What is two-factor authentication?
- Two-factor authentication is a type, or subset, of multifactor authentication, or MFA. With multifactor authentication, a computer user is granted access only after successfully presenting two (i.e., "two-factor") or more pieces of evidence to an authentication mechanism. The three most common authentication pieces of evidence involve the user's knowledge, possession and inherence.
How does two-factor authentication benefit me?
- Two-factor authentication helps us protect you, your work and the University by providing a second layer of protection, beyond your network login password, to ensure that your every login from every device is legitimate.
- By providing two-factor authentication on systems such as VPN and Outlook Web Access, we are ensuring that you, and only you, are accessing the systems you use that contain sensitive information, protecting you and the University from identity theft.
What is Duo?
- Duo is the application UCSF has chosen for its multi-factor authentication solution.
Do I have to enroll?
- You will need to enroll in Duo if you use an application or service that requires it, such as VPN, Outlook Web Access, Remote Access or any other applications that include accessing ePHI.
I'm a without salary (WOS) faculty member, and I only need access to the Library. Do I still need to enroll in Duo?
Is there a cost for using Duo?
What if I don't use UCSF email, VPN or MyAccess? Do I need Duo?
- If you don’t use UCSF Outlook Web Access, VPN or MyAccess, you don’t need Duo at this time. Your access to email from mobile devices will not change.
You say I don't have to use Duo if I'm on the UCSF network, but I'm not sure if my location is included in that. How can I tell?
- Most UCSF sites will not require Duo, including ZSFG and most of SF DPH, the SF VAMC and remote UCSF locations, so you can access Outlook Web Access from these sites without using Duo.
- Community Connect sites connect to UCSF over the internet, however, so they will need to use Duo for VPN or Outlook Web Access access.
- To see if you are on the UCSF network now, try to access HBS. If you are on the UCSF network, you will be presented with the MyAccess screen. If you are not on the UCSF network you may receive either an error message or the spinning icon of your browser indicating failure to connect.
Once I log in with Duo, how long until I need to log in again for the same application?
- Your session length is determined by the application, not by Duo. However, each time you log into an application that requires Duo, you will be prompted to initiate Duo authentication.
Options for using Duo
What if I don't have a smartphone, or I don't want to use my smartphone for Duo?
What do I do if I'm on an airplane, or overseas, and cannot access the internet on my smartphone?
- You can use the Duo Mobile smartphone app without an internet connection. Follow the instructions for using the Duo Passcode.
I've heard about YubiKeys. Can I make a bulk request for several YubiKeys for my department?
- No. Because each YubiKey gives access to the UCSF network, identification with a photo ID is required for every user. You can request a YubiKey here.
What if I’m using WebConnect for the Department of Public Health, UCSF's e-Prescribe or some other system that's already using Duo?
- If you’re using ZSFG's WebConnect, then the Duo Mobile app is already installed on your smartphone. After you activate your UCSF DUO account, you will see an entry for the system DUO was previously utilizing, such as the SF Dept of Public Health, along with an additional entry for UCSF. The graphic below illustrates this for e-Prescribe and UCSF (both the user and an admin account).
I am already enrolled in Duo, how do I add another device such as my iPad in addition to my phone?
- You can add a new device such as a tablet after logging into remote.ucsf.edu with your network login and selecting Add a new device.
Can I use another authentication service, like Google Authenticator, instead of Duo?
- UCSF does not have a BAA with Google, so we can't use Google services like Authenticator. However, you can use Duo with the Google Authenticator services you currently use. See Duo Third-Party Accounts for more information.
Enrolling in Duo
Where can I find out how to enroll in Duo?
- If you are a UCSF Faculty, Staff, Student or designated Guest with an Active Directory and Email account you are automatically enrolled in DUO at the time your account is created. If you were not enrolled a DUO account can be requested for you by any UCSF Faculty or Staff member by using the IT Web Site "Submit a Ticket" link under the Get Help section.
I have Duo set up on my smartphone, but I just got a new device. What do I do?
I accidentally deleted the Duo Mobile app from my smartphone. When I reinstalled the app, it no longer worked. What do I do?
- If you delete the Duo Mobile app from your smartphone, you may need to add your smartphone back to your Duo account.
- If the new phone has the same phone number, add the Duo application to the phone, then contact the IT Service Desk to request another SMS/text to activate the device. If it is a new number, provide the new number to the IT Service Desk. They will add it to the account and remove the old one.
- If you run into an issue, reach out to the IT Service Desk.
