MFA with Duo Frequently Asked Questions

 

UCSB IT staff and UCPath have identified an issue after users sign in with single sign-on (SSO). Users see an "oops" error screen and can not access the UCPath dashboard:

UCPath oops error screenshot

While the UCPath Center works to resolve this issue, users can open UCPath in a private or incognito browser window or click the "back" button to log in to UCPath again. 

Contact the IT Service Desk at (805) 893-5000 (x5000) or at ithelp.ucsb.edu immediately if your mobile device is lost or stolen, so they can lock your account until you get a new mobile device.

Use these instructions when you have a new device and you are ready to enroll it in Duo.

Overview

If you have one of your currently enrolled Duo devices with you, such as your old smartphone, or if your new smartphone has the same phone number as your previous smartphone, follow the Getting Started with MFA with Duo webpage or the instructions below. 

If you do not have one of your currently enrolled devices with you, you may have problems completing these instructions. If that is the case, contact the IT Services Catalog at x5000 or ithelp.ucsb.edu, and they will remove your previous device. Then, enroll your new smartphone in Duo.

NOTE: You will need your Apple App Store or Android Play Store password to complete Step 2.

STEP 1: Begin Duo Enrollment from Your Computer

Note: These steps must be completed on a laptop or desktop computer.

a) Open a web browser to the Duo Identity Management page.

b) Log in to SSO.

c) Log into Duo. If your new smartphone has the same phone number as your old smartphone, you may select the "Enter a Passcode," then "Text me new codes" option to use the new smartphone to log in.

e) Your browser will now show the Duo device management screen. Select Device Options next to the smartphone you wish to re-register in Duo.

Duo device options

f) Select Reactivate Duo Mobile.

g) Enter the type of mobile phone you are enrolling (iOS, Android, etc.), and then click Continue.

phone type selection

STEP 2: Install the Duo Mobile App on Your Smartphone

a) Go to the App Store or Play Store on your smartphone.

b) Search for Duo Mobile.

c) Install the app on your smartphone. There is no fee to install the app. 

NOTE: You will need your App Store or Play Store password to complete the installation.

STEP 3:  Complete Enrollment Using Your Computer and Your Mobile Phone

a) After completing the installation of the app on the mobile phone, on your computer, click “I Have Duo Mobile Installed.”

Duo Mobile app installed selection

b) The activate Duo Mobile screen displays. With the activate Duo Mobile screen displayed on the computer, open the Duo Mobile app on the mobile phone.

Duo mobile screen

c) Click the plus sign (+) in the upper right corner of the phone screen.

plus sign on Duo app

d) From the Duo Mobile app, scan the QR code displayed on the activate Duo Mobile computer screen.

Duo QR code

e) A green checkmark displays on the computer screen. Click “Continue.”

green check mark Duo QR code

f) A "Login request" notification from Duo Mobile arrives on your phone. When you open the app, it will display the "Approve" and "Deny" buttons. Select "Approve." If you accidentally click "Deny," you can choose the "It was a mistake" option. 

 Duo Mobile app push login

STEP 4: Select Duo Authentication Method on the Computer  

a) The enrollment successful screen will display. Click “Dismiss.”

Duo enrollment successful

b) Verify that your phone number is correct, and select an authentication option for “When I Log In.” 

choose authentication method

c) Click "Save." The recommended setting is "Automatically send this device a Duo Push." You are now enrolled in Duo! 

For the latest reference, see https://guide.duo.com/.

If you have a secondary device enrolled with Duo

If you have registered a second device in Duo, you can select your backup method from the list of Duo options, and authenticate that way.

If you have not set up a secondary device

If you are being prompted to authenticate with Duo and only have a smartphone enrolled in Duo, you will need to request support.

We can help you log in if you can be verified another way. We may also be able to set up a second device for you (hard token or another smart device) so you can avoid this problem in the future.

Contact the IT Services Desk at (805) 893-5000 (x5000) or submit a ticket at ithelp.ucsb.edu.

The mobile “Send me a Push” function uses the phone's internet or cell connection, whichever is available. If you are on campus, you can connect to Eduroam for WiFi, so Duo will not use your cell connection.

If you are not on Wifi, Duo pushes consume a tiny amount of data. Each push consumes less than 2KB of data, which means it would take 500 authentications a month to reach 1MB of consumption. To learn more, read How Much Data Does a Duo Push Request Use? on the Duo website.

