Two-Step Login FAQ
Last Updated: November 4, 2022 4:33:28 PM PDT
Give feedback
Expand section What, Why and How
What is two-step login?
Two-step login is an added layer of protection when logging into websites and apps. The procedure is also known as multifactor authentication (MFA) or two-factor authentication (2FA).
You're likely already familiar with two-step login procedures. Anytime you're required to enter an additional passcode sent via text message, email or phone call is an example of two-step login.
In short, going forward, two steps will be required to log in:
- Enter username and password like normal
- Verify identity via a smartphone app, phone call or passcode
Why do we need two-step login?
Requiring two-step login is the single most important measure we can take to protect university networks and accounts from hackers. Login credentials are more valuable than ever and are increasingly easy to compromise. Credentials can be stolen, guessed, or hacked — you might not even know when someone is using your account to access sensitive services and data. A two-step login process provides an added layer of security to your login. The goal is to prevent anyone but you from accessing your account, even if they know your username and password.
What systems will use two-step login?
We're deploying two-step login to VPN access and single sign-on (see images below). It’s important that we provide extra layers of security into remote university connections (VPN) and financial and other systems with sensitive information accessed via single sign-on. Other systems may be added in the future.
Learn more about two-step login and:
Is two-step login required?
As of January 30, 2019, two-step login became required for faculty, staff and UC San Diego Health personnel use of following systems: campus VPN connections and single sign-on. Other systems will be added at future dates.
Student use was required starting October 16, 2019.
How will two-step login work?
You have options! The easiest way is to install a free app on your personal or university-issued smartphone. When you enter your username and password, the app will generate a push notification. Tap the green check mark and you’re in!
If you're not inclined to use the smartphone app method, you can
- Use the app on a tablet (iPad or Android)
- Authenticate via a phone call to a landline or mobile phone
- Use a token (contact the Service Desk at servicedesk@ucsd.edu or 858-246-4357 to request one)
- Enter a passcode via text message
What is Duo?
Duo Security is the vendor that UC San Diego will use to provide our two-step login functionality. Duo is also the two-step login vendor in use at UC San Diego Health, UCLA, UC Berkeley, Indiana University and other major universities.
Do I have to do two-step login every time I log in?
For VPN connections, you'll need to complete two-step login each time you connect.
For other applications, you can tell Duo to remember your machine for seven days. Therefore, you'll only need to complete the two-step process once a week. Note that the remember feature applies per machine. For example, if you choose remember me on your work computer, but log in later on your home computer, you'll still have to complete the two-step login procedure. This is not recommended for public or shared computers.
How do I start using two-step login?
Registering a device takes less than two minutes and is a DIY process. Do so at the registration portal (https://duo.ucsd.edu).
Detailed instructions are available; access this step-by-step enrollment guide (Support Portal) for help.
If you need further assistance, contact the Service Desk (servicedesk@ucsd.edu or 858-246-4357).
What happens if the Duo system is down or not working properly?
In most instances, Duo has been designed to “fail open.” If Duo is down, you'll log in directly with your username and password without two-step login. Some applications that access highly sensitive information may operate differently. Please contact your systems administrator for more information.
What if I'm traveling or working in a place with no cell connection or wifi, or an unreliable wifi connection?
You have options!
- The Duo app automatically displays a passcode that can be used even without an Internet connection. See image below.
- If you're not taking your mobile device, or don't normally use your mobile device for authentication, you can text yourself a batch of 10 single-use codes (Support Portal) (that don't have to be used in order).
- Request a token (see image below) from the Service Desk at servicedesk@ucsd.edu or 858-246-4357.
- If none of the above options meet your needs, contact the Service Desk.
What should I do if I receive a verification request I didn't request?
- Tap "Deny" (if using the smartphone app) or don't enter the access code if using another method.
- Contact the Service Desk at servicedesk@ucsd.edu or 858-246-4357 immediately.
Does the two-step login process meet accessibility standards?
Yes. Both the UC San Diego and Duo Security interfaces meet accessibility standards. For more information about UC San Diego’s interfaces, contact the Service Desk at servicedesk@ucsd.edu or 858-246-4357. Read the Duo Security accessibility information.
Can I use two-step login in a classroom without cellular or wireless service?
The Duo app can generate login codes even without Internet access.
What if I already use Duo at another institution?
