Changes coming to UCPath logins on July 31
In its ongoing efforts to protect UCOP and employee data, ITS is taking steps to strengthen security for UCPath logins. The following changes to the Duo authentication process will go into effect on July 31, 2024.
What’s changing
ITS will be enabling Duo’s Verified Push for UCPath logins. Currently, you simply accept or deny a Duo Push. Verified Push will require that you enter a code into the Duo Mobile app.
After you enter your username and password, a three-digit code will be displayed in your browser:
Duo Mobile will prompt you to enter the code and validate to continue:
Additional security enhancements
Risk-Based Authentication: If Duo detects a known attack pattern or anomaly (for example, you’re trying to log in on a laptop in New York and your phone is in Oakland), the app will automatically require a more secure factor of authentication. In this case, you may see a different prompt than usual (for example, Duo’s Verified Push instead of a Duo Push). The “stepped-up” authentication factor will be required until you have successfully authenticated using the more secure factor.
One-time mobile passcodes that expire: If you use a Duo Mobile Passcode as your second authentication factor when logging in to apps that require multifactor authentication, you will now see a 30-second timer below the passcode indicating how long it is valid. The passcode must be entered into the Duo prompt within this time frame. If the passcode expires, a new one will be created and will appear automatically.
Security tips
Take note of the following reminders:
- UCOP does not send passcodes via text.
- UCOP does not provide passcodes by phone call.
- UCOP does not allow the use of permanent bypass codes without an approved security exception.
- UCOP does not require users to use one type of Duo authentication over another (i.e., you will never be directed to enter a passcode via text instead of Duo Push). If you are asked for a specific Duo authentication factor, it is most likely fraudulent and should be reported to the Service Desk.
Security tokens are available for anyone who prefers to use this hardware instead of a smartphone to authenticate Duo. To order, contact the Service Desk. Once you have the hardware, you can connect your security key to your Duo account through the Duo app.
Need help?
If you have problems logging in, contact the Service Desk at servicedesk@ucop.edu or 510-987-0457.
Tags: cybersecurity, digital security, Duo, Duo logins, security, UCPath