Multi-Factor Authentication (Duo) FAQ

What is multi-factor authentication (MFA)?

Multi-factor authentication, also referred to as two-step or two-factor authentication (2FA), is a security method that requires an individual to provide two or more forms (also called factors) of authentication to verify their identity to access a particular resource. These verification forms may include a password, a code sent via text, or a code sent via telephone.

How does MFA work?

MFA is commonly used for resources that contain sensitive or private information, like emails or online banking. Each time an individual logs in to an account with MFA, they must first provide their username and password (the first form of authentication) and then follow a prompt to send a code by telephone or text to the mobile device they have on file (the second form of authentication). This method verifies that the person who entered the username and password is actually the resource and should be allowed to access it.

How is MFA used at Cal Poly?

Cal Poly students, faculty, and staff must verify their identities with Duo when logging in to any web-based resource that requires a username and password, including My Cal Poly Portal, Cal Poly Canvas, Microsoft email and calendar, and more. If you have not already set up MFA, you will be prompted to do so when you try to access any resources behind a Cal Poly login. MFA is required for all Cal Poly accounts (except shared club/department accounts).

Do I have to use MFA every single time I log in to email and the Portal?

No. When you log in to Cal Poly resources and authenticate with Duo, you will see a screen that asks, “Is this your device?” If you click “Yes, this is my device,” it will save your response for 30 days, so you won’t have to keep authenticating each time you log in. If you select “No, other people use this device,” you must re-authenticate each time you log in.

How do I set up Duo MFA?

Check out our article, Set Up Multi-Factor Authentication (Duo), a walkthrough of getting started with Duo and enrolling the device you want to use to authenticate.

What kinds of devices can I use with Duo to verify my identity?

You can use:

The device you authenticate with must be set up through the My Cal Poly Portal. If you need to change this device any point, you must update your authorized device in the My Cal Poly Portal.

I don’t have a mobile device. What are my options?

Any member of the Cal Poly community can request and receive a Duo token at no cost. Tokens generate an authentication code without an internet connection or cell signal. You can request a token online via the Support Center. Tokens are sent by mail from the Service Desk and may take up to five days to be delivered to you.

Duo also allows for physical authentication by tapping a compatible security key (which you can purchase) or using a built-in biometric authenticator like Touch ID (available on some laptops).

The Service Desk also offers single-use bypass codes that can keep your account authenticated if your mobile device is temporarily absent.

How does MFA make Cal Poly accounts more secure?

Passwords are becoming increasingly easy to compromise. MFA adds another layer of protection to Cal Poly accounts, making it much harder for unauthorized people to access your personal information. Even if they know your password, they won’t be able to recreate a second authentication factor, such as a code that has been texted to you. Using MFA is now standard practice at most universities, including all 23 California State University campuses.

How will I be able to share my Cal Poly log-in with my parents?

Educational records are private and protected under the Family Educational Rights and Privacy Act (FERPA). Using Share My Info, students can share their Cal Poly information with trusted recipients, such as parents or scholarship donors. Share My Info is a Cal Poly web application that lets a student grant access to specific records or information to one person or a group.

What is Duo Universal Prompt?

Duo updated the authentication screen on February 19th, 2024, with a more streamlined design and enhanced security.

Log in to an application with Duo as you usually would. If you are due for a Duo push, the Universal Prompt will automatically replace the traditional prompt, changing the look of your login page.
Duo’s Universal Prompt will present the most secure method to authenticate your identity. (It is recommended you choose the default option for the first time.)
Duo will remember your choice and present that method the next time you log in.
You will notice visible changes on the login prompt. See the sample sequence of screenshots below for a preview of the new look compared to the old:

New Look	Old Look
The initial login screen looks the same as the old one. After you enter your username/password and click the Login button, though, you will see the new look (as shown in the screenshots below):

Duo may first present you with the PassKey/Touch ID option. If you don’t have a Passkey to use, simply click Close. Then click Other options and choose your preferred authentication method.

Now, Duo’s new universal prompt displays the most secure method for authenticating. From this screen, you may also choose Other options.

When you click Other options, this screen is displayed.

After you log in, Duo will ask whether this is your personal device to keep the settings for your convenience. If you indicate that you are using a non-personal device like a lab computer, the next user will get a new authentication prompt from Duo.


After the first time, the prompt is updated to include the Remember me checkbox. (Duo Push is shown below as one example; the authentication method varies based on user preference)