New Multi-Factor Authentication Enhancements

January 17, 2025

Effective March 18, 2025, employees can no longer use SMS (text messages) or simple hardware tokens for CalNet MFA verification. 

In UC’s ongoing commitment to safeguarding and protecting your data, UC Berkeley is introducing enhanced security methods for CalNet MFA verification (aka CalNet 2-Step). 

What if I missed the deadline for moving off SMS or simple token?

After March 18, 2025, you will have two options:

  1. You can log in with a bypass code. If you don’t have a bypass code, open a ticket with ITCS.
  2. We will allow you to temporarily log into mycalnet.berkeley.edu to add another device to your account. See our KB article for instructions on how to enroll a new device.

Why Do We Need To Change?

Several higher education institutions have experienced phishing attacks, which resulted in the theft of credentials and redirection of paycheck deposits. Berkeley is committed to keeping our community safe from such attacks. Therefore, we are strengthening our multi-factor authentication (MFA) protections and turning on risk-based authentication for CalNet MFA verification.

What Do I Need to Do?

Follow the below instructions to move off SMS (text messages) or simple hardware tokens before March 18.  We recommend moving to the Duo Mobile app - it’s the easiest way to do the CalNet 2-Step.

If you have a smartphone:

Instructions to enroll with Duo

If you do not have a smartphone:

Request a security key here

If you have additional questions about risk-based authentication, please email CalNet or create an incident report in ServiceNow.  

Frequently Asked Questions:

collapse all expand all

What if I already have Duo Mobile on my smartphone?

We encourage you to learn about the Verified Duo Push screen. When risk-based authentication is turned on, Duo may show you a "Verified Duo Push" instead of the usual push notification. This is known as step-up authentication, which happens based on the situation. If you are logging in from your regular devices and locations, there should be no changes. The new screen, called Verified Duo Push, appears when Duo thinks your access request is high risk.

Examples of high-risk scenarios include:
  • Accessing from a new device or IP address
  • Traveling to a new location
  • Unusual activity, such as multiple failed access attempts

Do you have simple instructions for Duo that I can share with others?

We do! Share our flyers for moving onto the Duo Mobile App - available in English | Spanish | Simple Chinese

Why should I trust installing this on my personal phone?

We understand that you may be hesitant to install Duo on your personal phone, but rest assured, Duo does not track your location, monitor your activity, or collect personal data. It simply adds an extra layer of security to protect your accounts, ensuring only you can access them.

  • Duo does NOT track your personal activity. It only checks basic details like the type of device you're using (e.g., iPhone, Windows PC) and whether it’s secure.

  • Duo does NOT collect your personal data. It does not track your location, what apps you use, or your browsing history.

  • Duo’s data collection is minimal and for security purposes only. It helps IT teams ensure devices are safe from cyber threats and does not spy on you.

If you’re concerned about privacy, rest assured that Duo is designed to protect your account without invading your personal space. Learn even more Duo Mobile Privacy Information 

What if I don't want the Duo App on my personal phone?

You can request a security key–or buy your own. We recommend several options on the security key page. Just keep in mind that you will only be able to authenticate using those physical keys. So, if you lose the key, you'll need another method in place.

What if I miss the deadline of March 18?

You cannot sign into campus systems using SMS text messages or simple hardware tokens. When you try logging into CalNet, you will be asked to select "manage devices" to add another method in the mycalnet.berkeley.edu portal - to Duo Mobile App, Security Key, or Bypass codes.

What if I use a password manager (like LastPass) to create a digital passkey?

This method is approved under the new enhancements. It works by storing your private key safely on your device and allows you to sync your passkeys across different devices within a platform's ecosystem, such as LastPass, iCloud Keychain, or Google Password Manager.

What if I use my fingerprint reader on my computer?

This method is approved under the new enhancements. However, you will only be able to authenticate using that physical device. So, if you plan on traveling and not taking your computer, it's best to use Duo Mobile or to print bypass codes.

What information does Duo collect? How does Duo keep my privacy safe?

Duo collects two types of information from you. The first type pertains to your authentication attempts; this information is always sent and cannot be turned off. The second type is analytical data, which you can choose to disable. To stop sending your analytical data to Duo, open the app, go to Settings, and turn off the option for sending usage data. Learn more about data privacy with Duo Push.

What is Risk-Based Authentication?

Risk-based authentication (RBA) is a method that assesses the risk of a login attempt and adjusts the security measures accordingly.

Risk-Based Factor Selection: Looks at authentication requests and adjusts security measures based on risk. It learns what “normal user behavior” is and spots patterns that may indicate an attack. If it detects a known attack pattern or unusual activity, the person will be prompted to use the most secure method, like Verified Duo Push.

Verified Duo Push Selection Methods: Requires users to enter a numeric code from their mobile device authentication prompt, adding an extra layer of security by requiring interaction with both the access and the authentication devices (e.g., phone and computer, tablet and computer).

Risk-Based Remembered Devices: Checks for logins from unusual network locations. If it finds a suspicious login, it ends the remembered device session, and users must log in again. It looks at the last 30 days of successful authentications to determine activity.

What are the benefits of Risk-Based Authentication?

Risk-based authentication (RBA) checks your login attempts for signs of push harassment and other threats. It may automatically increase your security methods depending on the potential threat level at the time of login. Verified Duo Push is one of these methods. It requires you to enter a unique code displayed on your computer or device into the Duo Mobile app.

RBA enhances security by:

  • Preventing accidental approvals and blocking unauthorized access.
  • Dynamically adjusting authentication requirements based on observed risk factors.
  • Improving the user experience by only asking for additional verification when necessary.