Multi-Factor Authentication (MFA)

Verify Your Identity with the UCR Authentication Application

Multi-factor authentication (MFA), sometimes referred to as two-step verification, has become commonplace in banking, healthcare, and education because it adds an extra layer of protection against bad actors looking to steal your sensitive information. UC Riverside's MFA provider is Duo. To further bolster campus security and help ensure access is being granted appropriately, UCR is upgrading its Duo instance to offer a new suite of secure authentication options.

This change is taking place in accordance with the UC Cybersecurity Mandate 2025, which calls for all UC campuses to strengthen cybersecurity to help protect sensitive data, maintain operational continuity, comply with regulations, and mitigate financial risks.  

Security Outcomes Addressed

“Deploy and configure multi-factor authentication (MFA) on 100% of campus and health email systems.”

Upgraded Duo Authentication Options

On February 24, 2025, UCR upgraded its Duo Mobile push notification to Duo verified push. New authentication options were made available as well: the Duo Desktop app, biometric authentication, and TOTP hardware security tokens. Highlanders still have the option to purchase and self-enroll a security key, so long as it utilizes WebAuthn/FIDO2.  

Less secure authentication options have been retired, including the option to receive a one-time code through SMS text and phone call, as well as the option to download lists of one-time use passcodes from MyAccount.

Employees with accessibility concerns may request an alternate authentication option by contacting the Workers' Compensation and Disability Program (WCDP). Students may contact the Student Disability Resource Center (SDRC). Additionally, those who are unable to use the preferred MFA methods (Duo Mobile, Duo Desktop, and biometric authentication) may request an ITS-issued TOTP hardware security token.
 

MFA For All Email

Beginning December 2024, UCR enforced MFA on all campus and health email accounts, including both individual and ORG email accounts. Identity verification via MFA means that every time a Highlander logs into email and other secure UCR resources, they will be required to authenticate their login with a registered personal device.

Details of the change and its impact, as well as additional instructions and action items, are included in ITS’ direct email communications to all affected Highlanders.

Frequently Asked Questions

  • Why is the UCR authentication application required?

    Mobile devices, such as cell phones and tablets, are devices we regularly carry on our person and are infrequently, if ever, accessed by others. As a result, using a personal mobile device for MFA is the most effective way to verify one’s identity. Duo Mobile is a free application supplied by UCR’s MFA provider.

  • What are the authentication options available to employees?

    ITS strongly recommends you use the Duo Mobile app, as it is UCR’s official MFA method and it offers comprehensive security features. Alternative methods include the Duo Desktop app and configuring biometric authentication on your device. If none of these options meet your needs and you require a hardware token, please request one from ITS (visit the “How can I request a hardware token?” FAQ).

  • How can I request accessibility accommodation?

    UCR employees with accessibility concerns can request accommodation from the Workers' Compensation and Disability Program (WCDP), while students can request accommodation from the Student Disability Resource Center (SDRC). Once the request is approved, WCDP and SDRC will work with ITS BearHelp to obtain an alternate authentication option. Additionally, those who are unable to use the preferred MFA methods (Duo Mobile, Duo Desktop, and biometric authentication) may request an ITS-issued TOTP hardware security token.

  • What is verified push? How is this different from a push notification?

    Verified push is an identity authentication method that requires users to input a unique code into their Duo Mobile app to verify their identity. The unique code is generated when a user tries to log into a secure UCR resource. This differs from a push notification, which only requires users to accept or reject a login attempt.

  • I use a mail client (e.g., Mac Mail) to access my UCR email account. How does the MFA requirement affect my mail client usage?

    Once you're enrolled in MFA, you will be asked to authenticate your login when you access your mail client for the first time. In most cases, the authentication is good for 8 hours. However, in some cases when you need to log back into your email account (e.g., you lost your VPN connection or you removed and re-added your email account to the mail client), you will be asked to use MFA again.

  • I am unable to download or update my Duo Mobile application. What should I do?

    Please upgrade to the latest operating system (OS) version of your mobile device to continue using the Duo Mobile application for authentication, and importantly, to continue receiving security updates and improvements for your device.
    (For iOS users: Note that effective February 17, 2025, Duo Mobile will no longer support iOS 15 or older versions.)

  • Why do I need to exchange my ITS-issued hardware token?

    UC Riverside is upgrading its hardware security tokens from Hash-based Message Authentication Code (HMAC) based One-Time Password (HOTP) to the more secure Time-based One-Time Password (TOTP).

    If you have an ITS-issued security token, we ask that you evaluate whether or not it is still needed and, if needed, submit a request to exchange it for a TOTP token before October 10, 2025. After this date, HOTP devices will no longer work.

    We are making this change to further secure access to UCR resources. Passcodes generated through HOTP only expire after they have been used, so they are susceptible to compromise if an attacker can phish and harvest them from a user. Passcodes generated through TOTP, on the other hand, are more secure because they expire every 30 seconds, even if they were never used. This prevents attackers from harvesting passcodes and using them at a later time.

  • Where and when can I exchange my ITS-issued hardware token?

    You may exchange your ITS-issued hardware token anytime before October 10, 2025. After this date, HOTP hardware tokens will no longer work. ITS facilitates hardware token exchange and pick up at the Computing & Communication Center (open from Monday through Friday, 8:00 am to 5:00 pm). Please see the “How can I request a hardware token?” FAQ for more information.

  • How can I request a hardware token?

    Take the following steps to request a hardware token from ITS:

    1. Obtain Supervisor Approval: As with all university-owned equipment, supervisor awareness is crucial for proper inventory management by your unit leadership and ITS. Secure written approval from your supervisor using the Hardware TOTP Security Token Supervisor Approval Form to receive a TOTP hardware token.
    2. Submit a Request Ticket: Once you have your supervisor’s written approval, submit a ticket to request your new hardware token. 
      • Select the category “Accounts & Passwords” and subcategory “MFA.” 
      • In the Short Description field, indicate “TOTP hardware security token request.” 
      • Before submitting the ticket, add the Hardware TOTP Security Token Supervisor Approval Form you filled out as an attachment.
      • Submit the form and wait for a BearHelp technician to get in touch with you to process your request.
    3. Pick Up Your Hardware Token: Visit the Computing & Communication Center (open from Monday through Friday, 8:00 am to 5:00 pm) to get your hardware token. If you have an ITS-issued HOTP hardware token, please surrender it to receive your new TOTP hardware token. Your new ITS-issued TOTP hardware token will be connected to your user account and pre-registered with Duo, UCR’s MFA provider.

     

    When no longer in use, it is important that you return the hardware token to ITS.

  • What is the difference between managed and non-managed devices?

    Managed devices refer to devices (e.g., desktops, laptops, smartphones, and tablets) that are managed, secured, and maintained either by ITS (including Secured Device Services) or by local UCR IT departments. Non-managed devices are managed and maintained by individuals with no administrative support from IT.

  • What is the UC Cybersecurity Mandate and where can I learn more about it?

    The UC President has called for all UC campuses to achieve key cybersecurity outcomes by May 28, 2025, to help protect sensitive data, maintain operational continuity, comply with regulations, and mitigate financial risks. To learn more about the UC Cybersecurity Mandate, visit the dedicated UC Cybersecurity Mandate 2025 webpage.

Learn About UCR's Response to the UC Cybersecurity Mandate
