About Multi-factor Authentication

In addition to your password, multi-factor authentication provides a second layer of security by sending an approval request to a pre-approved device.  By requiring two different modes of authentication UC Santa Barbara can protect user logins from remote hacks or phishing attacks that may exploit stolen user names and passwords. 

Two modes of authentication include:

Something you know: A unique username and password

Something you have: A smartphone with an app to approve authentication requests

To improve our security posture, UC Santa Barbara Enterprise Technology Services (ETS) incorporates Duo Security as a multi-factor authentication solution. Once enrolled in Duo, you can log in using your UC Santa Barbara information and as a second step, reconfirm your identity using a second device – a mobile phone, a non-smart cellphone, a landline, or at your department's direction, a hard token. 

Current Integrations

As of May 2020, we will begin to integrate MFA with Duo for privileged accounts (see Updates below). 

Updates

MFA with Duo Help

Contact the IT Service Catalog at (805) 893-5000 (x5000) or visit ithelp.ucsb.edu.

 

Enroll Now

Benefits of MFA with Duo

  1. MFA with Duo protects your account and your data. To gain access to your account, an attacker would need your passphrase as well as the physical device you use for MFA with Duo. If all the attackers have is your password, they can’t access the account. If they somehow obtain your token or smartphone, they would still need your passphrase. In other words, one factor can fail, and the other will still protect you. (At UC Santa Barbara, the two primary authentication methods for many applications and websites are CAS and Shibboleth. They require your login and Kerberos passphrase, and provide the first level of sign-in authentication.)

  2. Duo protects UC Santa Barbara. Duo will provide better security for UC Santa Barbara data assets, including accounts, applications and websites.

  3. Duo offers flexibility. There are choices in how you can use Duo. You can receive the second password via a free mobile app on your mobile phone, a hard token (a small device that typically resembles an electronic key or flash drive), via a phone call or text.

  4. Duo is a simple solution. Duo offers simple integration with other services and an easy interface.

MFA with Duo Frequently Asked Questions

We recommend registering multiple devices in Duo because this will provide a backup method of authenticating with Duo when your primary method is not available.

For example, in addition to registering your smartphone in Duo, you may also wish to register your landline. Then if you don’t have your phone with you, you can still authenticate with Duo using your landline. 

If you have multiple devices registered in Duo, only the device that you select as your "Default Device" will receive the Duo prompt. You will not receive Duo prompts from every device each time you authenticate.

To enroll a secondary device:

  1. Go to the Duo Identity Management page
  2. Select the Duo Multifactor Authentication module
  3. Authenticate with Duo
  4. Select +Add another device

enroll second device with Duo

  1. Add a secondary device
    1. Smartphone - start with step 1e
    2. Non-smart cellphone - start with step 1e
    3. Landline - start with step 1e
    4. Hard Token
  2. Ensure that your preferred primary Duo device is set as your "Default Device."

 add another device MFA Duo

7. Click End Session.

To keep the campus safe, Duo will be required for all users at UC Santa Barbara. 

If you have a business reason that prevents you from using Duo, you can file a cyber-safety exception request (is this true for UCSB?)

Contact the IT Service Desk at x5000 immediately if your mobile device is lost or stolen, so they can lock your account until you get a new mobile device.

When you have a new device and you are ready to enroll it in Duo, contact IT Services.

Overview

Follow the instructions on the Getting Started with MFA with Duo webpage or the instructions below if you have one of your currently Duo enrolled devices with you, such as your old smartphone, or if your new smartphone has the same phone number as your old smartphone.

If you do not have one of your currently enrolled devices with you, you may have problems completing these instructions. If so, contact the IT Services Catalog Express at x5000 or ithelp.ucsb.edu, and they will remove your previous device. Then enroll your new smartphone in Duo.

NOTE: You will need your Apple App Store or Android Play Store password to complete Step 2.

STEP 1: Begin Duo Enrollment from Your Computer

Note: These steps must be completed on a laptop or desktop computer.

a) Open a web browser to the Duo Identity Management page.

b) Log in to SSO.

c) Log into Duo. If your new smartphone has the same phone number as your old smartphone, you may select the Call Me option, or the Enter a Passcode -> Text me new codes option to use the new smartphone to log in.

e) Your browser will now show the Duo device management screen. Select Device Options next to the Smartphone you wish to re-register in Duo.

Duo device options

f) Select Reactivate Duo Mobile.

g) Enter the type of mobile phone you are enrolling (iOS, Android, etc.), and then click Continue.

phone type selection

STEP 2: Install the Duo Mobile App on Your Smartphone

a) Go to the App Store or Play Store on your smartphone.

b) Search for Duo Mobile.

c) Install the app on your smartphone. There is no fee to install the app. 

NOTE: You will need your App Store or Play Store password to complete installation

STEP 3: Complete Enrollment Using Your Computer and Your Smartphone

a) After completing the installation of the app on the smartphone, click I have Duo Mobile installed.

