Two-Factor Authentication (2FA) Frequently Asked Questions (FAQ)

What, Why, and When

What is Two-Factor Authentication (2FA)?

Two-factor authentication (2FA) is the process in which a user accesses a computer system or application and must prove they are who they say they are by using two forms of authentication to log in, such as (1) something they know, (2) something they have, or (3) something they are.

Why is SF State requiring the use of Two-Factor Authentication?

Two-factor authentication helps prevent anyone but yourself from accessing your account by providing a secure second layer of defense, protecting the various types of accounts a user logs into by offering authentication through a second device or mobile app. Login credentials are increasingly easy to compromise, e.g., phishing emails. To improve SF State’s IT security posture, two-factor authentication is now being used.

Do I have to use Two-Factor Authentication?

Yes. 2FA is a requirement to improve the security of your account and the data you access.

When will I need to use Two-Factor Authentication

  • Staff is required to use 2FA as of January 15, 2020
  • Faculty will be scheduled sometime later in 2020 in collaboration with our partners in Academic Affairs
  • Students will be assessed after staff and faculty have been onboarded

Is Two-Factor Authentication being used on campus today? 

Yes. The Common Financial System (CFS) application, OnBase, and other web services that contain Level 1 data are currently protected with 2FA. Learn about confidential data at As of January 15, 2020 SF State staff are also using Two-Factor Authentication.

Will Two-Factor Authentication benefit me? 

Yes. 2FA will strengthen your SF State account security, reducing the likelihood of your data being breached. In addition, accounts provisioned with 2FA will have their password expiration period extended from 6 months to 12 months so you will only need to change your password once a year.

How often do I have to log in using Two-Factor Authentication?

You will need to authenticate using 2FA every time you sign in using the SF State Global Login. However, you may select “remember me” when signing in to require authentication only once every 12 hours. Do NOT select "remember me" on a public computer. Only set the 12-hour timeframe for your own computer.

Please note: you must have cookies enabled on whichever browser you use in order to have the browser remember your 2FA authentication for 12 hours.

Devices: Mobile Phones and Hardware Tokens


What do I need to get set up? 

  • A mobile device with the Duo Mobile app installed, OR
  • Duo hardware token

What is the Duo Mobile app? 

The Duo Mobile app delivers two-factor push notifications directly to your mobile phone or tablet. Alternately, it can simply provide a code within the app itself without a push notification. This provides for fast and secure access. The Duo Mobile application can be installed on a smartphone or tablet and is available on both iOS and Android.

What devices are compatible with the Duo Mobile App?

Android and iOS mobile phones and tablets can run the Duo Mobile App. 

The latest Android app can be downloaded via Google Play at

The latest Apple app for iPhone or iPad can be downloaded via Apple’s App Store at

What is a hardware token? 

A physical device that a user carries to authenticate their identity and authorize access to a network. ITS offers a hardware token that can be added to a key ring. Push a button on the device and it generates a passcode. The hardware token is 2 1⁄2 x 1 1/16” x 5/15” in size. Using a hardware token is optional if you have the mobile app. See the 2FA guide at for more information.

What if I do not want to use my personal device for Two-Factor Authentication

You can request a hardware token which will be authorized only for your use. You may only request/receive one hardware token.

What form of identification will I need to pick up my hardware token? 

Any official form of photo identification such as a government issued ID, or SF State ID. You will need to have your identity verified by support staff when inquiring about any additions or changes to your 2FA profile.

Is the Duo Mobile app available for Apple Watch? 


Change Devices: Broken, Lost, or Stolen

What happens if my device on which Duo has been set up is lost or stolen? 

Please see the 2FA Guide at

If you lose the only device that is registered for Duo, or if it is broken or stolen, email, call the ITS Service Desk at 415-338-1420, or report the loss online.

IMPORTANT: The first hardware token and replacement of defective ones are provided free of charge. However, lost/stolen tokens needing replacement will require an MPP’s approval for billing of a $20 administrative fee to your department. The administrative fee may be waived for a stolen token if the request for a replacement is accompanied by a copy of a valid police report. To report a Lost Hardware Token to ITS, go to

Can I add a second authentication device for Duo?

Yes. After registering your first device, you may add a second. The 2FA website at allows you to add additional devices such as a tablet as a self-service.

Do I have to remove my device from Duo if I am no longer employed with SF State? 

No, but it is a good idea to remove your device. To remove your device, use the 2FA website at, log in, go to Settings > My Settings & Devices, select your device settings button and select Delete Device.

How do I activate Duo if I want to replace my mobile device with a newer model? 

Please see the Duo documentation below:


Support: I Need Help

Where do I go for support? 

Do I need Duo to log in to the campus wireless network? 

No. You only need Duo to log in to any application behind the SF State Global Login.

Can I use the Duo app without internet access?

Yes. The Duo app will be able to generate a code that you can use as a second passcode for authentication. The hardware token does not require internet access to provide a second passcode. Please note: the push feature on the Duo Mobile app will not work without internet access.