Changes to Multi-Factor Authentication (MFA) are Coming to UC Riverside

Key Takeaway:

The decommissioning of SMS, phone call, and downloadable MyAccount passcodes on February 24, 2025 means that Highlanders must authenticate by configuring at least one of the following options:

  • Verified push via the Duo Mobile app on a personal smartphone or tablet (those currently using push notifications will automatically transition to this method)
  • Verified push via the Duo Desktop app on a personal computer
  • Biometric authentication by configuring Face ID, Touch ID, etc. on a compatible personal device
  • A security key that is self-purchased and compliant with WebAuthn/FIDO2 
  • A UCR-registered TOTP hardware security token (this option is reserved for those with accessibility concerns and must be requested)

MFA Options Will Change on February 24, 2025

To further bolster campus security and help ensure access is being granted appropriately, UC Riverside is upgrading the Duo MFA process on February 24, 2025 to offer a new suite of authentication options.

This change is taking place in accordance with the UC Cybersecurity Mandate, which calls for all UC campuses to strengthen cybersecurity to help protect sensitive data, maintain operational continuity, comply with regulations, and mitigate financial risks. In this video, Provost Elizabeth Watkins shares UCR’s plan to meet the security mandate in more detail. Strengthening UCR’s identity verification process is one of the key actions needed to secure the campus’ valuable data and systems.

Related: Watch “Duo Authentication Updates” video

What’s New: Duo Verified Push, Biometric Authentication, and Duo Desktop App

Currently, many Highlanders use push notifications to authenticate their logins through the Duo Mobile app. However, beginning February 24, those Highlanders will use Duo verified push to authenticate, which requires entering a unique code in the Duo Mobile app when prompted upon logging into a secure UCR resource. Please note that Duo verified push requires certain versions of the Duo Mobile app:

  • Duo Mobile 4.16.0 or later on Android 8 or later
  • Duo Mobile 4.17.0 or later on iOS 13 or later

New configurable authentication options are also available. These include biometrics, which use the device’s Touch ID or Face ID functionality to verify identity, and the Duo Desktop app, which can be installed on your computer and works similarly to the mobile app. Highlanders using a self-managed device may download the Duo Desktop app directly, while those on managed devices may submit an IT ticket starting on February 25 to request application installation support (select the category “Accounts & Passwords” and subcategory “MFA”). Alternatively, Highlanders may purchase and self-enroll a security key, so long as it is compliant with WebAuthn/FIDO2.

Step-by-step guidance on how to configure these new options will be available in the ITS Knowledge Base at the time of the change.

What’s Going Away: SMS, Phone Call, and Downloadable MyAccount Passcodes 

To better protect our community, less secure and more costly forms of authentication will be retired on February 24. The option to verify identity using a one-time code generated through SMS text message or phone call will no longer be available. The option to download a list of single-use passcodes in MyAccount will also be retired. However, please note that passcodes generated manually through the Duo Mobile app (also known as time-based tokens) will still be available (learn how to generate a passcode using the Duo Mobile app).

The decommissioning of SMS, phone call, and downloadable MyAccount passcodes means that Highlanders must authenticate by configuring at least one of the following options:

  • Verified push via the Duo Mobile app on a personal smartphone or tablet (those currently using push notifications will automatically transition to this method)
  • Verified push via the Duo Desktop app on a personal computer
  • Biometric authentication by configuring Face ID, Touch ID, etc. on a compatible personal device
  • A security key that is self-purchased and compliant with WebAuthn/FIDO2 
  • A UCR-registered TOTP hardware security token (this option is reserved for those with accessibility concerns and must be requested; see instructions below)

Accessibility Accommodation Request

UCR employees with accessibility concerns can request accommodation from the Workers' Compensation and Disability Program (WCDP), while students can request accommodation from the Student Disability Resource Center (SDRC). Once the request is approved, WCDP and SDRC will work with ITS BearHelp to obtain an alternate authentication option.

Beware of Phishing Emails Related to Duo MFA

If you receive a message telling you that your Duo MFA will be deactivated due to the implementation of new MFA methods at UCR, please refrain from taking quick actions such as clicking links (including scanning QR codes), downloading an attachment, or even responding to the sender. UCR will never ask you for your password or sensitive information in order to keep an account active.

Report phishing emails using PhishAlarm, the hook-and-envelope icon you will find in your UCR R’Mail or Outlook email. PhishAlarm reports are forwarded to the UCR Information Security Office (ISO). If you are unsure whether the communication you received is legitimate, take a pause and look through your other emails and official UCR communication channels to determine whether this is something that has been communicated previously. When in doubt, reach out directly to ISO at infosecoffice@ucr.edu to ask about the legitimacy of the message.

Related: Read and Understand, Then Act: The Simple and Proven Method for Preventing Phishing Scams

To learn more about the UC Cybersecurity Mandate, UCR’s security investment roadmap, and the role you play in helping us better protect our campus, please visit the ITS website.

Note: This article was updated on February 19, 2025.
