Duo 2-Step Authentication

Duo SMS Authentication will no longer be supported starting midnight of January 7th, 2025.

For assitance enrolling in Duo Push notifications, please contact the Service Center at (661)654-4357.

Table of Contents

  1. What is 2-Step Authentication?

  2. Duo Verified Push

  3. 2-Step Hardware Fob

  4. Duo Code Phishing

  5. Frequently Asked Questions

What is 2-Step Authentication?

California State University, Bakersfield employs 2-Step Authentication to bolster the security of your CSUB account and safeguard university data, systems, and services. Utilizing the hosted Duo security cloud-based two-factor authentication service, this system enhances protection.

The initial layer of security (something you know) consists of your CSUB user ID and password. The second layer (something you have) involves a smartphone. This additional layer ensures heightened security for your account and university-related information, systems, and services.

CSUB’s 2Step process involves two steps: initially logging in with your password (something you know), followed by verification through your smartphone (something you have).

Currently, CSUB’s 2Step is implemented across various services including Microsoft Office 365 (Outlook, Word, etc.), MyCSUB, Canvas, and PeopleSoft.

To be able to manage your devices on your Duo account, visit the CSUB 2Step page. You can also call the CSUB Service Center at 661-654-HELP(4357).

Remember to NEVER share your Duo code with anyone requesting it, whether they contact you through phone, text, or email.

Duo Verified Push

Multifactor authentication (MFA) adds an additional layer of security to your account by requiring an approval from another factor (like your smart phone or hardware token) to login. However, hackers have started a new method, known as MFA fatigue, to try and gain access to your accounts. MFA fatigue works by bombarding your device with texts, calls, or push notifications to grant them access to your accounts. To stay one step ahead of these hackers, we’re introducing Duo’s Verified Push to help keep your accounts and information secure.

What is Verified Push?

Verified Push is Duo’s additional security against MFA fatigue. It works by sending a push notification to your device with a 4-digit passcode to login. If you are not currently attempting to login to a CSUB service, you can click the “I’m not logging in” button to report the attempt as fraudulent and notify the Information Security team.

You can activate your mobile push notifications by logging into the CSUB 2Step management portal, or by contacting the Service Center at 661-654-HELP(4357).

Screenshot of website providing a duo code along with a mobile screenshot of the app where the code must be entered or where you can report that the authentication attempt was not you logging in.

How do i login with verified push?

Logging in with Verified Push follows the same process as logging in with regular push notifications.

  1. Enter your CSUB email and password:

    Screenshot of CSUB login prompt where you enter your password.

  2. The Duo Universal Prompt will appear on your computer and ask you to verify the login with Duo Mobile. You can also select the “Other options” to use a hardware token.

    Screenshot of Duo push prompt where the code is provided. It also shows the buttons "Other options" and "I got a new phone".

  3. In the Duo Mobile app, you will receive the Verified Push notification asking you to enter the 4-digit code shown on your screen. If you receive this message when you are not trying to access a CSUB resource, click the “I’m not logging in” button to report the attempt as fraudulent.

    Screenshot of the Duo mobile app where you must enter the code, or select "I'm not logging in".

  4. Enter the 4-digit code shown on the screen in your device and click the "Verify” button to finish the authentication process. Once you’ve successfully authenticated, Duo Mobile will approve the login and you can access CSUB resources as you normally would.

    Screenshot of the greenmark and "Approved" message given once you have successfully authenticated a login.

What if i authenticate with texts or phone calls?

Duo Verified Push is not available for authentication with texts or phone calls. We recommend using the Duo Mobile app to take full advantage of these security features.

The Duo Mobile app is completely safe to use. CSUB and the Office of Information Security is committed to making the Duo Mobile app the quickest and most secure way to verify your identity with multifactor authentication. The app uses hardly any data and does not give the university any access or visibility into your phone.

Duo Mobile cannot read your emails, track your location, or see your browser history.

2-Step Hardware Fob

If you do not have access to a smartphone, using a hardware fob offers a dependable alternative to Duo Push authentication. Users can authenticate logins by generating unique codes directly from the device itself. This method provides a tangible and reliable means of authentication, irrespective of internet connectivity or smartphone dependence. By pressing a button on the fob, users can generate a one-time passcode, enhancing the security of their login process. This approach is particularly advantageous for those who prefer a physical token for authentication or operate in environments where smartphone usage may be impractical or restricted.

