Duo Support

Generate your Emergency Backup Codes before you need them

You can use these in case you replace or misplace your phone or hardware token.

Replace your phone using an Emergency Backup Code or Bypass Code

Don't have a Backup Code? You can call the HD and we can generate a Bypass Code.

NOTE: HS users should follow these instructions instead.

OIT uses Duo for Two-Factor Authentication (2FA). We offer two types of Duo tokens:

  • Software Tokens
    • The token will reside in an app called Duo Mobile that you download on your mobile phone.
  • Hardware Tokens (or fob)
    • This option is for users who prefer not to use their mobile phone. You can place this token on your keychain, for example.

Duo 2FA is currently available to employees only.

Getting Started with Duo

How do I get started?

Software Token Instructions

  1. Visit our DuoSupportDesk Enrollment page.
  2. Select the Software Token Registration link.
  3. Follow the step-by-step instructions to register your mobile device and download the mobile app.
  4. IMPORTANT: after you enroll your device, follow the instructions in the Duo Support Desk to generate your Emergency Backup Codes. You'll need these in case you misplace or replace your phone.

If you want to register an additional device (such as a tablet or iPad):

  1. Visit our DuoSupportDesk Enrollment page.
  2. Select the Software Token Registration link.
  3. Select the Add a new device link and enter a passcode/receive a push to verify your account.
  4. Follow the step-by-step instructions again to register the additional device and download the mobile app.

Hardware Token Instructions

  1. Fill out this form to order a token from OIT. You'll get an email when it's ready to pick up.
  2. Once you receive it, visit our DuoSupportDesk Enrollment page.
  3. Select the Duo Hardware Token Registration link.
  4. Follow the instructions to register your token's serial number.
  5. IMPORTANT: after you enroll your device, follow the instructions in the Duo Support Desk to generate your Emergency Backup Codes. You'll need these in case you misplace or replace your phone.

If you're having trouble setting up Duo, please consult our online documentation.

How do I generate Emergency Backup Codes?

We have a video tutorial that shows you how to generate the codes.

After you enroll your device, you should return to the Duo Support Desk portal and generate your emergency backup codes immediately. These codes can be used in case you replace or misplace your mobile phone or hardware token, or if you just left your phone or hardware token at home.

The system will generate 10 numeric codes, which you should keep in a safe place and somewhere nearby where they'll be readily accessible, like your wallet, purse, or even in an online password vault like LastPass.com. Each code can only be used once, so once you've used it, just scratch it off the list.

After you generate your emergency backup codes, follow these steps to use one of the codes:

  1. On the UCI Multifactor Login screen, select Enter a Passcode.
    • NOTE: If this button is greyed out, it means you've enabled the auto-push feature. Simply press Cancel in the blue bar at the bottom of the screen, and the Enter a Passcode button will now be selectable.
  2. Pull out your list of emergency backup codes and enter the 1st one on the list.
  3. Enter this code in the two-step authentication screen and select Log In.

Don't forget to cross this code off your list because each code can only be used once.

How do I opt-in to the Duo + WebAuth and/or the Duo + Office 365 service?

Employees who wish to use this service can follow the instructions on the WebAuth & Office 365 pages.

We have a video tutorial that shows you how to opt-in to this service.

I've registered two devices with Duo. How do I send a push to my 2nd device?

Using WebAuth

To use this feature, you must first 'opt-in' to the Duo + WebAuth service. Visit this page to learn how to opt-in, and then follow the steps below.

  1. Log in to a WebAuth-enabled service (such as Zotportal or EEE) as your normally would with your UCInetID and Password.
  2. On the UCI MultiFactor Login screen, select the 2nd device from the pulldown menu.
  3. Choose either option to Send me a Push or Enter a Passcode.
  4. Tap "Approve" on your 2nd device to be logged in.

Logging in to a server using RDP

If your department has configured a server to require 2FA, login as you would normally; however, type push2 in the 2nd Password field and Duo will push the notification to your 2nd device.

Using Duo

How do I enter a passcode?

We have a video tutorial that shows you how to use Duo with either a passcode from the Duo Mobile app or from a hardware token (if you have one).

  1. On the UCI Multifactor Login screen, select Enter a Passcode.
    • NOTE: If this button is greyed out, it means you've enabled the auto-push feature. Simply press Cancel in the blue bar at the bottom of the screen, and the Enter a Passcode button will now be selectable.
  2. A blue bar at the bottom of the screen prompts you to enter the Duo Mobile passcode.
  3. Open the Duo Mobile app on your tablet or smartphone.
  4. In the Duo Mobile app, tap the key icon on the right side of the screen.
  5. A six-digit passcode displays.
  6. Enter this code in the two-step authentication screen and select Log In.

How do I enter an emergency backup passcode?

We have a video tutorial that shows you how to use your previously-generated emergency backup codes.

In the event you misplace or replace your mobile device or hardware token (or if you just left it at home), you can use one of your emergency backup codes. Here's how:

  1. On the UCI Multifactor Login screen, select Enter a Passcode.
    • NOTE: If this button is greyed out, it means you've enabled the auto-push feature. Simply press Cancel in the blue bar at the bottom of the screen, and the Enter a Passcode button will now be selectable.
  2. Pull out your list of emergency backup codes and enter the 1st one on the list.
  3. Enter this code in the two-step authentication screen and select Log In.

