Two-Factor Authentication (2FA) Guide

For security, SF State protects sensitive data using two-factor authentication. SF State employees who access sensitive data to perform work need to install the Duo Mobile App, the SF State application for two-factor authentication, and provide a second credential before access is granted.

As of January 15, 2020, SF State staff are required to use Two-Factor Authentication (2FA) when accessing web applications and services via the SF State Global Login. Faculty accounts will be scheduled sometime later in 2020 in collaboration with our partners in Academic Affairs. Student accounts will be assessed after staff and faculty have been on-boarded.

Getting Started

What is Two-Factor Authentication (2FA)?

Two-factor authentication (2FA) is the process in which a user accesses a computer system or application and must prove they are who they say they are by using two forms of authentication to log in, such as (1) something they know, (2) something they have, or (3) something they are.

What can you use to log in?

You can use either the Duo Mobile App or a Duo Hardware Token to log in with two-factor authentication (2FA). We recommend having both, with the app as the primary method of authentication.

Duo Hardware Token

What is a Duo Hardware Token?

A Duo Hardware Token is a physical device that a user carries to authenticate their identity and authorize access to a network. ITS offers a hardware token that can be added to a key ring. Push a button on the device and it generates a passcode. The hardware token is 2 1/2" x 1 1/16" x 5/16" in size. Using a Duo Hardware Token is optional if you are using the Duo Mobile App.

If you no longer need or are no longer using your Duo Hardware Token, please return it to the ITS Service Desk in ADM 110 during business hours, Monday-Friday 8:00 a.m. - 5:00 p.m.

Duo hardware token (2 ½" x 1 1/16" x 5/16")

How can I request a Duo Hardware Token?

If you do not have a smartphone or tablet, you must request a Duo Hardware Token to use for authentication. You will be notified when your hardware token is ready to be picked up at the ITS Service Desk. You may only request/receive one hardware token.

Duo Mobile App

What is the Duo Mobile App?

The Duo Mobile App delivers two-factor push notifications directly to your mobile phone or tablet. Alternatively, it can simply provide a code within the app itself without a push notification. This provides for fast and secure access. The Duo Mobile App can be installed on a smartphone or tablet and is available on both iOS and Android.

How do I set up the Duo Mobile App?

Duo setup will begin automatically the first time you log in to a protected resource. It is recommended that you install and set up your smartphone with the Duo Mobile App as the primary device with which you will authenticate. You can have the Duo Mobile App installed and set up on more than one mobile device.

1. On a computer, begin login at our test login page at

2. When the Protect Your SF State Account message appears, select Start setup.
Protect Your SF State Account

If you don't see the screen above, contact the ITS Service Desk.

3. Select the type of device you will be using to complete your authentication; a mobile phone or tablet is preferred. Select Continue.
What type of device are you adding?

4. Follow the on-screen instructions to configure Duo. These will vary depending on the type of device you selected. You will be asked for your Device type (e.g., iOS, Android, Windows Mobile) and mobile phone number.

5. Install the Duo Mobile App on your mobile phone or tablet. When installed, on your computer select I have Duo Mobile installed.

6. On the app, select Add Account, scan the barcode, and select Continue. NOTE: The app will need access to camera settings on your mobile device, but will only use it for this step.

7. Select Continue to Login to test.

Test Your Login with Two-Factor Authentication

  1. Using a web browser, go to
  2. Log in to the SF State Global Login page.
  3. Follow the instructions to authenticate.
  4. If successful, you will see a web page indicating Authentication with Duo is completed.

Log in using Duo

For applications requiring 2FA, the general procedure is as follows once you reach the SF State Global Login page:

  1. Log in to the SF State Global Login page using your SF State credentials.
  2. Authenticate with the Duo Mobile App or a Duo Hardware Token using ONE of the options below:
    • Duo Mobile App: Select the Send me a push button. On your phone or tablet, tap the notification that is sent to you and tap Approve to complete the login. Alternatively, select Enter a passcode, then check your Duo Mobile App to get a code. Enter that code into the Duo login page to complete the login.
    • Hardware Token: Select Enter a passcode, then press the red button on your hardware token to generate a code. Enter that code into the Duo login page to complete the login.


Update Your Duo Settings

To update your Duo settings, please log in to our test login page at After completing the initial SF State Global Login you will be redirected to the Duo login page. Select the Settings button and then select the option that best fits your needs.

New Phone Setup

To set up your new phone with the Duo Mobile App you will need to have access to an alternate method of authentication (e.g., your old phone or a Duo Hardware Token). Use the Add a new device option in the Settings panel and follow the on-screen instructions to activate the Duo Mobile App on your new phone.

Duo Options

Lost or Stolen Device

Report the loss or theft of a mobile phone or tablet on which the Duo App is installed, or the loss of a Duo Hardware Token. Include the phone number of the missing device. Your Duo account will be reset by ITS before your replacement device can be activated. The new device will then need to be set up as if it was a first-time installation of Duo.

IMPORTANT: The first hardware token and replacement of defective ones are provided free of charge. However, lost/stolen tokens needing replacement will require an MPP's approval for billing of a $20 administrative fee to your department. The administrative fee may be waived for a stolen token if the request for a replacement is accompanied by a copy of a valid police report.

To open a ticket with ITS to report your lost or stolen hardware token, go to

Duo's Guide to Two-Factor Authentication

Check the Duo guide at for more detailed information.

Get Help

Still have questions? Take a look at our FAQ page or contact the Service Desk using the contact information listed below.

Phone: 415-338-1420