Duo Authentication Guide

For security, SF State protects sensitive data using two-factor authentication. SF State employees who access sensitive data to perform work will need to install Duo, the campus-selected application for two-factor authentication, and provide a second credential before access is granted.


Setup Duo

Duo setup will begin automatically the first time you log into a protected resource. It is recommended that you set up at least 2 authentication methods to ensure your ability to log in.

  1. Begin login to a protected SF State resource (e.g., https://vpn.sfsu.edu)
  2. When the Protect Your SF State Account message appears, click Start setup
  3. Select the type of device you will be using to complete your authentication; a cell phone or tablet is preferred, but a phone can be used.
    Duo Device Type Screenshot
  4. Click Continue.
  5. Follow the on-screen instructions to configure Duo. These will vary depending on the type of device you selected. You can expect to be asked for:
    • Phone number
    • Device type (e.g., iPhone, Android, Windows Mobile)
  6. If required, follow the on-screen instructions to install the Duo App on your cell phone or tablet. When installed, click I have Duo Mobile installed, scan the barcode, and click Continue
  7. On the My Settings & Devices screen, select Duo Push (cell and tablet only) and select Save
    Duo Push Options Screenshot
  8. Click Continue to Login

NOTE: To update your Duo settings after your initial setup, begin a Web login process again. After entering your password, you will see the Duo options screen.

Log in using Duo

The steps for logging in with Duo will vary depending on the choices you have made during setup. The general procedure is as follows:

  1. Using your VPN client, begin login to a protected SF State resource
  2. Use your SF State ID as your username
  3. Use your SF State Password as your password
  4. Use one of the following as your second password:
    • Code: Enter the code from the Duo application on your phone or tablet as a second password
      Duo Phone Code Screenshot
    • Push Notifications: Enter push as the second password to push a login request to your phone or tablet. Review the request on the Duo application on your cell phone or tablet, then tap Approve to authenticate
    • Phone Call: Enter phone as the second password to authenticate via phone callback
    • Text Message: Enter sms as the second password to receive a code via text. You will need to log in again using the code you received via text as the second password to authenticate
    • Adding a number to the end of the above-mentioned second passwords will trigger the action to the other devices registered in your Duo settings. For example:
      • push2 pushes a login request to your second phone or tablet
      • phone2 sends a login request to your second phone
      • sms3 sends a passcode via text to your third phone
  5. Complete your login

Troubleshooting

Incorrect Phone Number

It is recommended that you setup two login methods so that the second method can be used to update your account if necessary. To update your Duo settings, begin a Web login process again. After entering your password, you will see the Duo options screen. If you have only one method for login and are unable to use it, please submit a service request.

Unable to Log In

The most common cause of VPN Login issues is the selection of an incorrect security group. If you are unsure of your group, please submit a service request asking for security group verification.

Lost/Stolen Phone

Please report the loss or theft of a phone with the Duo app to security@sfsu.edu. Include the phone number of the missing device.