Verify Your Identity with the UCR Authentication Application
Multi-factor authentication (MFA), sometimes referred to as two-step verification, has become commonplace in banking, healthcare, and education because it adds an extra layer of protection against bad actors looking to steal your sensitive information. UCR's MFA provider is Duo. To further bolster campus security and help ensure access is being granted appropriately, UC Riverside is upgrading its Duo instance to offer a new suite of secure authentication options.
This change is taking place in accordance with the UC Cybersecurity Mandate 2025, which calls for all UC campuses to strengthen cybersecurity to help protect sensitive data, maintain operational continuity, comply with regulations, and mitigate financial risks.
Security Outcomes Addressed
Upgraded Authentication Options Coming to Duo
Starting February 24, 2025, Highlanders currently using the Duo mobile app will be asked to use Duo verified push to authenticate, which requires entering a unique code in the Duo mobile app when prompted upon logging into a secure UCR resource. Other configurable authentication options will include biometrics, which use the device’s touch or face ID functionality to verify identity, and the Duo Desktop app, which can be installed on your computer and works similarly to the mobile app. Alternatively, you can purchase and self-enroll a security key, so long as it supports WebAuthn/FIDO2.
Less secure authentication options will be retired with the launch of these new options. This means that Highlanders who currently use the SMS text or phone call features to receive a one-time code, as well as those who download lists of one-time use passcodes from MyAccount, will no longer be able to authenticate via these options. These individuals will need to configure one of the available authentication methods.
Employees with accessibility concerns can request an alternate authentication option by contacting the Workers' Compensation and Disability Program (WCDP). Students may contact the Student Disability Resource Center (SDRC).
MFA For All Email
Beginning December 2024, UCR enforced MFA on all campus and health email accounts, including both individual and ORG email accounts. Identity verification via MFA means that every time a Highlander logs into email and other secure UCR resources, they will be required to authenticate their login with a registered personal device.
Details of the change and its impact, as well as additional instructions and action items, are included in ITS’ direct email communications to all affected Highlanders.
News & Updates
What is verified push? How is this different from a push notification?
Verified push is an identity authentication method that requires users to input a unique code into their Duo Mobile app to verify their identity. The unique code is generated when a user tries to log into a secure UCR resource. This differs from a push notification, which only requires users to accept or reject a login attempt.
Why is the UCR authentication application required?
Mobile devices, such as cell phones and tablets, are devices we regularly carry on our person and are infrequently, if ever, accessed by others. As a result, using a personal mobile device for MFA is the most effective way to verify one’s identity. Duo Mobile is a free application supplied by UCR’s MFA provider.
I use a mail client (e.g., Mac Mail) to access my UCR email account. How does the MFA requirement affect my mail client usage?
Once you're enrolled in MFA, you will be asked to authenticate your login when you access your mail client for the first time. In most cases, the authentication is good for 8 hours. However, in some cases when you need to log back into your email account (e.g., you lost your VPN connection or you removed and re-added your email account to the mail client), you will be asked to use MFA again.
How can I request accessibility accommodations?
UCR employees with accessibility concerns can request accommodation from the Workers' Compensation and Disability Program (WCDP), while students can request accommodation from the Student Disability Resource Center (SDRC). Once the request is approved, WCDP and SDRC will work with ITS BearHelp to obtain an alternate authentication option.
I am unable to download or update my Duo Mobile application. What should I do?
Please upgrade to the latest operating system (OS) version of your mobile device to continue using the Duo Mobile application for authentication, and importantly, to continue receiving security updates and improvements for your device.
(For iOS users: Note that effective February 17, 2025, Duo Mobile will no longer support iOS 15 or older versions.)
What is the difference between managed and non-managed devices?
Managed devices refer to devices (e.g., desktops, laptops, smartphones, and tablets) that are managed, secured, and maintained either by ITS (including Secured Device Services) or by local UCR IT departments. Non-managed devices are managed and maintained by individuals with no administrative support from IT.
What is the UC Cybersecurity Mandate and where can I learn more about it?
The UC President has called for all UC campuses to achieve key cybersecurity outcomes by May 28, 2025, to help protect sensitive data, maintain operational continuity, comply with regulations, and mitigate financial risks. To learn more about the UC Cybersecurity Mandate, visit the dedicated UC Cybersecurity Mandate 2025 webpage.