it.ucsf.edu

Duo Frequently Asked Questions (FAQs)

Kevin Dale's picture

Duo-related question and tips. If you don't see your question answered here, please contact the IT Service Desk.

Duo Basics

What is Duo and how does it benefit me?

Do I have to enroll?

I'm a WOS faculty member, and I only need access to the Library. Do I still need to enroll in Duo?

Is there a cost for using Duo?

Why aren't you rolling Duo out gradually?

Will there be a chance to hear more about Duo and these new security measures?

What if I don't use UCSF email or VPN; do I need Duo?

You say that I don't have to use Duo if I'm on the UCSF network, but I'm not sure if my location is included in that. How can I tell?

Once I login with Duo, how long until I need to login again for the same application?

Options for using Duo

What if I don't have a smartphone, or don't want to use my smartphone for Duo?

What if I am on an airplane, or overseas, and cannot access the internet on my smartphone?

I've heard about Yubikeys. Can I make a bulk request for several Yubikeys for my department?

AnchorWhat if I’m using WebConnect for the Department of Public Health?

AnchorHow do I add another device like my iPad in addition to my phone or manage my Duo settings?

Can I use another authentication service, like Google Authenticator, instead of Duo?

Enrolling with Duo

Where can I find out how to enroll in Duo?

I have an employee with a new phone. How do we get it set up?

I already have Duo setup with my smartphone, but just got a new phone. What do I do?

I accidentally deleted the Duo Mobile app. When I reinstalled the app it no longer worked. What do I do?

If I have multiple Active Directory (AD) accounts, which one should I use to register with Duo?

Does Duo require an email address?

Duo for VPN

I'm a VPN user and I don't use Duo yet. Do I have to upgrade my Pulse VPN client?

I use Pulse Secure VPN on my mobile device. Do I need to update my app to use Duo?

What if I am already using Duo with VPN?

Will my VPN session length change when I start using Duo?

What if I use remote.ucsf.edu?

Duo for Outlook Web Access (OWA, email.ucsf.edu)

How do I log into my email account via the web when I'm not at work?

I log into my group's resource account via email.ucsf.edu. Will I need to use Duo for that? How do I enroll our resource account?

Duo for APeX Connect Portal (connect.ucsfmedicalcenter.org)

When I log into the APeX Connect Portal and complete my Duo login, I am prompted to install something. What is that?

AnchorI cannot use my mobile phone for Duo, what are my other options?​

AnchorWhat will happen on 8/8?

AnchorHow do I enroll in Duo?

AnchorWhat if I didn’t get a Duo email?

AnchorI work at UBCP or HBTB, do I need Duo?

If I log into the APeX Connect Portal more than once from the same browser, do I need to use Duo each time?

YubiKeys

What should I do if lose my Yubikey?

How can I change how I authenticate with Duo from a Yubikey to my mobile device?

Getting Help with Duo

I have more than one account. Which account should I use with Duo?

I'm getting an error message. Where can I find online help?

Is there somewhere I can get in-person help with enrolling in Duo?

Duo Basics

What is Duo and how does it benefit me?

We are using a third-party application called Duo to provide two-factor authentication on systems like VPN and Outlook Web Access. Phishing and brute force attacks are increasing exponentially, and so are the risks that your credentials may be stolen. Duo provides a second layer of protection beyond your password, to ensure that every login from every device is legitimate. This helps us protect you, your work, and the university.

Do I have to enroll?

You will need to enroll in Duo if you use an application or service that requires it, such as VPN, Outlook Web Access, or other applications that include ePHI. It takes less than five minutes to enroll.

I'm a WOS faculty member, and I only need access to the Library. Do I still need to enroll in Duo?

If you use UCSF VPN to access Library resources, then yes, you need to enroll in Duo. If you only use the Library's EZProxy service to access Library resources, then no, you do not need Duo.

Is there a cost for using Duo?

No, there is no cost for your account, enrollment, or the Duo Mobile smartphone app.

Will there be a chance to hear more about Duo and these new security measures?

Yes, there will be Town Halls, locations and invitations to follow by email.

  • Parnassus: 11/16 from 3-4 PM
  • Mission Bay: Wednesday 11/29, 1:30-3 PM, Rock Hall 102
    • Live streaming link. After it is finished live streaming, the same link will be used to view the recorded town hall, on-demand.

AnchorWhat if I don't use UCSF email or VPN? Do I need Duo?

If you don’t use UCSF Outlook Web Access or VPN, you don’t need Duo at this time. Access to email from mobile devices will not change.

Why aren't you rolling Duo out gradually?

It’s a technical limitation – it’s either on or off for everyone.

You say that I don't have to use Duo if I'm on the UCSF network, but I'm not sure if my location is included in that. How can I tell?

Most UCSF sites will not require Duo, including ZSFG and most of SF DPH, the SF VAMC, and remote UCSF locations, so you can access OWA from these sites without using Duo. Community Connect sites connect to UCSF over the internet though, so they will need to use Duo for VPN or OWA access. To see if you are on the UCSF network now, try to access HBS. If you are on the UCSF network you will be be presented with the MyAccess login screen, and if you are not on the UCSF network you will receive an error.