I have Duo Mobile installed selection

b) The Activate Duo Mobile screen displays. With the Activate Duo Mobile screen displaying on the computer, open the Duo Mobile app on the smartphone.

Duo QR code activation

c) Click the plus sign (+) in the upper right corner of the phone screen.

 

d) From the Duo Mobile app, scan the barcode with your phone that displays in the Activate Duo Mobile computer screen.

e) A green checkmark displays on the computer screen. Click Continue.

 green checkmark QR code activation

If you have a secondary device enrolled with Duo

If you have registered a second device in Duo, such as a landline, you can select your backup method from the list of Duo options, and authenticate that way.

If you have not set up a secondary device

If you are being prompted to authenticate with Duo and only have a smartphone enrolled in Duo, you will need to call for support.

We will be able to help you log in if you can be verified another way. We may also be able to set up a second device for you (landline, hard token, or another smart device) so you can avoid this problem in the future.

Contact the IT Services Catalog at x5000 or submit a ticket at ithelp.ucsb.edu

 

The mobile “Send me a Push” function uses the phone's internet or cell connection, whichever is available. If you are on campus, you can connect to Eduroam for WiFi, so Duo will not use your cell connection.

If you are not on Wifi, Duo pushes consume a tiny amount of data. Each push consumes less than 2KB of data, which means it would take 500 authentications a month to reach 1MB of consumption. To learn more, read How Much Data Does a Duo Push Request Use? on the Duo website.

The "Enter a Passcode" function does not consume any data. If data consumption is a concern, we recommend using the passcode feature.

If you accidentally deny the Duo push on your smartphone, you will be asked why you denied the request.

If you accidentally denied the request, select “It was a mistake.” 

If you accidentally pressed deny, and then also pressed "It seems fraudulent," contact the IT Services Catalog at x5000.

Contact the IT Services Service Desk at x5000 or submit a ticket via the IT Services Catalog immediately if your hard token is lost or stolen so they can lock the hard token until you get a new one. To enroll the new hard token, contact the IT Services Desk.

Within 6 Months of Purchase

If you are having a problem with a Duo token (no longer generating a passcode, with either a corrupt or blank display) within the six-month warranty period, you will need to contact Duo directly for replacement under the warranty.

Required information: Serial Number (located on the back of the token), Shipping Address for return
Phone: (866) 760-4247
Email: support@duosecurity.com

The replacement token will be shipped directly to the customer that requested the replacement. Once the new token has been received, contact the IT Services Catalog at x5000 to add it to your Duo account.

More than 6 Months Since Purchase

If your hard token stops working after the six-month warranty period, you will need to purchase a new one. Use these instructions to purchase a new token.

Tokens that no longer work are e-waste.

Yes. If a department has a spare Duo hard token, IT Services can assign it to a different user.

The Duo prompt displays incorrectly. Part of the Duo prompt is greyed out.

Steps to reproduce

On an iPhone or iPad, going to a website that required Duo authentication.

More information

Follow the instructions on the Duo website, titled "How do I resolve Duo Prompt display issues related to iOS content restrictions?"  

Note that the instructions differ for iOS 12 and iOS 11 and older.

Yes, even if you use Duo somewhere else, you will still need to enroll in Duo at UC Santa Barbara. See our Getting Started with Duo article for instructions.

If you have set Duo to automatically send you a push or call you when you log in, the checkbox to have Duo remember you will be greyed out, and you won't be able to select it. Follow the instructions below to change a setting to allow you to check that box.

  1. Go to the Duo Identity Management page
  2. Select Duo Multifactor Authentication
  3. Authenticate with Duo
  4. In the When I log in field, select "Ask me to choose an authentication method"
     
    ask me to choose authentication method
     
  5. Click Save
  6. The next time you authenticate with Duo, you will be able to check the Remember Me box

If you'd like Duo to automatically send a push, you can go back into (INSERT LINK HERE) and set it back to Automatically send this device a push.

Note: The Duo Authentication Remember Me option is tied to the cookies in the web browser. If Duo's Remember Me settings are not working, verify that your web browser has cookies enabled and that the browser is not set to delete the cookies after closing the web browser. To learn how to enable cookies on your browser, visit this website, and follow the instructions for your browser.

The Duo mobile app does collect information from your device when you attempt to authenticate using that device. The data that is collected is not user identifying, and is not used to track what you are doing.

Duo collects two types of information from you.

The first type is used to provide information about your authentication attempts, such as your hardware model, operating system, unique user and device identifiers, connection information and IP address. The transmission of this information cannot be disabled.

The second type of information that the Duo Mobile app collects is analytical data such as how you use the Duo Mobile app, the screens you use within Duo Mobile, and the actions you perform. You can disable the collection of your Duo usage data. To do this, open the Duo Mobile app, go to Settings and turn off Send usage data.

For more information, read Duo's Privacy notice and this article from Duo's knowledge base.