About MFA @ UCSB
UC Santa Barbara joins other UC campuses in taking meaningful action to help our UCSB community guard itself against cybercrime.
Multi-factor Authentication (MFA) adds an additional layer of security by verifying not only that the person knows a password, but that the person also has access to a registered device, like a personal smartphone. UCSB has partnered with Duo Security, a system that makes it easy for you to enable MFA. Watch this video demonstrating how to use MFA with the Duo App.
On May 7th, UCSB will be implementing changes to Duo MFA:
- SMS/text codes and phone callback will be disabled. If you currently rely on receiving an SMS/”Text Me” code or a phone callback from Duo to login to UCSB applications, you’ll need to:
- Download the Duo Mobile app on your device and set your default authentication to Duo Push (if downloaded before May 7), or Push Verified Duo or Passcode, if downloaded on May 7 or later.
- Request a free hard token. When requesting a hard token, be aware that it can take 1-2 days for processing if you are on campus and a week or more if you work remotely. Please plan accordingly.
- Duo Verified Push will be deployed. If you already use Duo Mobile, your login experience will look different. Duo Verified Push displays a unique 4-digit verification code in the login window of the protected application. The user enters this 4-digit code into their Duo Mobile app to complete the authentication process.
- You do not need to take any action to implement Duo Verified Push, but we recommend you familiarize yourself with this change. Watch a demo of Duo Verified Push here.
Why is UCSB implementing these changes?
These changes will make our logins more secure, reduce risks related to weak MFA options, and ensure compliance with current UCPath requirements.
They address the critical need for stronger MFA methods to protect UC employee data. UC has experienced several successful phishing attacks that compromised employee credentials, bypassed location multi-factor authentication systems, and led to unauthorized access to UCPath accounts. Attackers subsequently altered direct deposit information, redirecting paychecks to fraudulent accounts.
Duo Push, in particular, has been exploited in cyberattacks through a method known as MFA fatigue attacks or push bombing. These attacks rely on users getting overwhelmed or tricked into approving a login request they didn’t initiate.
Duo Verified Push is more secure than a standard Duo Push because it adds an extra step to ensure the individual approving the login is the legitimate user.
Quick Links
- MFA SUPPORT/HELP
- Duo Verified Push - Coming May 7, 2025
- Got a New Phone? (same number)
- Got a New Phone? (different number)
- Enroll via the Duo App (recommended)
- Test Your MFA Device (recommended)
- Update Duo Mobile to latest version
- No App? No problem
- MFA FAQ
- Using MFA When Traveling Abroad
Need help?
Find support information here.
Ready to take the next step?
Enroll your smartphone in MFA with Duo now!
MFA for Application Developers and Administrators
For information about onboarding Duo, requesting Duo keys, and more, visit the MFA for App Developers & Administrators page.