What is 2-Factor Authentication, and why is it safer than my UCMNetID password alone?
Duo adds a second layer of security to our sign-on process that greatly decreases the risks posed by phishing, social engineering, password brute-force attacks, and attackers exploiting weak or stolen credentials.
The two factors in 2-Factor Authentication are your password (something you know), and a device of your choosing (something you have).
With two-factor authentication, even if someone manages to get your password and tries to log in, Duo will notify you and you can deny them access to your account.
Why are we using Duo as our vendor for Two-Factor Authentication?
All University of California campuses and health centers have selected Duo—the de facto industry standard for Two-Factor Authentication in higher education—as their vendor for 2FA.
Which applications require 2-factor authentication?
Most campus applications that access sensitive data (UC Path, Office 365 webmail, Box, etc.) are protected by 2FA now. All single-sign on protected applications will be updated to require 2FA in the coming months.
How often will I have to authenticate via 2FA?
This varies depending on the settings of the specific application and your usage pattern.
Most users accessing applications from the same device and browser will see a handful of 2FA requests per day. Alternatively, users can select the "remember me for 12 hours" box from the authentication screen, which will suppress 2FA prompts from the same device/browser for 12 hours.
Can I register multiple devices?
Yes! We encourage you to register as many devices as you have available during the initial enrollment process. You can register smartphones, tablets, and U2F devices. If you need to register another device once you have completed the initial enrollment process, you may do so from the UC Merced Identity Management page (you will need to log in first).
OIT recommends that you register at least two devices, for example both your smartphone and a tablet, or a smartphone and your office phone. In the event that you lose one device, you will still be able to access protected systems using your secondary device.
I am a delegate for another individual in Office 365 / Outlook. How does 2FA impact this arrangement?
Mailbox delegation is a separate process and is not impacted by 2FA. No change in permissions or behavior will result from the implementation of 2FA.
Are service accounts required to enroll in 2FA?
Service accounts will be required to enroll in 2FA on a case-by-case basis (if your account is required to enroll, OIT will email you specifically about this change). It is a good idea to do so, as shared accounts are even more susceptible to compromise than traditional accounts.
OIT can help you manage authentication on your service account in a number of ways, including registering authentication devices for each authorized user and providing hardware tokens through which users can authenticate.
Are affiliate accounts required to enroll in 2FA?
Affiliate accounts are required to enroll in 2FA just like traditional user accounts.
Duo provides offline authentication options for times when you don't have cell service or when using 2FA could cause you to incur extra cellphone charges, such as when you are traveling internationally.
NOTE: In order to take advantage of the options below, you must first register your device(s) for use with your 2FA account (including, if applicable, downloading and installing the Duo Mobile App on your smartphone) before you begin your travel.
Duo Mobile App (Smartphones and Tablets)
You can request single-use passcodes directly from the Duo Mobile app, even when your mobile device is in airplane mode or doesn't have cell service. Simply open the app and tap the Passcode button. Depending on your device, this button may say Generate Passcode or Generate Token Code. It may also simply contain an image of a key. Enter the code provided in the Passcode field of the Duo verification screen.
Text Message/Backup Codes
If you do not have the Duo Mobile App installed on a mobile device, you can request a batch of passcodes to be sent via text message to your cellphone before you depart for your travel. (See these instructions for how to generate a set of 10 backup codes). You will receive ten single-use codes via text message, which will allow you to authenticate up to ten times during your travel. You will need to request the passcodes before you leave, or while in an area with cell service, as you will need a cell connection to receive the text message on your phone. You may request additional batches of passcodes while in areas with cell service (your carrier’s roaming or international texting rates will apply). Requesting a new batch of passcodes will invalidate any unused codes from the previous batch.
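The batch behaviour described above (ten single-use codes, a new batch invalidating the unused codes of the previous one) is easiest to understand from the server's side. The following is an added illustration, not Duo's own code or the University's, of how a service can keep such a batch: it stores only salted hashes of the codes, consumes each code once, replaces the whole batch on re-issue, and locks redemption after a handful of failed guesses because short numeric codes have little entropy. The class name, batch size, code length and lockout threshold are assumptions chosen for the example.

```python
import hashlib
import secrets

DIGITS = "0123456789"


class BackupCodeStore:
    """Server-side record of one user's current batch of single-use backup codes.

    Assumed design for illustration: the plaintext codes exist only at issue time
    (they would be sent to the user's phone by SMS); the server keeps salted hashes.
    """

    def __init__(self, batch_size: int = 10, code_len: int = 7, max_failures: int = 5):
        self.batch_size = batch_size
        self.code_len = code_len
        self.max_failures = max_failures
        self._salt = secrets.token_bytes(16)   # per-user salt, regenerated per batch
        self._hashes: set[bytes] = set()       # hashes of codes not yet used
        self._failures = 0                     # wrong guesses since the batch was issued

    def _hash(self, code: str) -> bytes:
        return hashlib.sha256(self._salt + code.encode("ascii")).digest()

    def issue_batch(self) -> list[str]:
        """Create a fresh batch. Any unused codes from the previous batch are discarded."""
        self._salt = secrets.token_bytes(16)
        codes = [
            "".join(secrets.choice(DIGITS) for _ in range(self.code_len))
            for _ in range(self.batch_size)
        ]
        self._hashes = {self._hash(c) for c in codes}
        self._failures = 0
        return codes  # deliver to the user out of band; do not persist plaintext

    def redeem(self, code: str) -> bool:
        """Accept a code exactly once; reject everything once the failure limit is hit."""
        if self._failures >= self.max_failures:
            return False  # locked until a new batch is issued
        h = self._hash(code)
        if h in self._hashes:
            self._hashes.remove(h)  # single use: the same code cannot be replayed
            return True
        self._failures += 1
        return False

    def remaining(self) -> int:
        return len(self._hashes)


def walkthrough() -> dict:
    """Exercise the store the way the FAQ describes and return what happened."""
    store = BackupCodeStore()
    first = store.issue_batch()
    used_once = store.redeem(first[0])
    replayed = store.redeem(first[0])
    left_after_one = store.remaining()
    second = store.issue_batch()            # replaces the batch: first[...] is now dead
    old_code_after_reissue = store.redeem(first[1])
    new_code_works = store.redeem(second[3])
    return {
        "batch_size": len(first),
        "used_once": used_once,
        "replayed": replayed,
        "left_after_one": left_after_one,
        "old_code_after_reissue": old_code_after_reissue,
        "new_code_works": new_code_works,
    }


if __name__ == "__main__":
    print(walkthrough())
```

The lockout counter is the important defensive detail: a 7-digit code space is small enough that, without a limit on attempts, an attacker who already holds the password could try to guess a code online.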
A hardware token is a small device that displays a randomly-generated code that will act as your second factor when you authenticate. If you don't have, or don't want to use, any other authentication method, OIT will supply you with a free token. Click here to request a token. (Note that each campus member is entitled to one free token. If you lose or break your token, there will be a nominal charge.)
What if I receive an unexpected login alert?
If you receive a notification (a login alert on the Duo Mobile app, a phone call from the authentication system, or a batch of passcodes via text message) that you did not request, your UCMNetID may have been compromised.
Why did my Push notification expire?
Duo Push notifications expire after 60 seconds. If you aren't able to approve the Push notification on your phone in that time period, just send yourself another Push!
The service will "hold" your authentication attempt until you either approve or deny the request on your phone app. You can also hit "cancel" on your computer screen to have Duo send you a different type of authentication request.
Do I need to have a smartphone to use Duo?
No. We recommend that users who have a smartphone use it, since it is the easiest device to use with Duo. However, you can also use a (non-smart) cell phone, a landline (such as your office or home phone), a tablet, or your own U2F token. Additionally, hardware tokens are available to users who have no other means by which to authenticate.
What if I don't want to use my personal phone?
You don't need a smartphone to use UC Merced's Duo 2-Factor Authentication. While a smartphone is convenient, you can use your office phone (see Enrolling a VoIP or Landline phone), a tablet, or hardware token. Click here to request a token.
What if I forget my smartphone at home?
We encourage users to set up multiple authentication methods with Duo. That way when one method is unavailable, you have others to choose from.
We also recommend that you generate a set of backup codes and carry them in a safe place (for example, your wallet) as a last-ditch authentication method.
If you have no backup authentication methods available to you, contact the OIT Service Desk at 209-228-HELP.
What if I lose my registered mobile device?
If you lose your phone or tablet and have an alternate device enrolled which you can use to authenticate, you should remove the lost device from your list of enrolled devices using the Duo self-service portal as soon as possible. You may also contact the OIT Service Desk at 209-228-HELP to disable the 2FA account connected to your missing device.
How much data does a Duo Push use?
Almost none. 500 pushes to your device will use 1 MB of data—roughly the equivalent of loading a single webpage on your smartphone.
What if I don’t have a Wi-Fi connection or cellular reception?
No problem. Tap the icon in the Duo app to generate an authentication passcode. You do not need an internet connection or a cellular signal to generate these passcodes.
What if I get a new phone, but am keeping the same phone number?
You will need to add your new phone to Duo, and assign it the same phone number. Follow the steps in Duo: Enroll a Smartphone or Tablet to Use with the Duo Mobile App.
What if I lose my phone?
Remove your phone from your Duo Devices on the ID Management page (you will need to log in and authenticate first using another device or a backup method). Click "Device Options" next to the device in question and choose Delete this Device to remove it from your Duo profile.
What if I stop receiving push notifications on Duo mobile?
You may have trouble receiving push requests if there are network issues between your phone and the Duo service. Switching the phone to airplane mode and back to normal operating mode often resolves this sort of issue, provided a reliable internet connection is available. You can also turn off the Wi-Fi connection on your device and use the cellular data connection instead.
A token is a small device that displays a randomly-generated code that will act as your second factor when you authenticate. If you don't have, or don't want to use, any other authentication method, OIT will supply you with a free token. (Note that each campus member is entitled to one free token. If you lose or break your token, there will be a nominal charge.)
I have a YubiKey. Can I use it with our 2-Factor Authentication service?
Yes! Register it in Duo Device Management as a U2F token and you will be able to use it like any other 2nd factor.
What do I do with my Duo token when I no longer work or study at the University?
Please return it to the OIT Service Desk.
Does Duo see my UCMNetID and password?
No. The University Single Sign-On page verifies your UCMNetID and password with its internal systems and never sends them to Duo. Duo's service provides only the second factor—the “something you have.” Duo stores very little information—just enough to do its job.
Is my mobile number safe when I use it for 2-Factor Authentication?
Yes. The number is stored securely and used only by the Duo software, when needed, to help log you in.
Does installing the Duo Mobile app give up control of my phone?
No. The Duo app has no access to change settings on your phone. The Duo app cannot read your emails, it cannot see your browser history, and it requires your permission to send you notifications. Lastly, the Duo app cannot remotely wipe your phone.
The visibility the Duo app requires is to verify the security of your device, such as OS version, device encryption status, screen lock, etc. Duo uses this to recommend security improvements to your device, and you are always in control of whether or not you act on these recommendations.
Why does the Duo app need to access my camera?
The Duo app only accesses your camera when scanning a QR code during activation.