If I have multiple network logins, which one should I use with Duo?
- Use the network login with Duo that you use for email. You can review this information by going to https://myaccess.ucsf.edu/myid, as shown in the graphic below:
Does Duo require an email address?
- Yes, Duo requires an email address, but it doesn’t have to be a UCSF email. However, it does need to be linked to the Active Directory username you use, so you should use your primary AD username where you receive email.
- Go to MyID on the MyAccess page and click on your network login username.
- Look at the Enrolled in Duo? line to see if your username is already enrolled.
- If your username cannot be enrolled, the Enrolled in Duo? line will indicate the account is ineligible.
Duo for Outlook Web Access (OWA, email.ucsf.edu)
How do I log into my email account via the web when I'm not at work?
- When you are not on the UCSF network, you can access your email from a web browser at email.ucsf.edu. This is called Outlook Web Access, or OWA.
- All logins to OWA are required to use two-factor authentication. Find more information about how OWA works with Duo on our Duo Login Experience page.
I log in to my group's resource account via email.ucsf.edu. Will I need to use Duo for that? How do I enroll in our resource account?
- First, because of audit requirements, we strongly recommend that resource accounts be accessed only from your full email client (e.g., Outlook, Apple Mail). When you log into a resource account via OWA, we can't tell who logged in. So if anything ever happens to the data in that account, we have no way of knowing who made the changes.
- Yes, you will use your individual Duo account to log into the VPN via Pulse Secure or remote.ucsf.edu. After you're authenticated into the VPN, you can log in to your department's resource accounts via OWA.
- You cannot enroll a resource account in Duo. Please follow the instructions on the Duo Two-Factor Authentication page.
When I log in to the APeX Connect Portal and complete my Duo login, I am prompted to install something. What is that?
- The first time you log in to the APeX Connect Portal, you are prompted to install the Citrix Receiver plugin.
- Some browsers also require you to allow the plugin to run or to allow the plugin to run on specific sites. When you first connect, select Always open these types of links... to avoid having the notification come up every time.
If I work at UBCP or HBTB, do I need Duo?
- No, unless you're a provider who works from home. You only access APeX from the Citrix Receiver. If you have further questions, please ask your supervisor.
If I log into the APeX Connect Portal more than once from the same browser, do I need to use Duo each time?
- When you log into the APeX Connect Portal, you will see a checkbox to Remember me for 8 hours. When you check this box, any logins from the same browser session (same browser window, same computer) will not require Duo for 8 hours.
What should I do if lose my YubiKey?
- A lost YubiKey is a security risk, so you need to report it ASAP by calling the IT Service Desk at 415-514-4100. Community Connect users: Next, report it to your clinic supervisor to get a replacement YubiKey.
How can I change how I authenticate with Duo from a YubiKey to my mobile device?
- Contact the ITService Desk to uncouple your YubiKey from your account. They can walk you through setting up your mobile device. Community Connect users: Next, return your YubiKey to your clinic supervisor.
Getting help with Duo
I cannot use my mobile phone for Duo. What are my other options?
- Please check with your supervisor. You may be able to use a landline or a YubiKey instead of your mobile phone.
What if I didn’t get the Duo email needed to enroll in Duo?
- You should have received an email from
firstname.lastname@example.org with the subject line Duo Security Enrollment. If you do not receive this email, contact the IT Service Desk.
I have more than one account. Which account should I use with Duo?
- Many people have more than one account, especially if they're involved in patient care in addition to teaching, research or administrative duties. The good news is that you only need to enroll one account with Duo in order to use it.
- Go to https://myaccess.ucsf.edu/myid, and check each account tab to see which account is enrolled in Duo. This is the account you will use with Duo.
- If you have more than one account enrolled in Duo, please use the account that is Mail Enabled. If you have more than one account with the same username, then you need to specify the domain your account is in. This will work for your Pulse VPN client, remote.ucsf.edu or email.ucsf.edu.
- For example, if your account is
shinc, then enter your username as:
campus\shinc if your account is in the CAMPUS domain
som\shinc if your account is in the SOM domain
ucsfmc\shinc if your account is in the UCSFMC domain
I'm getting an error message; where can I find online help?
Is there somewhere I can get in-person help with enrolling in Duo?
- Yes, you can get in-person help from IT Health Desks. You can also contact the IT Service Desk for assistance. If the Service Desk technician is unable to help you remotely, he or she can dispatch a field service technician to assist you.
- If you experience any problems, please contact the IT Service Desk for help at 415-514-4100.