If you'd like to get set up with a hardware fob for Duo authentications, you can call the Service Center at 661-654-HELP(4357). You can also create a request on ServiceNow using the 2Step Fob Request.

Duo Code Phishing

Remember to NEVER share your Duo code with anyone requesting it, whether they contact you through phone, text, or email.

Below is an example of attackers successfully tricking a student into giving them their Duo authentication code. Once they got the code they were able to login to the student's email and send out phishing emails to a majority of campus.

Screenshot of messages from a phone. Attacker messages the student "Hi [name]. This is [name] from CSUB IT Help Center. We recently receive a notification that you are no longer a student of the school and want to permanently delete your CSUB Account [student's email] Confirm if YES/NO." The student responded "no". The attacker messaged "You will receive a Duo Push on your number ending with [4 digits of student's phone number] from the system now, Please approve Duo Push, to avoid deletion and in order to protect your CSUB account Understood?". The student responded "yes". The attacker responded "A text message passcode. Sent to your phone. What is the code?". Then the student responded with their Duo code.

Frequently Asked Questions

All students, staff, and faculty accounts are required to be protected with 2Step verification. This decision follows industry standards set by business and education.

Protecting your data and identity is something we do not take lightly and we are certain using 2Step is the best solution to the growing problem of password theft and compromised accounts.
All services that are accessed by logging in to the Shibboleth authentication server will require 2Step verification. The list includes, but is not limited to:
  • AcademicWorks
  • Alma Library Reference
  • Box.com
  • CSU Learn (SumTotal)
  • CSU Sharepoint
  • CSUB Business Continutiy Plan (Kuali)
  • CSYou
  • Campus Marketplace
  • Cayuse424
  • Common Financial System
  • Digital Measures
  • eProcurement
  • Finance Data Warehouse
  • Handshake
  • InfoReady
  • Lynda/LinkedIn Learning
  • Modo Labs Admin
  • MyID
  • OrgSync
  • Parchment
  • PeopleAdmin
  • Qualtrics
  • Questica
  • SAP Concur
  • ServiceNow
  • Slack
  • SumTotal Library Reference
  • Zoom Conferencing
No, the 2Step system is designed so that when you login you will have the option to "Remember Me for 12 hours". If you check this box, then 2Step will remember you on that specific computer, using that specific browser for the next 12 hours--across all services.

If you go to a different computer or use a different browser, then you will have to authenticate with 2Step again.
When you first claim your account or are logging in for the first time, you will be taken to a Duo prompt that will guide you in enrolling your device.
Go to the Duo Device Management Portal and login with your CSUB NetID and password. On the 2Step verification page you will see your devices listed.

Click the link that says "Add another device" and you will be guided through the process of adding a device to 2Step.

If you have other devices enrolled in 2Step, such as a hardware fob or tablet, then use those to authenticate.

If you only have one device activated on your 2Step account and do not have access to that device, then please contact the ITS Service Center at 661-654-HELP(4357) for assistance.

If you get a push notification from the Duo app that you did not request, that means someone else is trying to log in using your account and your CSUB account may have been compromised.

Tap the Deny button in your Duo app. You will be asked if this was a suspicious login, tap Yes.Then go to MyID and reset your password as soon as possible. Doing so will ensure access to your account remains secured.

As soon as possible, inform the ITS Service Center at 661-654-HELP(4357) or servicecenter@csub.edu if this occurs.

If your phone number is the same:
If your phone number has changed:
  • If you already setup an alternative/secondary 2Step device, then login to the Duo Device Management Portal. Then click "Manage Devices". Click "Enroll another device" to enroll your new phone. You can then remove your old phone by clicking the trash icon.
  • If you do not have an alternative/secondary device enrolled in 2Step, then call the ITS Service Center at 661-654-HELP(4357) for further assistance

Office of Information Security

Main Office
InformationSecurity@csub.edu
(661) 654-3425

Doug Cornell
Information Security Officer
dcornell@csub.edu
(661) 654-3474
Office: LIB ITV2C

Return to Information Security Home