Duo Support

NOTE: HS users should follow these instructions instead.

OIT uses Duo for Two-Factor Authentication (2FA). We offer two types of Duo tokens:

  • Software Tokens
    • The token will reside in an app called Duo Mobile that you download on your mobile phone.
  • Hardware Tokens (or fob)
    • This option is for users who prefer not to use their mobile phone. You can place this token on your keychain, for example.

Duo 2FA is currently available to employees only.

Getting Started with Duo

How do I get started?

Software Token Instructions

  1. Visit our DuoSupportDesk Enrollment page.
  2. Select the Software Token Registration link.
  3. Follow the step-by-step instructions to register your mobile device and download the mobile app.

If you want to register an additional device (such as a tablet or iPad):

  1. Visit our DuoSupportDesk Enrollment page.
  2. Select the Software Token Registration link.
  3. Select the Add a new device link and enter a passcode/receive a push to verify your account.
  4. Follow the step-by-step instructions again to register the additional device and download the mobile app.

Hardware Token Instructions

  1. Fill out this form to order a token from OIT. You'll get an email when it's ready to pick up.
  2. Once you receive it, visit our DuoSupportDesk Enrollment page.
  3. Select the Duo Hardware Token Registration link.
  4. Follow the instructions to register your token's serial number.

If you're having trouble setting up Duo, please consult our online documentation.

How do I opt-in to the Duo + WebAuth and/or the Duo + Office 365 service?

Employees who wish to use this service can follow the instructions on the WebAuth & Office 365 pages.

How do I enable Auto-Push for Web Logins?

To use this feature, you must first 'opt-in' to the Duo + WebAuth service. Visit this page to learn how to opt-in, and then follow the steps below.

  1. Visit our DuoSupportDesk Enrollment page.
  2. Select the Software Token Registration link.
  3. Select the "My Settings & Devices" link.
  4. When prompted, enter a passcode/receive a push to verify your account.
  5. Change the "When I log in" selection for your device to automatically send a Duo push (or the opposite to disable).
  6. Click Save.

How do I enable the 'Remember Me for 24 hours' feature when Auto-Push is enabled for Web Logins?

To use this feature, you must first 'opt-in' to the Duo + WebAuth service. Visit this page to learn how to opt-in, and then follow the steps below.

  1. Log in to a WebAuth-enabled service (such as Zotportal or EEE) as you normally would with your UCInetID and Password.
  2. On the UCI MultiFactor Login screen, select the 2nd device from the pulldown menu.
  3. Click the "Cancel" button on the web page screen where it says "Pushed a login request to your device..."
  4. The "Remember me" checkbox should now be editable.
    • NOTE: Using this feature requires your browser to accept 3rd party cookies.
  5. Change the option as desired and click Push, after which it will Auto-Push again with the new setting.

I've registered two devices with Duo. How do I send a push to my 2nd device?

Using WebAuth

To use this feature, you must first 'opt-in' to the Duo + WebAuth service. Visit this page to learn how to opt-in, and then follow the steps below.

  1. Log in to a WebAuth-enabled service (such as Zotportal or EEE) as you normally would with your UCInetID and Password.
  2. On the UCI MultiFactor Login screen, select the 2nd device from the pulldown menu.
  3. Choose either option to Send me a Push or Enter a Passcode.
  4. Tap "Approve" on your 2nd device to be logged in.

Logging in to a server using RDP

If your department has configured a server to require 2FA, log in as you would normally; however, type push2 in the 2nd Password field and Duo will push the notification to your 2nd device.

Troubleshooting Duo

I've replaced my phone (or I've reset my phone). How do I get a new token?

If you still have the old phone with an activated software token, you can go to the DuoSupportDesk Enrollment page and click on the Software Token Registration link to enroll the new device and delete the old one. If you don't have the old phone (or if you've reset your phone), please open a ticket and make sure to provide your mobile number in your request.