You won't need to download the app a second time, but you will need to add UC San Diego to your account. Follow the UC San Diego enrollment process as described (excluding the step of downloading the app).
Why isn't the "remember me for 7 days" option appearing for me?
It may be the case that your browser is blocking third-party cookies. The "remember me" option only works if an exception is made in the browser's security settings for third-party cookies coming from Duo Security.
Duo's cookies are only used to remember a Remembered Device. The cookies and associated data are never used for advertising or marketing purposes.
To add an exception for Duo-served cookies, use the following format, depending on which browser you're using:
- Internet Explorer: *.duosecurity.com
- Firefox: https://duosecurity.com
- Chrome and Opera: [*.]duosecurity.com
Note that Safari does not allow setting exceptions for third-party cookies.
What causes me to be locked out of Duo, and how do I restore access?
A lockout occurs after 10 consecutive failed login attempts. Common causes include:
- Not responding to the authentication attempts - for example, no authenticating via the push message or phone call
- Actively denying the login attempt
- Entering incorrect passcodes
Your account will auto-unlock after 60 minutes. You can also contact the Service Desk for immediate resolution:
- Submit a ticket online at support.ucsd.edu
- Email servicedesk@ucsd.edu
- Call 858-246-4357 (7 a.m. - 7 p.m. Monday - Friday. For after hours service, choose option #3 on the phone greeting)
- Visit walk up desk at AP&M building, room 1313 (8 a.m. - 4:30 p.m. Monday - Friday)
Expand section Devices
Do I have to use or buy a smartphone or cell phone to enroll?
Using push notifications via the Duo app on a smartphone is the easiest way to complete the two-step login process. Other options include:
- Receiving a phone call on a cell phone or landline
- Receiving push notifications via a tablet
- Using a token (contact the Service Desk at servicedesk@ucsd.edu or 858-246-4357 to request one)
What should I do if the passcode generated by my token is not accepted?
First, simply trying re-typing the passcode, as you may have inadvertently entered it incorrectly.
If the passcode is still not accepted, it may be the case that your token has fallen out of sync with Duo. To re-sync:
- Initiate a login attempt like normal and enter a passcode (which will fail).
- Generate a new passcode. To do this, wait for the bars next to the passcode to run out and the token screen to shut off. You’ll then have to depress the gold power button/icon on the token to view a new passcode.
- Enter the passcode and wait for it to fail.
- Enter a passcode (and fail) three times. The fourth entry should be accepted.
- If the token is still not working, contact the Service Desk.
Tokens sometimes become unsynced if too many passcodes are cycled through without being used. This could happen if the token is continually and inadvertently turned on and off while in your pocket, bag or elsewhere.
What is a token and how do I get one?
A token is a small device that displays a passcode that can be entered as the second step. A token is a good alternative for those not using phones for authentication or those who frequently access systems in locations without wifi or cell service. The token is small and many people affix to their keychain to ensure it's always close at hand.
Request a token from the Service Desk at servicedesk@ucsd.edu or 858-246-4357. Please provide your name, department, mailcode and a brief statement outlining why you're requesting a token.Where can I get help if I'm having trouble with push notifications?
Check out the links below for help with Android or Apple, respectively, if push notifications aren't coming through when expected and/or you're having trouble authenticating.
Will the Duo app work on older phones?
It's not about the phone, it's about the operating system you're on.
- For Apple devices, you'll need to be using iOS 12.0 or newer.
- For Android devices, you'll need to be using Android 8.0 or newer.
Beginning February 1, 2021, devices running iOS 11 or Android 7 or older will no longer be able to install Duo Mobile from the Apple App Store or the Google Play Store. Users who have already downloaded the app on iOS 11 or Android 7 or older devices will continue to be able to authenticate using the app.
If you don't want to, or can't, update your operating system, that's cool. There are other options, including requesting a token from the Service Desk at servicedesk@ucsd.edu or 858-246-4357.
How much space does the Duo app take up on my phone?
The Duo app requires very little space:
- iOS, 10.6 MB
- Android, 30 MB
Can I use a U2F device?
By all means! Learn more about how universal 2nd Factor (U2F) devices are compatible with Duo; learn more here
Note that the university doesn't provide U2F devices, but feel free to use your own.
Does the cellphone app use mobile data?
Duo Push authentication requests require a minimal amount of mobile data – less than 2 KB per authentication. This amount of data usage falls well within a "typical" push notification. While concerns regarding data usage are certainly understandable, the bandwidth consumed by Duo Mobile for many authentication requests every day would have an overall negligible effect on mobile data use.
