu — the most common questions received from users will be added to this list of FAQs.

Quick Links

Two-Factor Basics
Getting Help with Duo
Options for Using Duo
Enrolling in Duo
Duo for Outlook Web Access
YubiKeys

Two-Factor Basics

What is Multi-factor authentication?

Multi-factor authentication (MFA) requires a user to provide at least two pieces of evidence that they are the account owner. Duo is the application UCSF has chosen for its MFA solution.

How does MFA benefit me?

MFA helps UCSF IT protect you, your work, and all of UCSF. By providing a second layer of protection, beyond your UCSF username and password, MFA ensures that every login from every device is legitimate.
You will use MFA on systems like VPN, MyAccess, and Outlook Web Access [or any application used to access electronic Protected Health Information (ePHI)], ensuring that you, and only you, are able to access sensitive information.

I'm a Without Salary (WOS) faculty member, and I only need access to the Library. Do I still need to enroll in two-factor authentication?

Yes, in order to ensure that only those with legitimate access to the library can be authenticated.

Is there a cost for using two-factor authentication?

No, two-factor authentication is a cost-free way to protect your and the University’s information.

Do I have to use two-factor authentication if I’m on-site at a UCSF location and connected to the UCSF network?

No, most UCSF sites will not require Duo if you are connected to the UCSF network. These sites include:
- Zuckerberg San Francisco General (ZSFG)
- San Francisco Department of Public Health (SF DPH)
- San Francisco Veterans Affairs Medical Center (SF VAMC)
- Remote UCSF locations (e.g., UCSF remote clinics)

Once I log in with MFA, how long until I need to log in again for the same application?

Session length is determined by the application rather than Duo. NOTE: Each time you close the application or disconnect from the UCSF network, you may be required to initiate Duo authentication to access that application again.

Getting Help with Duo

Why does the Duo screen look different, and default to a Duo Push notification for some of my applications?

UCSF has begun to roll out Duo Universal Prompt, which provides a simplified Duo experience over the traditional prompt, helping you log in to your applications faster than before.
Although the Duo Universal Prompt appears different, it still supports a wide range of Duo login options, so you can choose the options that work best for you.
This roll-out will be done gradually, so certain applications will move to Duo Universal Prompt sooner than others — all applications will move to Duo Universal Prompt by November 2023.
For help navigating the new Duo interface, please reference Multi-Factor (Duo) Authentication Methods.
You can find documentation on how to navigate the traditional Duo experience on Duo's how-to website. Alternatively, your application may first require a sign-in through a platform other than MyAccess, such as Okta (shown in below screenshot). Enter your respective username and password as normal before being rerouted back to the Duo experience.

Why am I seeing the message "Access denied. Duo Security does not provide services in your current location" in the Duo Prompt?

Users will experience this or a similar error message if they attempt to access UCSF resources from the following regions/countries:
- Cuba
- North Korea
- Iran
- Sudan
- Syria
- Crimea region
- Donetsk region
- Luhansk region
- Sevastopol region
- Belarus
- Russian Federation

NOTE: This restriction is enforced by the UCSF deployment of Duo multi-factor authentication, and affects foreign collaborators and offsite employees in regions restricted by the US government by blocking access to many UCSF computing resources and networks, including UCSF VPN, email, APeX, among others. Details of how Duo enacts this restriction can be found here.

If you plan to be in one of these regions and lack of access to Duo will be an issue for you, please contact the Service Desk.

I cannot use my mobile phone for Duo. What are my other options?

Please consult with your supervisor.

I have more than one UCSF account. Which account should I use with Duo?

Many individuals at UCSF may have more than one account, and despite the multiple accounts, you will only need one account enrolled within Duo.
To verify the account to enroll within Duo, complete the following steps:
- Navigate and log into https://myaccess.ucsf.edu/myid.
- Select every Account tab until you locate the account with Duo Enabled: Yes.
  - NOTE: If you have multiple accounts enrolled in Duo, use the account that is Mail Enabled.
If you have multiple accounts with the same username, you will need to specify the domain that the account is in.
- For example, if your account username is shinc, then enter your username as:
  - campus\shinc if your account is in the CAMPUS domain
  - som\shinc if your account is in the SOM domain
  - ucsfmc\shinc if your account is in the UCSFMC domain

I'm getting an error message I don’t see on this FAQ. Where can I find online help?

Please contact the IT Service Desk for assistance.

Is there somewhere I can get in-person help with enrolling in Duo?

Yes, you can get in-person help from IT Health Desks. You can also contact the IT Service Desk for assistance. If the Service Desk technician is unable to help you remotely, a field service technician can be dispatched to assist you directly.
If you experience any problems, please contact the IT Service Desk for help at 415.514.4100.

Options for Using Duo

I want to use an authentication method other than a Duo Push to my smartphone. How do I do that?

