2-Step FAQ

Frequently Asked Questions

General

What do I do if I don't have a university supplied smartphone and don't want to use my personal phone?

You don't need a smartphone (iPhone, Android, etc.) to use CalNet 2-Step.  While a smartphone is convenient, you can use your office phone. (See Enrolling a Landline)

You can also pick up a Simple Hardware Token which will generate passcodes for you to use on demand.  These are free of charge for University employees.

I enrolled in 2-Step, but the CAS (or CalNet) login screen still says that I need to enroll. What do I do?

Sometimes the CAS login screen (what we think of as the CalNet screen) takes a day to get the message that you have enrolled in 2-Step. Check again tomorrow, and you will see that the CAS screen has reverted back to the normal screen.

What if I don't have cellular data?

CalNet 2-Step supports multiple options for authentication without internet access or a cellular data plan. All of these options work without internet access. 

  • If you have a smartphone (Android or iPhone), you can use the Duo application and tap the key icon to display a passcode that changes every 30 seconds.
  • Print backup passcodes. Go to your CalNet 2-Step Console and click on the "Get Backup Passcodes" button to see a list of ten passcodes. You can print the passcodes out and use them to login while traveling.
  • Click the "Remember for 30 days" checkbox when you perform a CalNet login from a browser and you will not be prompted for a passcode for 30 days.
  • If you have wifi on your smartphone, you can also use the Duo application with push notification to login.
  • Get a Simple Hardware Token

Do I need to do a second-step verification every time I log into CalNet?

If you keep Duo's default prompting action during device enrollment, you can later easily set your second-step (Duo) login to remember you for 30 days. The next time you're prompted for a second-step verification, select the Remember me for 30 days checkbox, which stores a cookie in your browser. Note that you will have to make this selection for each different browser that you use.

I use Citrix to access my applications. Do I have to do a second step verification every time I log in?

We are currently exempting the Citrix browsers from 2-Step verification until we are ready to require 2-Step for the Citrix login level. Our goal is to only require 2-Step verification when you log into Citrix so that you don't have to do this for the browsers within the Citrix environment. This will go in effect as of April 16, 2018.

Can I use Google Authenticator to generate codes instead of using the Duo Mobile app?

No, CalNet 2-Step Verification works only with the Duo Mobile app.

Does 2-Step Verification work with SPAs (Special Purpose Accounts)?

2-Step Verification is set up so you can opt in with your individual CalNet account only. So if you opted for 2-Step and logged in directly to your SPA (“spa-account+mycalnetID”), you won’t be challenged for the second step. However, if you logged in with your CalNet ID to access an SPA (“+mycalnetid”), you will be challenged for the second step before you can select your SPA.

Is it possible to enable 2-Step for SPAs?

Currently, no. Keep in mind that SPAs are not protected under their current design, so it may be risky to use an SPA for routine administrative access to critical systems.

Will Duo work on a private network?

A web proxy is needed to use Duo on an RFC1918 network. Duo will not work without configuring a proxy for the browser to get to Duo's IP address.

After enabling 2-Step, I received an email with the warning Be careful with this message. It contains content that's typically used to steal personal information. Should I be concerned?

We worked with the bConnected team to correct this. However, if you still get this message, don't be concerned. You may select Ignore, I trust this message.

Which web browsers can I use for 2-Step?

If you are using a phone or tablet, or a YubiKey as an HOTP token, you can do the 2-Step using any browser. If you are using a YubiKey as a U2F token, Google Chrome is the only compatible browser. Note: If you find you’re unable to use 2-Step on a particular browser, please contact calnet2-stephelp@berkeley.edu.

What is the difference between using my YubiKey as an HOTP or U2F device?

While Simple Hardware Tokens are recommended for people who wish to use a physical token.  Information about YubiKeys is available under Other Verfication Devices.

Even though I check the Remembered Me box, I still get challenged for 2-Step each time I authenticate. Why?

The Remembered Device feature works by setting cookies on your browser. Check your browser settings to see if it's blocking cookies.  You can set an exception in your browser's security settings to allow third-party cookies from Duo Security.

Duo's cookies are only used to remember a Remembered Device. The cookies and associated data are never used for advertising or marketing purposes.

Use the following formats to add exceptions for Duo-served cookies:

  • Internet Explorer *.duosecurity.com
  • Firefox https://duosecurity.com
  • Chrome [*.]duosecurity.com

Note: Safari does not allow third-party exceptions.

How much data does a Duo Push request use?

Duo Push authentication requests require a minimal amount of mobile data – less than 2 KB per authentication. This amount of data usage falls well within a "typical" push notification. While concerns regarding data usage are certainly understandable, the bandwidth consumed by Duo Mobile for many authentication requests every day would have an overall negligible effect on mobile data use. For example, you would only consume 1 megabyte (MB) of data if you were to authenticate 500 times in a given month. That's over 16 authentications per day, which is well above the average authentication threshold of our most aggressive users.

Can I still use 2-Step on my account when I leave the university?

You can use 2-Step on your account for as long as you have your CalNet ID.

I just want to receive texts but I have a smartphone. How do I set that up?

Follow these steps instead.

I have a personal and work phone. Which one do I enroll?

We recommend that you enroll both of them. You’ll have the option to choose which phone to use for 2-Step each time you authenticate.

What is a Simple Hardware Token and how much does it cost?

It’s a device that can generate a one-time use passcode for you to use when doing the 2-Step. You can pick one up for free at designated locations; please refer to this page for more information.

What's the difference between a YubiKey and a Simple Hardware Token?