The "Enter a Passcode" function does not consume any data. If data consumption is a concern, we recommend using the passcode feature.

If you accidentally deny the Duo push on your smartphone, you will be asked why you denied the request.

If you accidentally denied the request, select “It was a mistake.” 

If you accidentally pressed deny, and then also pressed "It seems fraudulent," contact the IT Services Desk at (805) 893-5000 (x5000).

Contact the IT Services Service Desk at (805) 893-5000 (x5000) or submit a ticket via the IT Services Catalog immediately under End User Services, then, Accounts & Access if your hard token is lost or stolen so they can lock the hard token until you get a new one. To enroll the new hard token, contact the IT Services Desk.

Within 6 Months of Purchase

If you are having a problem with a Duo token (no longer generating a passcode, with either a corrupt or blank display) within the six-month warranty period, you will need to contact Duo directly for replacement under the warranty.

Required information: Serial Number (located on the back of the token), Shipping Address for return
Phone: (866) 760-4247
Email: support@duosecurity.com

The replacement token will be shipped directly to the customer that requested the replacement. Once the new token has been received, contact the IT Services Desk at x5000 to add it to your Duo account.

More than 6 Months Since Purchase

If your hard token stops working after the six-month warranty period, you will need to purchase a new one. Use these instructions to purchase a new token.

Tokens that no longer work are e-waste.

Yes. If a department has a spare Duo hard token, IT Services can assign it to a different user.

The Duo prompt displays incorrectly. Part of the Duo prompt is greyed out.

Steps to reproduce

On an iPhone or iPad, going to a website that required Duo authentication.

More information

Follow the instructions on the Duo website, titled "How do I resolve Duo Prompt display issues related to iOS content restrictions?"  

Note that the instructions differ for iOS 12 and iOS 11 and older.

Yes, even if you use Duo somewhere else, you will still need to enroll in Duo at UCSB. See our Getting Started with Duo article for instructions.

If you have set Duo to automatically send you a push or call you when you log in, the checkbox to have Duo remember you will be greyed out, and you won't be able to select it. Follow the instructions below to change a setting to allow you to check that box.

  1. Go to the Duo Identity Management page
  2. Select Duo Multifactor Authentication
  3. Authenticate with Duo
  4. In the When I log in field, select "Ask me to choose an authentication method"
     
    ask me to choose authentication method
     
  5. Click Save
  6. The next time you authenticate with Duo, you will be able to check the Remember Me box

If you'd like Duo to automatically send a push, you can go back into (INSERT LINK HERE) and set it back to Automatically send this device a push.

Note: The Duo Authentication Remember Me option is tied to the cookies in the web browser. If Duo's Remember Me settings are not working, verify that your web browser has cookies enabled and that the browser is not set to delete the cookies after closing the web browser. Visit this web guide to learn how to enable cookies on your browser and follow the instructions for your browser.

The Duo mobile app does collect information from your device when you attempt to authenticate using that device. The data that is collected is not user identifying, and is not used to track what you are doing.

Duo collects two types of information from you.

The first type is used to provide information about your authentication attempts, such as your hardware model, operating system, unique user and device identifiers, connection information and IP address. The transmission of this information cannot be disabled.

The second type of information that the Duo Mobile app collects is analytical data such as how you use the Duo Mobile app, the screens you use within Duo Mobile, and the actions you perform. You can disable the collection of your Duo usage data. To do this, open the Duo Mobile app, go to Settings and turn off Send usage data.

For more information, read Duo's Privacy notice and this article from Duo's knowledge base.

We recommend registering multiple devices in Duo because this will provide a backup method of authenticating with Duo when your primary method is not available.

If you have multiple devices registered in Duo, only the device that you select as your "Default Device" will receive the Duo prompt. You will not receive Duo prompts from every device each time you authenticate.

To enroll a secondary device:

  1. Go to the Duo Identity Management page
  2. Select the Duo Multifactor Authentication module
  3. Authenticate with Duo
  4. Select +Add another device

enroll second device with Duo

  1. Add a secondary device
    1. Smartphone - start with step 1e
    2. Non-smart cellphone - start with step 1e
    3. Hard Token

  2. Ensure that your preferred primary Duo device is set as your "Default Device."

 add another device MFA Duo

7. Click End Session.