Overview

What is multi-factor authentication?

Phishing and brute force attacks are increasing exponentially, and so are the risks that your credentials may be stolen. Multi-factor authentication, or MFA, provides added security control. 

Multi-factor authentication requires users to provide multiple identifying factors before they will be allowed access to an application or device. We are using a third-party application called Duo to provide two-factor authentication (a subset of multi-factor authentication) for systems such as Remote Access, VPN and Outlook Web Access. 

Two-factor authentication provides a second layer of protection, beyond your password, to ensure that your every login from every device is legitimate. This helps us protect you, your work, and the University. 

Incoming UCSF students and onboarding UCSF staff only: As part of your on-boarding process a UCSF email account has been created for you.  Instructions for completing Duo enrollment have been sent to that address.  This message will come from [email protected].  If you have not received these instructions, install the Duo app as described above and then follow the steps below. 

1. Open a web browser and go to https://myaccess.ucsf.edu. Use your UCSF username and password and click “LOGIN” to log in.
   
2. If you currently have no device enrolled in Duo, you will be presented with the following screen. Press the "Start setup" buttons.  If you see a different screen skip to "Managing and enrolling additional devices" (below).
   
3. Select the type of device you will be using for multi-factor authentication. Most likely, this will be a mobile phone, although it is not uncommon to use a landline.
   
4. Then enter your device's phone number.
   
5. This step will cause the Duo service to attempt to contact your device. This is a critical step that establishes trust between you and Duo, ensuring that you possess the device with the number entered.
   
6. During this step you will choose the default multi-factor authentication method. This can be a push, a voice call or you can have it ask you each time you attempt to authenticate. A push is a small popup window sent to your phone with options for you to authorize or reject the connection attempt.
   
7. For mobile phones, it is recommended that you select “Automatically send this device a Duo Push”. For a landline, choose “Automatically call this device”. For more information on Duo authentication methods refer to Duo Authentication Methods. 
   
8. You are now ready to perform your first Duo multi-factor authentication to the MyAccess website and enrollment of your device in Duo is now complete.
   

Please refer to How does changing a phone, number, or SIM card affect Duo Mobile? from Duo for help with adding an additional phone or other device (such as an iPad). Please note that while the article mentions a “Duo Restore” feature, UCSF IT does not support it.