To use a YubiKey, once you’ve inserted it into a USB port, you can touch your YubiKey and it will automatically generate a code and complete the 2-Step. (See this page for images) To use a simple hardware token, you will need to manually type in the code that it generates. (See this page for images).

Where can I get a YubiKey?

Work with your department’s buyer to purchase your YubiKeys. The Yubico website shows the types of YubiKeys available. The newer ones come with both U2F and OATH-HOTP capability. We recommend the YubiKey 4 Series.

Will Duo Mobile work with an international phone number?

Yes. The Duo Mobile app will still function properly on an international smartphone.

Should I take any precautions before travelling abroad?

It is best to use passcodes when you are travelling abroad. See the Travel page for more tips.

Can I use a VPN with 2-Step?

Although the campus VPN is not yet directly integrated with CalNet 2-Step Verification, any CAS-protected site you access via the VPN will still provide 2-Step protection via the CAS service itself.

Why did the “Remember me for 30 days” option forget me?

Please make sure that cookies are turned on for your browser, and that they are not automatically deleted. Instructions on how to configure cookies for different browsers can be found here (Chrome Firefox Safari Opera Edge). Also, the remember me function is specific to the browser and computer or device you enabled it on. So, using a different browser or device will not “remember” you.

Does “Remember Me” not defeat the purpose of 2-Step?

Actually, no! Even if an attacker knew your username and passphrase, they would still have to access the same physical computer and use the same browser to take advantage of remember me. The probability for this is so low that it makes “Remember Me” a safe and convenient addition.

Troubleshooting

I left my phone or hardware token at home.

Did you set up a second device or print out backup passcodes? If so, use those for 2-Step Verification. If not, contact calnet2-stephelp@berkeley.edu.

My phone was lost or stolen.

Did you set up a second device or print out backup passcodes? If so, use that when you log into to the CalNet Account Manager’s Manage 2-Step Verification form, and in the Device Control Panel (My Settings and Devices), delete the lost phone.

If you don’t have a second device or backup passcodes, contact calnet2-stephelp@berkeley.edu.

Why am I having trouble receiving Duo Push notifications?

Check your phone to make sure you allow Duo Mobile to send you notifications on your phone.

You may be having trouble receiving push requests if there are network issues between your phone and the Duo service.

Many phones have trouble determining whether to use WiFi or a cellular data channel when checking for push requests. Simply switching the phone to airplane mode and then back to normal operating mode again often resolves these issues, if a reliable internet connection is available. Similarly, the issue may be resolved by turning off the WiFi connection on your device and using the cellular data connection. A Duo Push notification is only 2 KB.

You can also check the time and date on your phone and make sure those are correct. If the date and time on your phone are manually set, try changing your device's configuration to sync date and time automatically with the network.

If you are still having trouble, contact calnet2-stephelp@berkeley.edu.

I have replaced my smartphone and need to reactivate it with Duo. What do I do?

When you get a new smartphone with the same phone number, you will need to reactivate the device from the Duo Control Panel in order to use it for 2-Step.

If you have backup passcodes, go to mycalnet.berkeley.edu and use a passcode for the second step.  If you don't have backup passcodes, go to mycalnet.berkeley.edu  and at the Duo login, click on "Enter Passcode."  Then tell Duo to text you new passcodes to use. Use a passcode to complete the second step.

When you are logged in,  select Manage 2-Step. At the Device Control Panel, select Enter Passcode and use another passcode to authenticate with Duo one more time. You'll be taken to My Settings and Devices. From there, click on Device Options next to the device on which you need to reactivate Duo. Click on Reactivate Duo Mobile to display a QR code. Open Duo Mobile on your phone, click Get Working, and then scan the QR code.

Note: If you have set up a secondary device, you may use that to authenticate. If you don’t have backup passcodes or a secondary device, please contact calnet2-stephelp@berkeley.edu to get help on this issue.

I use Citrix to access my applications. When I log into an application, I get the CAS screen but it hangs afterwards. What should I do?

The application you are trying to access may be restricted to only campus IP addresses and therefore is not allowing the Duo application for the second step verification. We are working on fixing this.

I'm not sure I enrolled properly. How do I test it?

Log into your CalNet Account Manager and go to the Manage 2-Step Verification page. In the Device Control Panel, select the device you want to test. Then click on the green button corresponding to the authentication method you want to test, and depending on what you chose, you would approve the Duo Push, type in a code, or insert a hardware token into your USB port. If you are successful, you should then see “My Settings and Devices” in your Device Control Panel, which means you’re good to go!

Why did the “Remember me for 30 days” option forget me?

Please make sure that cookies are turned on for your browser, and that they are not automatically deleted. Instructions on how to configure cookies for different browsers can be found here (Chrome Firefox Safari Opera Edge). Also, the remember me function is specific to the browser and computer or device you enabled it on. So, using a different browser or device will not “remember” you.

My Duo app doesn't have an option to add accounts as detailed in the instructions.

You may have downloaded the wrong app - Google has a similarly named Duo app that is used for video calls. The DUO App you need for CalNet has a green, square icon and is made by Duo Security, Inc. For reference, this is the app that should not be used:

Duo by Google

When I try to use my UC Berkeley account to log into my desktop Adobe CC app, the login page errors. What should I do?

This is a known and documented bug that we are currently working with Adobe to solve. In the meantime, please use this workaround method:

On your desktop/laptop computer, instead of using the Adobe CC (Creative Cloud) App first to try to sign-in to Adobe, use another Adobe app (such as Adobe Acrobat DC) to sign in first. You can download Acrobat manually from here. Then sign in to Adobe via the Acrobat application using your berkeley.edu account to activate Adobe CC.   

Need More Help?

Contact calnet2-stephelp@berkeley.edu