Dear colleagues,
We are constantly working to make technology safer and easier to use. That is why we are introducing Risk-Based Authentication for Multi-Factor Authentication (MFA) — also known as your CalNet verification or 2-Step — on March 18, 2025. You must take action if you use SMS text messages or a simple hardware token for CalNet MFA verification.
What’s changing and why?
Many universities and UC campuses, including Berkeley, have experienced phishing attacks leading to stolen login details and misdirected paycheck deposits. We will enable Verified Duo Push to enhance our system security and discontinue SMS text messages and simple hardware tokens for CalNet MFA verification. We recommend moving to the Duo Mobile app. If you already use the Duo Mobile app, be sure it is updated, and learn how to use Verified Duo Push.
Take action to avoid interruption
If you have a smartphone: Enroll your smartphone following these instructions.
If you do not have a smartphone:
- You must request a security key before March 1 by emailing calnet2-stephelp@berkeley.edu.
- Also, we recommend downloading your Duo Bypass Codes as a backup.
Visit our MFA Security Enhancements page to learn more about these changes and the benefits of risk-based authentication.
We appreciate your support. Together, we can protect our data and preserve Berkeley's excellence.
Tracy Shinn, Associate Vice Chancellor for IT and Chief Information Officer
Allison Henry, Chief Information Security Officer
This message was sent to all employees campus-wide. If you are a manager who supervises UC Berkeley employees without email access, please circulate this information to all.