What is 2-Factor Authentication, and why is it safer than my UCMNetId password?
Duo adds a second layer of security to our sign-on process that greatly decreases the risks posed by phishing, social engineering, password brute-force attacks, and attackers exploiting weak or stolen credentials.
The two factors in 2-Factor Authentication are your password (something you know), and a device of your choosing (something you have).
With two-factor authentication, even if someone manages to get your password and tries to log in, Duo will notify you and you can deny them access to your account.
Why are we using Duo as our vendor for Two-Factor Authentication?
All University of California campuses and health centers have selected Duo—the Two-Factor Authentication vendor of choice in higher education—as their vendor for 2FA.
Which applications require 2-factor authentication?
Most campus applications that access sensitive data (UC Path, Office 365 webmail, Box, etc.) are protected by 2FA now. All single sign-on protected applications will be updated to require 2FA in the coming months.
How often will I have to authenticate via 2FA?
This varies depending on the settings of the specific application and your usage pattern.
Most users accessing applications from the same device and browser will see a handful of 2FA requests per day. Alternatively, users can select the "trust browser" box from the authentication screen, which will suppress 2FA prompts from the same device/browser for 14 days.
Doesn’t “Trust Browser” defeat the purpose of using Duo 2FA to protect campus accounts?
No. The purpose of Duo 2FA is to make it harder for phishers and cyber thieves to access your information and accounts. If phishers have stolen your password and you’ve selected “trust browser,” they can’t log in to your accounts unless they have also stolen your device.
After selecting "Trust Browser," you can only bypass the Duo Authentication step on the device and browser you were using at the time you checked the box.
How do I cancel the 2FA “Trust Browser” function?
If you want to cancel the "Trust Browser" feature for any reason, simply clear the browser’s cookies and cache. When you restart your browser you’ll see that it no longer “remembers” your Duo credentials.
Can I click “Trust Browser” on a shared computer?
To keep your account secure, never use the feature on public or shared devices! "Trust Browser" should only be used with a device you own or that is assigned only to you.
I clicked “Trust Browser” but it’s not working. Help!
If your web browser is set to clear cache and cookies upon close, the Trust Browser option will not work. If you wish, you can disable the setting that clears cache and cookies in Chrome, Firefox, or any other browser of your choice. For mobile devices, go to settings and enable cookies for the browser.
Can I register multiple devices?
Yes! We encourage you to register as many devices as you have available during the initial enrollment process. You can register smartphones, tablets, and U2F devices. If you need to register another device once you have completed the initial enrollment process, you may do so whenever you need to authenticate; learn how here.
OIT recommends that you register at least two devices, for example both your smartphone and a tablet, or a smartphone and your office phone. In the event that you lose one device, you will still be able to access protected systems using your secondary device.
I am a delegate for another individual in Office 365 / Outlook. How does 2FA impact this arrangement?
Mailbox delegation is a separate process and is not impacted by 2FA. No change in permissions or behavior will result from the implementation of 2FA.
Are service accounts required to enroll in 2FA?
Service accounts will be required to enroll in 2FA on a case-by-case basis (if your account is required to enroll, OIT will email you specifically about this change). It is a good idea to do so, as shared accounts are even more susceptible to compromise than traditional accounts.
OIT can help you manage authentication on your service account in a number of ways, including registering authentication devices for each authorized user and providing hardware tokens through which users can authenticate.
Are affiliate accounts required to enroll in 2FA?
Affiliate accounts are required to enroll in 2FA just like traditional user accounts.
Duo provides offline authentication options for times when you don't have cell service or when using 2FA could cause you to incur extra cellphone charges, such as when you are traveling internationally.
NOTE: In order to take advantage of the options below, you must first register your device(s) for use with your 2FA account (including, if applicable, downloading and installing the Duo Mobile App on your smartphone) before you begin your travel.
Duo Mobile App (Smartphones and Tablets)
You can request single-use passcodes directly from the Duo Mobile app, even when your mobile device is in airplane mode or doesn't have cell service. Simply open the app and tap the Passcode button. Depending on your device, this button may say Generate Passcode or Generate Token Code. It may also simply contain an image of a key. Enter the code provided in the Passcode field of the Duo verification screen.
A hardware token is a small device that displays a randomly-generated code that will act as your second factor when you authenticate. If you don't have, or don't want to use, any other authentication method, OIT will supply you with a free token. Click here to request a token. (Note that each campus member is entitled to one free token. If you lose or break your token, there will be a nominal charge.)
What if I receive an unexpected login alert?
