What is Duo MFA?
Duo MFA is a third-party application that the University of California, San Francisco is using for multi-factor authentication. Multi-factor authentication makes it much more difficult to gain unauthorized access to an account because, instead of requiring only one factor (something you know, such as your username and password), access also requires a second factor (something you have, such as your smartphone). The second factor ensures that, even if someone acquires your username and password through social engineering (such as phishing emails), the unauthorized person will be unable to gain access to your account because the second factor (you having possession of your smartphone) is also required, and is something they don't have. Thus, to increase security, certain users now need to log into the University's VPN with this additional security factor. Duo provides several options for how you can authenticate, including through a smartphone app, a SMS text message to your cell phone or an automated phone call to your phone number.
How Do I Enroll? Videos
Step 1 – Enroll
There is a self-service enrollment form, it will require your manager to approve your request via ServiceNow.
Use this form to request a DUO account.
Make sure to enroll at: https://ucsf.service-now.com/ess/duo2factor.do.
Step 2 – Download and install Duo App if using smartphone (This should be step one, link won’t work without Duo app installed on phone first)
Search for “Duo Mobile” in the App Store (iOS) or Google Play store (Android) or click on the appropriate link below from your smartphone:
- iPhone: http://itunes.apple.com/us/app/duo-mobile/id422663827
- Android: http://market.android.com/details?id=com.duosecurity.duomobile
- Windows Phone: http://windowsphone.com/s?appid=c4ccf0c8-afc6-4cb0-a66c-92febe084d81
- BlackBerry: http://appworld.blackberry.com/webstore/content/76023/
- BlackBerry 10: http://appworld.blackberry.com/webstore/content/28708895/
Step 2 – Click on link in email
The users will be prompted to enter a phone number – it is best to enter your smartphone number so that you can utilize the Duo app, but if you do not have one, a regular cell phone or even a landline phone can work. Note that you will need access to that phone line when you are trying to use Duo to authenticate into UCSF VPN or any other system that requires Duo authentication.
Step 3 – Activate Duo account (This option is only valid if a Duo Account Manager or the Service Desk manually enters the user phone number in the Duo Admin console and sends the activation link via SMS)
If using a smartphone, you will need to click on the link that Duo sends you via SMS. This will associate your phone with your Duo account.
Step 4 – Log into the VPN (either through the Pulse Security VPN Duo client or at remote.ucsf.edu)
To use the Pulse VPN Duo client:
Note: UCSF’s Cisco VPN solution was retired on August 31, 2015. It has been replaced with the Pulse Security VPN client. UCSF IT users received an email from the IT Service Desk on July 7, 2015 about this with instructions to download the Pulse Security VPN client.
- If the single-factor Pulse Security client is already installed, uninstall it from your workstation. While uninstalling the single factor Junos Pulse client, please be sure to also uninstall all Juniper network configurations from your workstations. The two-factor Junos Pulse client will not work unless all other configurations have been removed.
- Download and install two- factor Junos Pulse VPN client for your Windows or Mac workstation from http://software.ucsf.edu/applications/vpn.html
- Open the two-factor Junos Pulse VPN client from your workstation. Press ‘Connect.’ You will be prompted to enter your AD username and password. It will then prompt you to enter a secondary password – you will need to log into Duo on your phone or other device to get that code by pressing on the green key image. Once you enter that additional code, you will be authenticated fully through Duo and the new Junos Pulse VPN client.
To use remote.ucsf.edu VPN web portal:
- Go to remote.ucsf.edu
- You will be prompted to enter your AD username and password.
- You will then be directed to a Duo screen that will prompt you to select a verification method. Choose ‘passcode’ and then select ‘Send SMS passcodes.’
- Enter the passcode that you received on your’ phone via SMS into the passcode field on the browser screen. Press ‘Log In’. When you see your list of enrolled devices, press ‘Done.’ You are now fully authenticated through Duo.
New - Add VPN on your tablet
How do I use it once I’m enrolled?
When either using remote.ucsf.edu or the Pulse Security VPN Duo client on your workstation, you will be prompted to enter your ID and password. After that, if using remote.ucsf.edu, you will be directed to a Duo screen where you can select the method that Duo should use to authenticate you. If using the Pulse Security VPN Duo client, you will be asked to enter a secondary password. Enter "push" to send a push notification to your smartphone, or "sms1" to send a test message to your cell phone which you'll need to reply to via text to complete the authentication process. You can also obtain secondary passwords from the Pulse Security app on your smartphone and enter one of those values instead.
Via Pulse Security:
What if my phone number changes?
Your phone will need to be re-activated by a Duo administrator. Go to http://help.ucsf.edu and click on the "Report something that just isn't working right" link. Fill out the form reporting that your Duo registered phone number has changed and asking that your new number be registered with Duo.
What if I get a new smartphone?
Your new phone will need to be activated. If you have the same phone number on your new smartphone as you had on your old smartphone, you can activate your new smartphone yourself.
- Go to https://remote.ucsf.edu.
- Login with your Active Directory ID and password.
- Click on "Add a new device" on the left side of the Duo authentication prompt.
- You'll be asked to authenticate with an existing Duo method. Choose either "Call Me" or "Enter a Passcode". Duo's automated system will either call you if you picked "Call Me" or send you a text message if you picked "Enter a Passcode". If you're being called, follow the directions in the automated phone call to authenticate. If you're receiving a passcode, enter the passcode you received.
- Select "Mobile phone" for the new device type and click "Continue".
- Enter your phone number. When you've finished typing the number, a check box will appear below that says "...This phone number already exists and will be replaced." Click the check box to enable that option then click the "Continue" button.
- Select the type of smartphone you're using and click "Continue"
- Follow the Install Duo Mobile for iOS instructions that appear and click "I Have Duo Mobile Installed" to continue.
- Follow the Activate Duo Mobile for iOS instructions and click "Continue" once complete. Click the "Save" button. If the button says "Saved" then your settings have been saved.
- Click the "Back to Login" button if you wish to finish logging into the remote.ucsf.edu site, or simply close the web browser since your changes have been saved.
What if I have questions?
Contact the Service Desk at 415-514-4100.
Looking for a job aid on how to use VPN with Duo? Looking for more information on how to set up the Pulse Security VPN client?