Once I login with Duo, how long until I need to login again for the same application?

Your session length isn't determined by Duo, but by the application. When logging into an application that requires Duo, you will be prompted to authenticate with Duo each time you log in. 

Options for using Duo

What if I don't have a smartphone, or I don't want to use my smartphone for Duo?

We have outlined all of the authentication methods available on the Duo Authentication Methods page, including those that don't require the smartphone app.

AnchorWhat if I am on an airplane, or overseas, and cannot access the internet on my smartphone?

You can use the Duo Mobile smartphone app without an internet connection. Follow the instructions for using the Duo Passcode.

AnchorI've heard about Yubikeys. Can I make a bulk request for several Yubikeys for my department?

No. Each Yubikey gives access to the UCSF network, so it requires verification of identity with a photo ID for each individual user. You can request a Yubikey here.

What if I’m using WebConnect for the Department of Public Health, UCSF's e-Prescribe or some other system using Duo already?

If you’re using ZSFG's WebConnect then the Duo Mobile app is already installed on your smartphone. After you activate your UCSF account, you will see one entry for SF Dept of Public Health, and one entry for UCSF.

Credit:
MultipleDuos

How do I add another device like my iPad, in addition to my phone, or manage my Duo settings?

Go to https://remote.ucsf.edu. Log in and click “add a new device.” You will be prompted to authenticate with Duo before you can add an additional device.

Can I use another authentication service, like Google Authenticator, instead of Duo?

UCSF does not have a BAA with Google, so we can't use Google services like Authenticator. That being said, you can use Duo with the services you currently use Google Authenticator with. Please see https://guide.duo.com/third-party-accounts for more information.

Enrolling with Duo

AnchorWhere can I find out how to enroll in Duo?

There are screenshots and documentation at http://it.ucsf.edu/duo. Please pay close attention to the timing specified when following the Duo enrollment instructions. Do not upgrade your Pulse Secure VPN client to dual authentication until you get the email from Duo and click the link to enroll your account, because the dual authentication client will not work until you are enrolled.

AnchorI have an employee with a new phone. How do we get it set up?

If the new phone has the same phone number, add the Duo application to the phone and then contact the IT Service Desk so they can send another SMS/text to activate the device. 

If it is a new number, there are 2 options:

  1. Use self-service on remote.ucsf.edu website and add the new number there. Once you have signed in to the UCSF VPN, click “Add a new device”, select your authentication method, confirm authentication and select "Mobile phone" as the device you are adding. Enter the phone number and click "Continue."

  2. Provide the new number to the IT Service Desk and we can add it to the account and remove the old one.

I already have Duo setup on my smartphone, but just got a new phone. What do I do?

The process is the same as above. Go to remote.ucsf.edu, sign on and add a new device. Once you have signed in to the UCSF VPN, click “Add a new device”, select your authentication method, confirm authentication and select the type of device you are adding. Enter the phone number and click "Continue." If you run into an issue, reach out to the IT Service Desk.

I accidentally deleted the Duo Mobile app from my smartphone. When I reinstalled the app it no longer worked. What do I do?

If you delete the Duo Mobile app from your smartphone, you may need to add your smartphone back to your Duo account. Follow the instructions above. If you run into an issue, reach out to the IT Service Desk.

If I have multiple Active Directory (AD) accounts, which one should I use to register with Duo?

You should use the AD username that you use for email to register with Duo.

MyID

AnchorDoes Duo require an email address?

Yes, Duo requires an email address, but it doesn’t have to be a UCSF email. It *does* need to be linked to the Active Directory username used to sign up though, so you should use your primary AD username where you receive email. Go to MyID on the MyAccess page to see your ID(s). Look at the top left to see your AD username, which one has email, and if it is enrolled in Duo already.

Duo for VPN

AnchorI'm a VPN user and I don't use Duo yet. Do I have to upgrade my Pulse VPN client?

If you are new to using Duo with VPN, the instructions at http://it.ucsf.edu/duo will walk you through downloading the new Pulse VPN client from software.ucsf.edu. Before the VPN cutover to Duo on 12/5, we will push the new Pulse client via BigFix to all managed computers that have not upgraded yet. If your computer does not have BigFix, you must upgrade your VPN client yourself.

I use Pulse Secure VPN on my mobile device. Do I need to update my app to use Duo?

No, you do not need to update your Pulse Secure VPN mobile app. The current version already has the option to use single- or dual-authentication. For more information on using Duo with the Pulse Secure VPN mobile app see our articles on the Duo Login Experience and Duo Authentication Methods.

What if I am already using Duo with VPN?

If you are already using dual authentication, you should be able to upgrade the Pulse client anytime with no impact. You can check MyID to confirm if your account is already enrolled in Duo.

AnchorWill my VPN session length change when I start using Duo?

No, your Pulse VPN session duration will stay the same: 10 hours.

AnchorWhat if I use remote.ucsf.edu?

