
Two-Factor Authentication (2FA) Frequently Asked Questions (FAQ)


2.0 - Updated on 02/10/2022 by Lori Brooks

1.0 - Authored on 12/08/2021 by Reji Titus


What, Why, and When

What is Two-Factor Authentication (2FA)?

Two-factor authentication (2FA) is the process in which a user accesses a computer system or application and must prove they are who they say they are by using two forms of authentication to log in, such as (1) something they know, (2) something they have, or (3) something they are.

Why is SF State requiring the use of Two-Factor Authentication?

Two-factor authentication helps prevent anyone but you from accessing your account by adding a secure second layer of defense: it protects the accounts you log into by requiring authentication through a second device or mobile app. Login credentials are increasingly easy to compromise, e.g., through phishing emails. To improve SF State’s IT security posture, two-factor authentication is now being used.

Do I have to use Two-Factor Authentication?

Yes. 2FA is a requirement to improve the security of your account and the data you access.

When will I need to use Two-Factor Authentication?

Is Two-Factor Authentication being used on campus today? 

Yes. Staff, faculty, and some students already use 2FA.

Will Two-Factor Authentication benefit me? 

Yes. 2FA will strengthen your SF State account security, reducing the likelihood of your data being breached. In addition, accounts provisioned with 2FA will have their password expiration period extended from 6 months to 12 months so you will only need to change your password once a year.

How often do I have to log in using Two-Factor Authentication?

You will need to authenticate using 2FA every time you sign in using the SF State Global Login. However, you may select “remember me” when signing in to require authentication only once every 12 hours. Do NOT select "remember me" on a public computer. Only set the 12-hour timeframe for your own computer.

Please note: you must have cookies enabled on whichever browser you use in order to have the browser remember your 2FA authentication for 12 hours.

Can we use email or a phone for Two-Factor Authentication?

Email is not a "second factor" for authentication because your SF State username and password are also your email username and password. If one of these is compromised, both become vulnerable. 

SF State's new telephone system is no longer tied to a hardware device. Our new, modern telephone system can follow employees wherever they go on campus without moving a physical phone with them. This means it isn't an effective "second factor."

 

Devices: Mobile Phones and Hardware Tokens

 

What do I need to get set up? 

What is the Duo Mobile app? 

The Duo Mobile app delivers two-factor push notifications directly to your mobile phone or tablet. Alternatively, it can simply provide a code within the app itself without a push notification. This provides for fast and secure access. The Duo Mobile application can be installed on a smartphone or tablet and is available on both iOS and Android.

What devices are compatible with the Duo Mobile App?

Android and iOS mobile phones and tablets can run the Duo Mobile App. 

What is a hardware token? 

A hardware token is a physical device that a user carries to authenticate their identity and authorize access to a network. ITS offers a hardware token that can be added to a key ring. Push a button on the device and it generates a passcode. The hardware token is 2 1⁄2 x 1 1/16” x 5/15” in size. Using a hardware token is optional if you have the mobile app. See the 2FA guide at https://its.sfsu.edu/guides/2fa for more information.

What if I do not want to use my personal device for Two-Factor Authentication?

You can request a hardware token which will be authorized only for your use. You may only request/receive one hardware token.

What form of identification will I need to pick up my hardware token? 

Any official form of photo identification, such as a government-issued ID or SF State ID. You will need to have your identity verified by support staff when inquiring about any additions or changes to your 2FA profile.

Is the Duo Mobile app available for Apple Watch? 

Yes. https://guide.duo.com/apple-watch 

How many devices can I enroll in Two-Factor Authentication?  

There is no limit to the number of devices you may enroll in Duo. It is recommended that you have at least two devices, one of which can be a hardware token. Smartphones, tablets, and even the Apple Watch can be added.

 

Change Devices: Broken, Lost, or Stolen

What happens if my device on which Duo has been set up is lost or stolen? 

Please see the 2FA Guide at https://its.sfsu.edu/guides/2fa

If you lose the only device that is registered for Duo, or if it is broken or stolen, email service@sfsu.edu, call the ITS Service Desk at 415-338-1420, or report the loss online.

IMPORTANT: To report a Lost Hardware Token to ITS, go to https://sfsu.service-now.com/sp?id=sc_cat_item&sys_id=85c46071db4dff0081fd16994b96192a

Can I add a second authentication device for Duo?

Yes. After registering your first device, you may add a second. The 2FA website at 2fa.sfsu.edu allows you to add additional devices, such as a tablet, as a self-service option.


 

Do I have to remove my device from Duo if I am no longer employed with SF State? 

No, but it is a good idea to remove your device. To remove your device, use the 2FA website at 2fa.sfsu.edu, log in, go to Settings > My Settings & Devices, select your device settings button and select Delete Device.


 

How do I activate Duo if I want to replace my mobile device with a newer model? 

Please see the Duo documentation below:

https://guide.duo.com/add-device

I’m worried about forgetting my hardware token. What can I do?

It is recommended that you enroll more than one device with Duo so you have a backup. If you lose one device or it becomes inoperable, the second device can be used to log in and later to enroll a replacement device. 

What is the “Duo Restore” function on the Duo App?  

Duo Mobile's restore functionality lets you back up Duo-protected accounts for recovery to the same device or to a new device. Please see the Duo guide at https://guide.duo.com/duo-restore

 

Support: I Need Help

Where do I go for support?

Do I need Duo to log in to the campus wireless network? 

No. You only need Duo to log in to any application behind the SF State Global Login.

Can I use the Duo app without internet access?

Yes. The Duo app will be able to generate a code that you can use as a second passcode for authentication. The hardware token does not require internet access to provide a second passcode. Please note: the push feature on the Duo Mobile app will not work without internet access.


How can I get a temporary passcode if I don’t have Duo or a token available?

As an additional self-service tool for users who need a temporary passcode when they do not have a Duo device or a token with them, the Authentication with Duo page now shows the text "Don’t have your device? Try another way". This link guides users through the steps to get a bypass code.


Choose either Temporary passcode request (respond to security questions to generate a one-time passcode) or Submit a service ticket (for security reasons, your identity needs to be verified; you’ll be contacted within one business day).

 


Can I use Duo overseas?

Yes. Duo does not require access to the cellular or Wi-Fi network to function.  
  1. Smartphone or tablet with Wi-Fi or cellular access: Use your device just as you normally do. If you plan to be overseas for a while and obtain an international phone number, you can enroll that phone number in your Duo account. See: Can I add a second authentication device for Duo?
  2. Smartphone or tablet with no network access: Use the Duo mobile app to generate a passcode instead of a push. Select the Enter a Passcode option when you get the Duo authentication prompt. 
  3. Hardware token: Use your hardware token just as you normally do. Select the Enter a Passcode option when you get the Duo authentication prompt and enter the passcode provided by the token. 
 

Will the hardware token work overseas? 

Yes. The hardware token works exactly the same overseas. 
 

Do I need Duo or a hardware token to use the VPN?

Yes. You will be asked to authenticate with Duo when you first log into VPN. 
 

What do I do if I get a Duo Verification push notification on my device when I didn't log in?

If you did not initiate the log-in request intentionally or accidentally, then this push notification could mean someone else is trying to log into your account. 
  1. The first thing you should do is deny the push request.  
  2. Duo Mobile may ask why you are denying the request. If you suspect fraudulent activity, select It seems fraudulent. Select It was a mistake if you know it wasn’t fraudulent. 
  3. Change your password to ensure your account is secure.