As part of UC’s ongoing commitment to safeguarding and protecting your data, UC Berkeley is introducing enhanced security methods for CalNet MFA verification. On March 18, 2025, we will turn on Risk-Based Authentication, including Verified Duo Push for employees, and you will no longer be able to use SMS (text messages) or simple hardware tokens for CalNet 2-Step verification.
Why Do We Need To Change?
Several higher education institutions have experienced phishing attacks, which resulted in the theft of credentials and redirection of paycheck deposits. Berkeley is committed to keeping our community safe from such attacks. Therefore, we are strengthening our multi-factor authentication (MFA) protections and turning on risk-based authentication for CalNet MFA verification.
Benefits of Risk-Based Authentication
Risk-based authentication (RBA) checks your login attempts for signs of push harassment and other threats. Depending on the potential threat level at the time of login, it may automatically require stronger security methods. Verified Duo Push is one of these methods. It requires you to enter a unique code displayed on your computer or device into the Duo Mobile app.
RBA enhances security by:
- Preventing accidental approvals and blocking unauthorized access.
- Dynamically adjusting authentication requirements based on observed risk factors.
- Improving the user experience by only asking for additional verification when necessary.
What Do I Need to Do?
If you have a smartphone:
We recommend moving to the Duo Mobile app - it’s the easiest way to do the CalNet 2-Step.
- Enroll your smartphone: Follow these instructions.
- If you already use the Duo Mobile app, update it now. If not, download it through your App Store: Visit Android Duo Mobile or Apple Duo Mobile.
If you do not have a smartphone:
- You must request a Security Key by emailing calnet-2-stephelp@berkeley.edu.
- Also, we recommend downloading your Duo Bypass Codes as a backup.
If you have additional questions about risk-based authentication, please email CalNet or create an incident report in ServiceNow.
How to Use Verified Duo Push
Verified Duo Push may present you with a different screen at times. We encourage you to familiarize yourself with How to Use Verified Duo Push, so you aren’t surprised.
What information does Duo collect? How does Duo keep my privacy safe?
Duo collects two types of information from you. The first type pertains to your authentication attempts; this information is always sent, and sending it cannot be turned off. The second type is analytical data, which you can choose to disable. To stop sending your analytical data to Duo, open the app, go to Settings, and turn off the option for sending usage data. Learn more about data privacy with Duo Push.
These changes are part of the Information Security Investment Plan (ISIP). Learn more about the plan, including scope, goals, and timeline.