Two-Factor Authentication (2FA) Guide

For security, SF State protects sensitive data using two-factor authentication. SF State employees who access sensitive data to perform work need to install Duo Mobile App, the SF State application for two-factor authentication, and provide a second credential before access is granted.

As of January 15, 2020 SF State staff are required to use Two-Factor Authentication (2FA) when accessing web applications and services via the SF State Global Login. Faculty accounts will be scheduled sometime later in 2020 in collaboration with our partners in Academic Affairs. Student accounts will be assessed after staff and faculty have been on-boarded.


Getting Started

What is Two-Factor Authentication (2FA)?

Two-factor authentication (2FA) is the process in which a user accesses a computer system or application and must prove they are who they say they are by using two forms of authentication to log in, such as (1) something they know, (2) something they have, or (3) something they are.

What can you use to log in?

You can use either the Duo Mobile App or a Duo Hardware Token to log in with two-factor authentication (2FA). We recommend having two devices with one acting as a backup. You can have two smart devices, like a phone and a tablet, or one smart device and a hardware token.

Duo Hardware Token

What is a Duo Hardware Token?

A Duo Hardware Token is a physical device that a user carries to authenticate their identity and authorize access to a network. ITS offers a hardware token that can be added to a key ring. Push a button on the device and it generates a passcode. The hardware token is 2 1/2" x 1 1/16" x 5/15" in size. Using a Duo Hardware Token is optional if you are using the Duo Mobile App.

If you no longer need or are no longer using your Duo Hardware Token, please return it to the ITS Service Desk in ADM 110 during business hours, Monday-Friday 8:00 a.m. - 5:00 p.m.

Duo hardware token

                                                      2 ½" x 1 1/16" x 5/16"

How can I request a Duo Hardware Token?

If you do not have a smartphone or tablet, you must request a Duo Hardware Token to use for authenticationYour hardware token can be picked up or mailed to your residence. You may only request/receive one hardware token.

Duo Mobile App

What is the Duo Mobile App?

The Duo Mobile app delivers two-factor push notifications directly to your mobile phone or tablet. Alternately, it can simply provide a code within the app itself without a push notification. This provides for fast and secure access. The Duo Mobile App can be installed on a smartphone or tablet and is available on both iOS and Android.

How do I set up the Duo Mobile App?

Duo setup will begin automatically the first time you log in to a protected resource. It is recommended that you install and set up your smartphone with the Duo Mobile App as the primary authentication device. You can have the Duo Mobile App installed and set up on more than one mobile device. It is strongly recommended that you set up a second device in case your primary device is lost or stolen.

1. To set up your first Duo device, start on a computer by going to https://2fa.sfsu.edu/

2. When the Protect Your SF State Account message appears, select Start setup
Protect Your SF State Account

If you don't see the screen above, contact the ITS Service Desk.

3. Select the type of device you will be using to complete your authentication; a mobile phone or tablet is preferred. Select Continue.
What type of device are you adding?

4. Follow the on-screen instructions to configure Duo. These will vary depending on the type of device you selected. You will be asked for your Device type (e.g., iOS, Android, Windows Mobile) and mobile phone number.

5 Install the free Duo Mobile app on your mobile phone or tablet using your device's app store.  The app is "Duo Mobile" by "Duo Security Inc." When installed, on your computer select I have Duo Mobile installed.

6. On the app, select Add Account or the '+' button; scan the barcode by holding up your device's camera so that it can see the code on your web browser. Your device will notify you when it has correctly scanned the code. Select Continue. NOTE: The app will need access to camera settings on your mobile device, but will only use it for this step.

7. Select Continue to Login to test your setup. 

Test Your Login with Two-Factor Authentication

  1. Using a web browser, go to https://2fa.sfsu.edu
  2. Log in to the SF State Global Login page.
  3. Follow the instructions to authenticate. 
  4. If successful, you will see a web page indicating Authentication with Duo is completed.

Log in using Duo

For applications requiring 2FA, the general procedure is as follows once you reach the SF State Global Login page:

  1. Log in to the SF State Global Login page using your SF State credentials:
  2. Authenticate with the Duo Mobile App or a Duo Hardware Token using ONE of the options below. Make sure the "Device:" selector has your phone number if you are using a phone, your tablet description if using a tablet, or says "token" if you are using a hardware token. This tells Duo from which device to expect an authentication message.
    • Duo Mobile App: Select the Send me a push button. On your phone or tablet, tap the notification that is sent to you and tap Approve to complete the login. Alternatively, select Enter a passcode check your Duo mobile app to get a code. Enter that code into the Duo login page to complete the login. The "push" requires cellular or internet access to function while the passcode will work without a connection. 
    • Hardware Token: Select Enter a passcode, then press the red button on your hardware token to generate a code. Enter that code into the Duo login page to complete the login.

 

Update Your Duo Settings

Log in to the 2FA test page linked below on your computer to access your Duo settings. You will need to have access to a Duo-connected device for authentication. This can be a Duo hardware token, a phone with the Duo Mobile App activated, or a different Duo-connected device. If you do not have an available device, please use the Try another way link below the Duo authentication page to request a one-time passcode. This passcode can be used to add or update a device.

 

2FA test page: https://2fa.sfsu.edu/

 

After completing the initial SF State Global Login you will be redirected to the Duo login page. Before authenticating with Duo, select the Settings button. Then, select the option that best fits your needs.

 

Setup a New Phone

Access your Duo Settings using the instructions above. Select the My Settings & Devices option in the Settings panel to get started. 
 

Duo settings panel. Links on the panel include "Add a new device" and "My Settings and Devices"

You will need to authenticate with Duo to access your settings. 

My Settings and Devices page. A prompt to choose an authentication device and authenticate with Duo to confirm it's really you logging in.

After authenticating, you will see a list of your devices. 

My Settings and Devices page. A device list including a mobile device and hardware tokens. Buttons with gear icons are to the right of each device.

Select the gear icon next to your phone number to see the device settings. 

My Settings and Devices page. Options available after selecting a specific device including reactivate device, change device name, and delete device.

If your phone number is the same, select Reactivate Duo Mobile and follow the on-screen instructions to activate the Duo Mobile App on your new phone. 

 

If you have a new phone number, select Add another device and follow the on-screen instructions to activate the Duo Mobile App on your new phone. After adding your new phone, go back to your old device and select Delete Device to remove it from your device list.

 

 

 

 

Lost or Stolen Device

Report the loss or theft of a mobile phone or tablet on which the Duo App is installed, or the loss of a Duo Hardware Token. Include the phone number of the missing device. Your Duo account will be reset by ITS before your replacement device can be activated. The new device will then need to be set up as if it was a first-time installation of Duo. To open a ticket with ITS to report your lost or stolen hardware token, go to https://sfsu.service-now.com/sp?id=sc_cat_item&sys_id=85c46071db4dff0081fd16994b96192a

 

 

 

During normal business hours, please call Academic Technology or ITS for help getting into your account. Outside of normal business hours, you can use the "Try Another Way" feature to obtain a single-use, emergency passcode.

 

 

 

 

Duo's Guide to Two-Factor Authentication

Check the Duo guide at https://guide.duo.com/ for more detailed information.

Get Help

Still have questions? Take a look at our FAQ page or contact the Service Desk using the contact information listed below.

Phone: 415-338-1420

Email: service@sfsu.edu