Verify Your Identity with the UCR Authentication Application
Multi-factor authentication (MFA), sometimes referred to as two-step verification, has become commonplace in banking, healthcare, and education because it adds an extra layer of protection against bad actors looking to steal your sensitive information. Any time someone tries to access a secure campus resource, UCR requires the individual to verify their identity via MFA to help ensure access is being granted appropriately. The individual can then quickly and easily confirm their identity with a push notification to their mobile phone or tablet using DUO, UCR’s authentication application.
Upgraded Authentication Options Coming to Duo Mobile
To further bolster campus security and help ensure access is being granted appropriately, UCR will upgrade the Duo MFA process to offer a new suite of authentication options. In February 2025, Highlanders will be asked to use Duo verified push to authenticate, which requires entering a unique code in the Duo mobile app when prompted upon login to a secure UCR resource. However, other configurable authentication options will include biometrics, which use the device’s touch or face ID functionality to verify identity.
Currently, options to verify identity upon login include the ability to receive a phone call or an SMS text message with a one-time code. Both of these less secure and costly forms of authentication will be retired with the launching of Duo verified push. This change will require all Highlanders to have a personal device that is not only registered with their UCR account but also uses the official Duo mobile app to receive push notifications. Folks with accessibility concerns can work with ITS BearHelp to obtain an alternate authentication option.
MFA For All Email
On December 2, 2024, UCR will enforce MFA on all campus and health email accounts, including both individual and ORG email accounts. Identity verification via MFA means that every time a Highlanders logs into email and other secure UCR resources, they are will be required to authenticate their login with a registered personal device.
Details of the change and its impact, as well as additional instructions and action items, are included in ITS’ direct email communications to all affected Highlanders.
Security Outcomes Addressed
Frequently Asked Questions
-
What is verified push? How is this different from a push notification?
Verified push is an identity authentication method that requires users to input a unique code into their Duo Mobile app to verify their identity. The unique code is generated when a user tries to log into a secure UCR resource. This differs from a push notification, which only requires users to accept or reject a login attempt.
-
Why is the UCR authentication application required?
Mobile devices, such as cell phones and tablets, are devices we regularly carry on our person and are infrequently, if ever, accessed by others. As a result, using a personal mobile for MFA is the most effective way to verify one’s identity. DUO Mobile is a free application supplied by UCR’s MFA provider.
-
I use a mail client (e.g., Mac Mail) to access my UCR email account. How does the MFA requirement affect my mail client usage?
Once you're enrolled in MFA, you will be asked to authenticate your login when you access your mail client for the first time. In most cases, the authentication is good for 8 hours. However, in some cases when you need to log back into your email account (e.g., you lost your VPN connection or you removed and re-added your email account to the mail client), you will be asked to use MFA again.
-
What is the UC Cybersecurity Mandate and where can I learn more about it?
The UC President has called for all UC campuses to achieve key cybersecurity outcomes by May 28, 2025, to help protect sensitive data, maintain operational continuity, comply with regulations, and mitigate financial risks. To learn more about the UC Cybersecurity Mandate, visit the dedicated UC Cybersecurity Mandate 2025 webpage.