What do I do when I upgrade my phone?
If it has the same number as your old device, you'll need to reactivate it. If you're also getting a new number, then delete the old one from Duo and add the new one as an additional device. Instructions for both here.
Can I register an international phone number?
Yes. When registering a landline or mobile phone, you'll see a dropdown menu with a comprehensive list of countries. Additionally, the country code prefix will automatically change.
Note, however, that entering the auto-generated passcode within the smartphone app is a simpler and more reliable method of completing the two-step login process.
On a university-issued iPhone, how can I install Duo without having to set up a method of payment?
Apple has a help center article that goes over how to sign up for an AppleID without setting up a payment method here: https://support.apple.com/en-us/HT204316.
Step 6 covers the step to skip adding in any payment information, including what to do if the “none” option does not appear for you.
Why do I have to register my device if I already registered via UC San Diego Health?
UC San Diego Health personnel use a version of Duo and two-step login that applies to their systems and connections. For a variety of technical and compliance related reasons, they are not related.
Therefore, Health personnel using campus VPN or single sign-on will have to register their devices through the steps described herein. You will not have to install the Duo app a second time. Both registrations will display side by side (see image below). Finally, when logging in, you won't have to decide which to choose - Duo will do that automatically.
What if my preferred device isn't available?
Simply cancel the login attempt via the interface on your computer screen. You'll then be prompted to select an alternate verification method.
What do I do if I forget my mobile device or it’s out of power?
You have options!
- Set your office landline as a backup authentication method. Note you'll need to set this option in advance of ever needing to use it.
- From the Duo app, you can generate 10 one-time use codes. Consider generating the codes, copying them down and securing in a locked drawer for use if needed.
- If all else fails, contact the Service Desk at servicedesk@ucsd.edu or 858-246-4357 for a bypass code.
What happens if I lose my device?
If you lose your phone or tablet, you should remove it from your list of enrolled devices as soon as possible using the Duo self-service portal; here are instructions. You may also contact the Service Desk at servicedesk@ucsd.edu or 858-246-4357 to disable the authentication device that's gone missing.
Can I register multiple devices?
When you enroll, you can select multiple methods of two-step login and manage them within the Duo self-service portal (the screen that appears during the login process). It is recommended to register multiple devices in case one device isn't available for any reason.
T-Mobile is my service, and I’m having trouble receiving text messages and phone calls from Duo. What can I do?
For text message issues, read this information from T-Mobile.
For call issues, read this information from Duo.
Does Duo phone callback authentication work with Chinese +86 numbers?
Yes. An earlier issue with authentication calls to Chinese numbers (+86 country code) has been resolved. Read more on the Duo web site about phone calls to Chinese numbers.
Expand section Privacy
Does UC San Diego sell or otherwise use any data it collects about me while using Duo?
Our contractual agreements with vendors expressly ensure our data is protected. UC San Diego would never license this data for sale by a third party or for general use by a third party. The contract we have in place with Duo was negotiated by Internet2, a member-driven advanced technology community consisting of leading higher education institutions. Member institutions have the same privacy and security concerns as we do, and their expertise and input was contributed to the contract’s negotiation as well as product review.
As is necessary to detect and investigate compromised accounts, UC San Diego retains authentication logs. Access is highly restricted and governed by University of California policy – even during formal investigations. In fact, UC San Diego limits the collection and restricts the use of data far more aggressively than commercial providers.
What information does Duo collect from my device?
Duo collects profile, device, connection and network information required for authentication and usability analytics (that can be disabled). The Duo app does not have access to personal information such as location, contacts, email, photos or other content on a device. Our agreement with Duo also includes safeguards to protect data use, sharing, confidentiality and privacy. Read the Duo privacy notice and the information Duo collects.
How can I keep my browsing private and safe from third-party cookies tracking me, while still not having to complete two-step each time I log in?
The instructions for whitelisting Duo's cookies in Chrome explain how to protect privacy while browsing but also use the "Remember me for 7 days feature."
You'll want to go to the section called "Change your cookie settings," then the section called "Allow or block cookies for a specific site." Follow the instructions; eventually, you'll want to "Allow" Duo. When prompted, type [*.]duosecurity.com
If you still have questions, contact the Service Desk at servicedesk@ucsd.edu or 858-246-4357.