If you're unable to open a ticket, you can email us at oit@uci.edu or give us a call at 949-824-2222. For your security, we'll need to speak with you to verify your identity before we can assist. Once we do, we'll remove the old phone from the system. At that point, you can go to the DuoSupportDesk Enrollment page and click on the Software Token Registration link to enroll the new device.

I've replaced my phone but forgot to 'opt-out' of Duo + WebAuth before doing so.

There are two ways to enroll in Duo + WebAuth:

  1. Opting-in yourself by following the instructions here.
  2. Being 'granted' the KSAMS role WebAuth Duo MFA Mandatory Enforcement, which means your department has made Duo + WebAuth a requirement to log in.

If you opted-in yourself *and you still have your old phone with you*, you can opt-out by following the instructions here. However, if you've already replaced the phone, open a ticket. We'll send you a temporary Bypass Code which you can use to log in to the Enrollment page.

If you were given the aforementioned KSAMS role, open a ticket. We'll send you a temporary Bypass Code which you can use to log in to the Enrollment page.

In rare cases, the 'Bypass Code' option won't work and we'll have to remove and manually re-add your phone to Duo. Once we do, we will send you an SMS message with a new token.

My Duo account is locked.

Please open a ticket and make sure to provide your mobile number in your request. If you're unable to open a ticket, you can email us at oit@uci.edu or give us a call at 949-824-2222. For your security, we'll need to speak with you to verify your identity before we can assist.

I'm getting the 'Access Denied' error.

If you're seeing the following error in red:

"Access Denied. The username you have entered cannot authenticate with Duo Security. Please contact your system administrator."

...it's because you've recently replaced your phone, or performed a factory reset on your phone. The old token is no longer valid and must be replaced. Please open a ticket and provide a phone number where you can be reached. If you're unable to open a ticket, you can email us at oit@uci.edu or give us a call at 949-824-2222. For your security, we'll need to speak with you to verify your identity before we can assist.

I left my phone at home. Can you help me?

Yes. Please open a ticket and provide a phone number where you can be reached. If you're unable to open a ticket, you can email us at oit@uci.edu or give us a call at 949-824-2222. For your security, we'll need to speak with you to verify your identity before we can assist.

Can students use Duo?

Currently, only Law School students and those students who are employed by a department that uses Duo are allowed to use the service. If you're unsure whether your department requires you to use Duo, check with your manager/supervisor. In the near future, we *may* roll this out to the rest of the student body but we have no ETA at this time. For now, those of you who would like to take advantage of 2FA can sign up for Google 2FA.

What if I'm somewhere with no telephone reception?

You can generate bypass codes in the Duo Support Desk tool (where you enrolled your mobile device). These codes can be useful if you're traveling abroad or are in a location with poor telephone reception. It is your responsibility to safeguard these codes.

My hardware Duo token (or fob) is not working

Please open a ticket and make sure to provide your mobile number in your request. We'll need to speak with you during business hours to resync your token. If your hardware token needs to be replaced and you work for OIT, we can open a ticket with the Security team so they can furnish you with a new one. If you do not work for OIT, please partner with whoever in your department provided you with the hardware token. Alternatively, you can ask your local CSC.

I've received an email with the subject line 'Fraudulent authentication report'.

If you tap the "Deny" button on a push request, even if by accident, the system will send you and the Duo Admins an email. If you tapped the "Deny" button in error, you can safely disregard the email. If you did not, please forward the email to oit@uci.edu and include a note.

I've tried the steps above and I'm still having issues

We recommend you continue your search in our comprehensive ServiceNow Knowledge Base.

If you're still having trouble, feel free to open a ticket. When doing so, please provide the following:

  • Your full name
  • Your UCInetID (the first part of your email address, not your ID number)
  • Your mobile number
  • A detailed description of the issue

Failure to provide this information will delay our response.

Lots of great info can be found in the Duo User Guide.