Duo supports mobile passcode, and token verification methods in addition to Push. Please refer to the Multi-Factor (Duo) Authentication Methods for assistance and scroll down to Other Options to find method that works best for you.

What do I do if I'm on an airplane, overseas, or otherwise cannot access the internet on my smartphone?

You can use the Duo Mobile app without an internet connection. Review the instructions for using Duo Passcode in Multi-Factor (Duo) Authentication Methods.

I've heard about YubiKeys. Can I make a bulk request for several YubiKeys for my department?

No, because identification with a photo ID is required for every YubiKey user. You can request a YubiKey here.

What if I’m using WebConnect for the Department of Public Health, UCSF's e-Prescribe, or some other system that's already using Duo?

If you’re using ZSFG's WebConnect, then Duo Mobile is already installed on your smartphone. After you activate your UCSF Duo account, you will see entries for the systems that Duo will be utilizing, one for SF Department of Public Health and an additional entry for UCSF. The graphic below illustrates this for e-Prescribe and UCSF (both the user and an admin account).

A picture showing the choice in Duo between UCSF and e-prescribe

I am already enrolled in Duo. How do I add another device, such as my iPad, in addition to my phone?

Please refer to the following page: Managing, Updating, and Enrolling Additional Devices in Duo.

Can I use another authentication service, like Google Authenticator, instead of Duo?

No, because UCSF only allows Duo for multi-factor authentication.

Enrolling in Duo

How can I enroll in Duo?

Please refer to the following page: Enrolling Your First Device in Duo.

NOTE: Duo Multifactor Authentication requires minimum versions for both the Duo app and phone operating system are installed. The following are the current minimum versions for both Duo and phone operating systems:

Duo mobile app version: 4.55.0 or later

iOS version: 14 or later

Android version: 12 or later

I previously had Duo set up on my old smartphone, but I just received a new device. What do I do?

Please refer to the following page: Managing, Updating, and Enrolling Additional Devices in Duo.

I accidentally deleted the Duo Mobile app from my smartphone. When I reinstalled the app, it no longer worked. What do I do?

If the Duo Mobile app is deleted from your smartphone, your smartphone may need to be added back to your Duo account.
If the new phone has the same phone number, add the Duo application to the phone, then contact the IT Service Desk to request a text to activate the device. If it is a new number, provide the new number to the IT Service Desk. They will add it to the account and remove the old one.
If you run into an issue, please reach out to the IT Service Desk.

Duo for Outlook Web Access (OWA)

How do I log into my email account via the web when I'm not at work?

When you are not on the UCSF network, you can access your email from a web browser in Outlook Web Access (OWA) at email.ucsf.edu. NOTE: All logins to OWA are required to use multi-factor authentication.

I log in to my group's resource account via email.ucsf.edu. Will I need to use Duo for that? How do I enroll in our resource account?

UCSF IT strongly recommends that resource accounts (e.g., Accounts used for conference rooms, equipment and other shared items within a department) be accessed directly from your email client (e.g., Outlook, Apple Mail) because of Audit requirements. When you log into a resource account via OWA, UCSF IT is unable to tell who logged in, which means that if anything ever happens to that account, UCSF IT has no way of knowing who made the changes.
Yes, you will use your individual Duo account to access VPN via Pulse Secure or remote.ucsf.edu. Once authenticated into VPN, you can log in to your department's resource accounts via the Outlook Web App.
You cannot enroll a resource account in Duo. Please follow the instructions on the Duo Multi-Factor Authentication page.

YubiKeys

A YubiKey is a physical USB key that you plug into a computer to provide secondary authentication. NOTE: YubiKeys are not available to UCSF Health Saint Francis and UCSF Health St. Mary's hospital employees. While, YubiKeys will not be offered in the future to UCSF employees, existing YubiKeys will be supported and it is recommended to request a token if you are not able to use your smartphone or tablet with Duo.

How do I request a YubiKey?

Go to http://help.ucsf.edu and click on Accounts, Access & Email.
Log into MyAccess with your network login username and password.
Select the  Duo YubiKey (Two Factor USB Device) Request  Form.
Fill out the form and click Submit. Your YubiKey should be delivered to us in 2 days.
You will receive a notification to pick up your YubiKey from an IT Health Desk location.
Locate the closest IT Health Desk and bring your photo ID so we can verify your identity.

What should I do if lose my YubiKey?

A lost YubiKey represents a security risk, so you need to report it ASAP by calling the IT Service Desk at 415.514.4100.
- If you are a Community Connect User, report the loss to your clinic supervisor to get a replacement YubiKey.

How can I change how I authenticate with Duo from a YubiKey to my mobile device?

Contact the IT Service Desk to uncouple your YubiKey from your account. They will walk you through setting up your mobile device.
- If you are a Community Connect user, you will need to return the YubiKey to your clinic supervisor.