Duo MFA Frequently Asked Questions

Use our instructions "How to replace a phone in Duo". We have a tool that helps you create a new token.

Starting in Summer 2020, the lockout will only last 30 minutes and will come off automatically. If it's been 30 minutes and you're still locked out, please open a ticket and make sure to provide your mobile number in your request. If you're unable to open a ticket, you can email us at oit@uci.edu or give us a call at 949-824-2222. For your security, we'll need to speak with you to verify your identity before we can assist.

If you have previously generated and saved your Emergency Backup Codes, you can use one of your codes.

If you don't have an emergency backup code, we can still help. Please open a ticket and provide a phone number where you can be reached. If you're unable to open a ticket, you can email us at oit@uci.edu or give us a call at 949-824-2222. For your security, we'll need to speak with you to verify your identity before we can assist.

Once payroll has confirmed that you are a separated student employee, you will be automatically removed from receiving the Duo push.

If you would like to remove your phone registration from Duo, please visit the Duo Support Desk to "Opt out": https://applications.oit.uci.edu/DuoSupportDesk/enrollment.htm

Let us know if you are still experiencing issues.

1. Log in to a WebAuth-enabled service (such as Zotportal or EEE) as your normally would with your UCInetID and Password.
2. On the UCI MultiFactor Login screen, select the 2nd device from the pulldown menu.
3. Click the "Cancel" button on the web page screen where it says "Pushed a login request to your device..."
4. The "Remember me" checkbox should now be editable.
   • NOTE: Using this feature requires your browser to accept 3rd party cookies.
5. Change option as desired and click Push, after which it will Auto-Push again with new setting.

If you forget your MFA enabled device, you can use one of your emergency backup codes to login.

You've probably heard that you shouldn't write down your password, but these backup codes are an exception. You should definitely print these or write these down and keep them handy in a place where you can find them in an emergency, like your wallet, pocketbook, or purse. These are single-use codes, so after you use a code it cannot be used again.

To generate your backup codes:

1. Visit this emergency backup codes page.
2. Select the Generate button on the bottom of the page to receive 10 backup codes.
3. Copy and paste the codes in a document, and then print the document.
   • Alternatively you can store the backup codes in your password vault like LastPass, KeePass etc.

In the event you misplace or replace your mobile device or hardware token (or if you just left it at home), you can use one of your emergency backup codes. Here's how:

1. On the UCI Multifactor Login screen, select Enter a Passcode.
   • NOTE: If this button is greyed out, it means you've enabled the auto-push feature. Simply press Cancel in the blue bar at the bottom of the screen, and the Enter a Passcode button will now be selectable.
2. Pull out your list of emergency backup codes and enter the 1st one on the list.
3. Enter this code in the two-step authentication screen and select Log In.

Don't forget to cross this code off your list because each code can only be used once.

Yes. All users with iCloud Keychains enabled will automatically backup. When you activate a new iOS device, Duo Mobile will automatically connect to iCloud Keychain, iCloud Drive, and Duo’s cloud service to reactivate at first launch of the application.

Visit this Apple Support link to learn how to enable iCloud Keychain.

Passwords are becoming increasingly easy to compromise. They can be stolen, “phished”, guessed, and hacked. New technology and hacking techniques combined with the limited pool of passwords most people use for multiple accounts increases vulnerability.

UCI supports a range of electronic devices including:

• iOS smartphones and tablets
• Android smartphones and tablets
• Windows phones
• Hardware tokens, such as OIT-issued tokens or third-party tokens like Yubikey

For those of you who don't have a smartphone, the campus has funded independent Duo tokens for your use. Tokens will be distributed to your department's security coordinator.

1. On the UCI Multifactor Login screen, select Enter a Passcode.
   • NOTE: If this button is greyed out, it means you've enabled the auto-push feature. Simply press Cancel in the blue bar at the bottom of the screen, and the Enter a Passcode button will now be selectable.
2. A blue bar at the bottom of the screen prompts you to enter the Duo Mobile passcode.
3. Open the Duo Mobile app on your tablet or smartphone.
4. In the Duo Mobile app, tap the key icon on the right side of the screen.
5. A six-digit passcode displays.
6. Enter this code in the two-step authentication screen and select Log In.