Don't forget to cross this code off your list because each code can only be used once.

How do I enable Auto-Push for Web Logins?

We have a video tutorial that shows you how to enable this feature in the Duo Support Desk.

To use this feature, you must first 'opt-in' to the Duo + WebAuth service. Visit this page to learn how to opt-in, and then follow the steps below.

  1. Visit our DuoSupportDesk Enrollment page.
  2. Select the Software Token Registration link.
  3. Select the "My Settings & Devices" link.
  4. When prompted, enter a passcode/receive a push to verify your account.
  5. Change the "When I log in" selection for your device to automatically send a Duo push (or the opposite to disable)
  6. Click Save.

How do I enable the 'Remember Me for 24 hours' feature when Auto-Push is enabled for Web Logins?

We have a video tutorial that shows you how to enable this feature in WebAuth.

To use this feature, you must first 'opt-in' to the Duo + WebAuth service. Visit this page to learn how to opt-in, and then follow the steps below.

  1. Log in to a WebAuth-enabled service (such as Zotportal or EEE) as your normally would with your UCInetID and Password.
  2. On the UCI MultiFactor Login screen, select the 2nd device from the pulldown menu.
  3. Click the "Cancel" button on the web page screen where it says "Pushed a login request to your device..."
  4. The "Remember me" checkbox should now be editable.
    • NOTE: Using this feature requires your browser to accept 3rd party cookies.
  5. Change option as desired and click Push, after which it will Auto-Push again with new setting.

Troubleshooting Duo

I've replaced my phone/factory reset my phone. How do I get a new token?

We have a video tutorial that shows you how to enroll your new device if you still have the old device, as well as a separate video that shows you how to remove the old device.

If you still have the old phone with an activated software token, you can go to the DuoSupportDesk Enrollment page and click on the Software Token Registration link to enroll the new device and delete the old one. If you don't have the old phone (or if you've reset your phone), please open a ticket and make sure to provide your mobile number in your request.

If you're unable to open a ticket, you can email us at oit@uci.edu or give us a call at 949-824-2222. For your security, we'll need to speak with you to verify your identity before we can assist. Once we do, we'll remove the old phone from system. At that point, you can go to the DuoSupportDesk Enrollment page and click on the Software Token Registration link to enroll the new device.

I left my phone at home. Can you help me?

We have a video tutorial that shows you what to do if you forget your phone.

We can provide you with a Bypass Code that will work for 24 hours. However, if you previously generated and saved your Emergency Backup Codes, you can use one of your codes in case you don't have you phone.

If you don't have an emergency backup code, we can still help. Please open a ticket and provide a phone number where you can be reached. If you're unable to open a ticket, you can email us at oit@uci.edu or give us a call at 949-824-2222. For your security, we'll need to speak with you to verify your identity before we can assist.

My Duo account is locked.

Please open a ticket and make sure to provide your mobile number in your request. If you're unable to open a ticket, you can email us at oit@uci.edu or give us a call at 949-824-2222. For your security, we'll need to speak with you to verify your identity before we can assist.

I'm getting the 'Access Denied' error.

If you're seeing the following error in red... "Access Denied. The username you have entered cannot authenticate with Duo Security. Please contact your system administrator.' ...it's because you've recently replaced your phone, or performed a factory reset on your phone. The old token is no longer valid and must be replaced. Please open a ticket and provide a phone number where you can be reached. If you're unable to open a ticket, you can email us at oit@uci.edu or give us a call at 949-824-2222. For your security, we'll need to speak with you to verify your identity before we can assist.

Can students use Duo?

Currently, only Law School students and those students who are employed by a department that uses Duo are allowed to use the service. If you're unsure whether your department requires you to use Duo, check with your manager/supervisor. In the near future, we *may* roll this out to the rest of the student body but we have no ETA at this time. For now, those of you who would like to take advantage of 2FA can sign up for Google 2FA.

What if I'm somewhere with no telephone reception?

You can generate bypass codes in the Duo Support Desk tool (where you enrolled your mobile device). These codes can be useful if you're traveling abroad or are in a location with poor telephone reception. It is your responsibility to safeguard these codes.

My hardware Duo token (or fob) is not working

Please open a ticket and make sure to provide your mobile number in your request. We'll need to speak with you during business hours to resync your token. If your hardware token needs to be replaced and you work for OIT, we can open a ticket with the Security team so they can furnish you with a new one. If you do not work for OIT, please partner with whoever in your department provided you with the hardware token. Alternatively, you can ask your local CSC.

I've received an email with the subject line 'Fraudulent authentication report'.

If you tap the "Deny" button on a push request, even if by accident, the system will send you and the Duo Admins an email. If you tapped the "Deny" button in error, you can safely disregard the email. If you did not, please forward the email to oit@uci.edu and include a note.

I've tried the steps above and I'm still having issues

We recommend you continue your search in our comprehensive ServiceNow Knowledge Base.

If you're still having trouble, feel free to open a ticket. When doing so, please provide the following:

  • Your full name
  • Your UCInetID (the first part of your email address, not your ID number)
  • Your mobile number
  • A detailed description of the issue

Failure to provide this information will delay our response.

Lots of great info can be found in the Duo User Guide. Return to the OIT Help Center.

Scroll Up