You can continue using remote.ucsf.edu like before. You'll just need to use Duo with your login. If you only use remote.ucsf.edu, then you don't need to download or upgrade the Pulse VPN client from software.ucsf.edu.

Duo for Outlook Web Access (OWA, email.ucsf.edu)

How do I log into my email account via the web when I'm not at work?

When you are not on the UCSF network you can access your email from a web browser at https://email.ucsf.edu. This is called Outlook Web Access, or OWA. All logins to OWA will be required to use two-factor authentication by 12/12/17. More information about how OWA works with Duo is on our Duo Login Experience page.

I log into my group's resource account via email.ucsf.edu. Will I need to use Duo for that? How do I enroll our resource account?

First, because of audit requirements, we strongly recommend that resource accounts be accessed only from your full email client (e.g., Outlook, Apple Mail, etc.). When you log into a resource account via OWA, we can't tell who logged in, so if anything ever happens to the data in that account we have no way of knowing who made the changes.

That being said: yes, you will use your individual Duo account to log into the VPN via Pulse Secure or remote.ucsf.edu.  After you're authenticated into the VPN, you can login to your department's resource accounts via OWA. You cannot enroll a resource account in Duo. Please follow the instructions on the Duo Two-Factor Authentication page.

Duo for APeX Connect Portal (connect.ucsfmedicalcenter.org)

When I log into the APeX Connect Portal and complete my Duo login, I am prompted to install something. What is that?

The first time you log into the APeX Connect Portal you are prompted to install the Citrix Receiver plugin.

Install Citrix Receiver plugin

Some browsers also require you to allow the plugin to run, or to allow the plugin to run on specific sites. Please select "Always open these types of links..." when you first connect to avoid having the notification come up every time.

Open Citrix Receiver Launcher?

Also note that if you clear your browser's cache you may have to select this option again.

Complete instructions are available from Citrix on their support website, but please contact the UCSF IT Service Desk for assistance.

I cannot use my mobile phone for Duo, what are my other options?​

Please check with your supervisor. You may be able to use a landline or a Yubikey instead of your mobile.

What will happen on 8/14?
If you are already using Duo with your Medical Center (UCSFMC) account, when you go to log into the Connect Portal (https://connect.ucsfmedicalcenter.org), you will be prompted to authenticate with Duo. If you are not already using Duo with your Medical Center account, nothing will happen until you receive your Duo enrollment email.

How do I enroll in Duo?
You should have received an email from [email protected] with the subject line "Duo Security Enrollment." Follow the instructions to complete your Duo enrollment.

What if I didn’t get a Duo email?
If it’s before 8/22, please go to Duo Two-Factor Authentication and follow the instructions to complete enrollment. If it’s after 8/22, please follow the instructions for Duo Manual Enrollment for APeX Connect Portal.

I work at UBCP or HBTB, do I need Duo?
No, unless you are a provider who works from home, you only access APeX from the Citrix Receiver. If you have further questions please ask your supervisor.

If I log into the APeX Connect Portal more than once from the same browser, do I need to use Duo each time?

When you log into the APeX Connect Portal you will see a checkbox to Remember me for 8 hours. When you check this box, any logins from the same browser session (same browser window, same computer) will not require Duo for 8 hours.

Duo for APeX Connect Portal screenshot

YubiKeys

What should I do if lose my Yubikey?

A lost Yubikey is a security risk so you need to report it ASAP. Please call the Service Desk and report it. Community Connect users must then report it to your Clinic Supervisor so you can get a replacement one.

How can I change how I authenticate with Duo from a Yubikey to my mobile device?

Contact the Service Desk to uncouple your Yubikey from your account. They can walk you through setting up your mobile device. Community Connect users must then return your Yubikey to your clinic supervisor.

Getting Help with Duo

I have more than one account. Which account should I use with Duo?

Many people have more than one account, especially if they are involved in patient care in addition to teaching, research, or administrative duties. The good news is that you only need to enroll one account with Duo in order to use it.

  • Go to https://myaccess.ucsf.edu/myid, and check each account tab to see which account is enrolled in Duo. This is the account you will use with Duo.
    MyID screen showing mail enabled and enrolled in duo
    • If you have more than one account enrolled in Duo, please use the account that is Mail Enabled.
  • If you have more than one account with the same username, then you need to specify the domain your account is in. This will work for your Pulse VPN client, https://remote.ucsf.edu, or https://email.ucsf.edu. For example, if your account is shinc, then enter your username as
    • campus\shinc if your account is in the CAMPUS domain,
    • som\shinc if your account is in the SOM domain, or
    • ucsfmc\shinc if your account is in the UCSFMC domain.

I'm getting an error message; where can I find online help?

We have documented errors messages in this FAQ, and in the Duo Authentication Methods page. If you can't find the error you are seeing, please contact the IT Service Desk for assistance.

AnchorIs there somewhere I can get in-person help with enrolling in Duo?

Yes, you can get help at IT Health Desks. You can also contact the IT Service Desk for assistance. If the Service Desk technician is unable to assist you remotely, they can dispatch a field service technician to assist you.

If you experience any problems, please contact the IT Service Desk for help at 415-514-4100.