1. Visit our DuoSupportDesk Enrollment page.
2. Select the Software Token Registration link.
3. Select the "My Settings & Devices" link.
4. When prompted, enter a passcode/receive a push to verify your account.
5. Change the "When I log in" selection for your device to automatically send a Duo push (or the opposite to disable)
6. Click Save.

Sometimes a Duo push might not be received in a timely manner (or at all) on a user’s phone for any of a number of reasons, namely a weak network connection or an upstream problem that is out of OIT’s and Duo’s control. The reasons include:

1. You're somewhere that has poor or no network connectivity.
   • You can use the Enter a Passcode option. The Duo Mobile app generates a new 6-digit code every 60 seconds that you can use anywhere in the world.
   • See the instructions below on how to use this feature.
2. You've inadvertently disabled your notifications on your mobile device.
   • To enable notifications on a iPhone, visit this Apple support page. For Android devices, visit this Android support page.

Reason 1: If you are somewhere that has poor or no network connectivity, use the Enter a Passcode option. If this button is greyed out, click the Cancel button in the lower right.

Now, select the Enter a Passcode option button.

On your mobile phone, open the Duo Mobile app and tap the “Duo-Protected” token. A 6-digit number will appear below it. This is the passcode.

Type this 6-digit code that you see in the Duo Mobile app, and then select Log In.

The UCI Multifactor Login screen (which is where you tell Duo to send you a push or to enter a passcode) will appear blank if your running certain 'ad blocker' browser plugins, such as Adblocker Plus and uBlock Origin. The ad blockers are misinterpreting the Duo page as a 'pop up'.

There are a few ways to resolve this:

1. Temporarily disable the ad blocker and refresh the page.
2. Add the URL 'login.uci.edu' to your ad blocker's 'white list'.
3. Permanently disable or uninstall the ad blocker.

If you're seeing the following error in red... "Access Denied. The username you have entered cannot authenticate with Duo Security. Please contact your system administrator.' ...it's because you've recently replaced your phone, or performed a factory reset on your phone. The old token is no longer valid and must be replaced. Please open a ticket and provide a phone number where you can be reached. If you're unable to open a ticket, you can email us at oit@uci.edu or give us a call at 949-824-2222. For your security, we'll need to speak with you to verify your identity before we can assist.

Currently no, but in the near future we will roll this out to the student body. For now, those of you who would like to take advantage of MFA can sign up for Google MFA.

Open the Duo Mobile app and use the 6-digit passcode that appears on your screen.

Please open a ticket and make sure to provide your mobile number in your request. We'll need to speak with you during business hours to resync your token. If your hardware token needs to be replaced and you work for OIT, we can open a ticket with the Security team so they can furnish you with a new one. If you do not work for OIT, please partner with whoever in your department provided you with the hardware token. Alternatively, you can ask your local CSC.

Yes. If you have a Yubikey, follow this link to enroll.

Make sure your Yubikey is plugged in to your computer's USB port before proceeding.

After you login to WebAuth, you'll arrive on the UCI Multifactor Login page. Select the "Enter a Passcode" option and then press the button on your Yubikey.

The Yubikey will generate a unique 6-digit code, automatically add it to the passcode field, and will then automatically log you in.

1. Login to the Duo Support Desk.
2. Select the WebAuth Opt-In link at the top of the screen.
3. Select the Enable radio button, and then select Submit.

If you tap the "Deny" button on a push request, even if by accident, the system will send you and the Duo Admins an email. If you tapped the "Deny" button in error, you can safely disregard the email. If you did not, please forward the email to oit@uci.edu and include a note.

No, if your application uses WebAuth, it will automatically include Duo MFA for those who are enrolled.

You'll see this error if you were 'opted-in' to the Duo + WebAuth service but you have not yet enrolled your mobile device in Duo. Please open a ticket with the Help Desk and ask us to opt you out.

When you attempt to RDP into a Windows workstation that requires Duo, you will receive a prompt to authenticate with Duo. However, this prompt may default to the using your mobile phone option.

In the case where you'd like to authenticate with your hardware token instead, you may simply enter the code it generates into the passcode field that is available. Despite this being labeled under the mobile phone, it will still accept a passcode generated from any of your active Duo devices.