If you receive a notification (a login alert on the Duo Mobile app, a phone call from the authentication system, or a passcode via text message) that you did not request, your UCMNetID may have been compromised.
Reject the login, select Yes on "Was this a suspicious login?", change your UCMNetID password as soon as possible via the Identity Management page, and email the Information Security team to report the problem.
Why did my Push notification expire?
Duo Push notifications expire after 60 seconds. If you aren't able to approve the Push notification on your phone in that time period, just send yourself another Push!
The service will "hold" your authentication attempt until you either approve or deny the request on your phone app. You can also hit "cancel" on your computer screen to have Duo send you a different type of authentication request.
Do I need to have a smartphone to use Duo?
No. We recommend that users who have a smartphone use it, since it is the easiest device to use with Duo. However, you can also use a (non-smart) cell phone, a landline (such as your office or home phone), a tablet, or your own U2F token. Additionally, hardware tokens are available to users who have no other means by which to authenticate.
What if I don't want to use my personal phone?
You don't need a smartphone to use UC Merced's Duo 2-Factor Authentication. While a smartphone is convenient, you can use your office phone (see Enrolling a VoIP or Landline phone), a tablet, or hardware token. Click here to request a token.
What if I forget my smartphone at home?
We encourage users to set up multiple authentication methods with Duo. That way when one method is unavailable, you have others to choose from.
If you have no backup authentication methods available to you, contact the OIT Service Desk at 209-228-HELP.
What if I lose my registered mobile device?
If you lose your phone or tablet and have an alternate device enrolled which you can use to authenticate, you should remove the lost device in manage devices, available whenever you need to authenticate. You may also contact the OIT Service Desk at 209-228-HELP to disable the 2FA account connected to your missing device.
How much data does a Duo Push use?
Almost none. 500 pushes to your device will use 1 MB of data—roughly the equivalent of loading a single webpage on your smartphone.
What if I don’t have a Wi-Fi connection or cellular reception?
No problem. Tap the icon in the Duo app to generate an authentication passcode. You do not need an internet connection or a cellular signal to generate these passcodes.
What if I get a new phone, but am keeping the same phone number?
You will need to add your new phone to Duo, and assign it the same phone number. Follow the steps in manage devices.
What if I lose my phone?
Remove your phone from your Duo Devices in manage devices (available whenever you need to authenticate). Click "edit" next to the device in question and choose Delete this Device to remove it from your Duo profile.
What if I stop receiving push notifications on Duo mobile?
You may have trouble receiving push requests if there are network issues between your phone and the Duo service. If a reliable internet connection is available, switching the phone to airplane mode and back to normal operating mode often resolves these sorts of issues. You can also turn off the WiFi connection on your device and use the cellular data connection instead.
A token is a small device that displays a randomly-generated code that will act as your second factor when you authenticate. If you don't have, or don't want to use, any other authentication method, OIT will supply you with a free token. (Note that each campus member is entitled to one free token. If you lose or break your token, there will be a nominal charge.)
I have a YubiKey. Can I use it with our 2-Factor Authentication service?
Yes! Visit manage devices to learn how to register a U2F key with Duo, and you'll be able to use it like any other 2nd factor.
What do I do with my Duo token when I no longer work or study at the University?
Please return it to the OIT Service Desk.
Does Duo see my UCMNetID and password?
No. The University Single Sign-On page verifies your UCMNetID and password with its internal systems, and never sends it to Duo. Duo's service provides only the second factor—the “something you have.” Duo stores very little information—just enough to do its job.
Is my mobile number safe when I use it for 2-Factor Authentication?
Yes. The number is stored securely and used only by the Duo software, when needed, to help log you in.
Does installing the Duo Mobile app give up control of my phone?
No. The Duo app has no access to change settings on your phone. The Duo app cannot read your emails, it cannot see your browser history, and it requires your permission to send you notifications. Lastly, the Duo app cannot remotely wipe your phone.
The Duo app requires visibility into your device only to verify its security, such as OS version, device encryption status, screen lock, etc. Duo uses this to help recommend security improvements to your device, and you are always in control of whether or not you take action on these recommendations.
Why does the Duo app need to access my camera?
The Duo app only accesses your camera when scanning a QR code during activation.
Access Denied (National Security Impacts on 2FA)
Why am I seeing the message “Access denied. Duo Security does not provide services in your current location” when I try to authenticate?
As of May 2022, Duo does not provide services in countries or regions subject to economic and trade sanctions enforced by the US Office of Foreign Assets Control. Due to University security requirements, there are currently no recommended alternatives or workarounds to access UC Merced resources from these regions.
Please see this page for more information.