New Multi-Factor Authentication Enhancements

January 17, 2025

Effective March 18, 2025, employees can no longer use SMS (text messages) or simple hardware tokens for CalNet MFA verification. 

In UC’s ongoing commitment to safeguarding and protecting your data, UC Berkeley is introducing enhanced security methods for CalNet MFA verification (aka CalNet 2-Step).

Why Do We Need To Change?

Several higher education institutions have experienced phishing attacks, which resulted in the theft of credentials and redirection of paycheck deposits. Berkeley is committed to keeping our community safe from such attacks. Therefore, we are strengthening our multi-factor authentication (MFA) protections and turning on risk-based authentication for CalNet MFA verification.

What Do I Need to Do?

Follow the below instructions to move off SMS (text messages) or simple hardware tokens before March 18.  We recommend moving to the Duo Mobile app - it’s the easiest way to do the CalNet 2-Step.

If you have a smartphone:

Instructions to enroll with Duo

If you do not have a smartphone:

Request a security key here

If you have additional questions about risk-based authentication, please email CalNet or create an incident report in ServiceNow.  

Frequently Asked Questions:

collapse all expand all

What if I already have Duo Mobile on my smartphone?

We encourage you to familiarize yourself with the Verified Duo Push screen. Once risk-based authentication is turned on, Duo may present you with a different screen.

Do you have simple instructions for Duo that I can share with others?

We do! Share our flyers for moving onto the Duo Mobile App - available in English | Spanish | Simple Chinese

What if I don't want the Duo App on my personal phone?

You can request a security key–or buy your own. We recommend several options on the security key page. Just keep in mind that you will only be able to authenticate using those physical keys. So, if you lose the key, you'll need another method in place.

What if I miss the deadline of March 18?

You cannot sign into campus systems using SMS text messages or simple hardware tokens. When you try logging into CalNet, you will be asked to select "manage devices" to add another method in the mycalnet.berkeley.edu portal - to Duo Mobile App, Security Key, or Bypass codes.

What if I use a password manager (like LastPass) to create a digital passkey?

This method is approved under the new enhancements. It works by storing your private key safely on your device and allows you to sync your passkeys across different devices within a platform's ecosystem, such as LastPass, iCloud Keychain, or Google Password Manager.

What if I use my fingerprint reader on my computer?

This method is approved under the new enhancements. However, you will only be able to authenticate using that physical device. So, if you plan on traveling and not taking your computer, it's best to use Duo Mobile or to print bypass codes.

What information does Duo collect? How does Duo keep my privacy safe?

Duo collects two types of information from you. The first type pertains to your authentication attempts; this information is always sent and cannot be turned off. The second type is analytical data, which you can choose to disable. To stop sending your analytical data to Duo, open the app, go to Settings, and turn off the option for sending usage data. Learn more about data privacy with Duo Push.

What is Risk-Based Authentication?

Risk-based authentication (RBA) is a method that assesses the risk of a login attempt and adjusts the security measures accordingly.

Risk-Based Factor Selection: Looks at authentication requests and adjusts security measures based on risk. It learns what “normal user behavior” is and spots patterns that may indicate an attack. If it detects a known attack pattern or unusual activity, the person will be prompted to use the most secure method, like Verified Duo Push.

Verified Duo Push Selection Methods: Requires users to enter a numeric code from their mobile device authentication prompt, adding an extra layer of security by requiring interaction with both the access and the authentication devices (e.g., phone and computer, tablet and computer).

Risk-Based Remembered Devices: Checks for logins from unusual network locations. If it finds a suspicious login, it ends the remembered device session, and users must log in again. It looks at the last 30 days of successful authentications to determine activity.

What are the benefits of Risk-Based Authentication?

Risk-based authentication (RBA) checks your login attempts for signs of push harassment and other threats. It may automatically increase your security methods depending on the potential threat level at the time of login. Verified Duo Push is one of these methods. It requires you to enter a unique code displayed on your computer or device into the Duo Mobile app.

RBA enhances security by:

  • Preventing accidental approvals and blocking unauthorized access.
  • Dynamically adjusting authentication requirements based on observed risk factors.
  • Improving the user experience by only asking for additional verification when necessary.