CalNet 2-Step Tips
CalNet 2-step verification (a.k.a. 2-factor authentication or 2FA) is a security measure designed to protect your CalNet account from an attacker who have stolen your CalNet credentials. The 1st step of CalNet authentication is usual (filling CalNet ID and pass-phrase in the web browser form). The 2nd step is verifying your identity using a hardware device the attacker can not have (like your smart or landline phone). The 2-step verification is available for faculty, staff and students, and we encourage you to enroll before it becomes mandatory (deadline for faculty and staff April 16, 2018; deadline for students September 24, 2018). The enrollment is easy, takes few minutes and becomes effective immediately.
- The 2-step verification is tied to campus central authentication service (CAS), that is it works only with web applications designed for CAS authentication. Here are few examples of such applications: bMail http://bmail.berkeley.edu, CalCentral https://calcentral.berkeley.edu/, department website https://math.berkeley.edu/cas, CalNet account manager.
- You will not be asked to confirm your identity if you login to your desktop computer using CalNet credentials. Neither will you go through the 2nd (verification) step if you access your mail from Unix command line. That means you still must protect your CalNet credentials by all means.
- The 2-step verification process won't do much good if your computer or mobile device is compromised or running unsupported (vulnerable) software. All your university owned and personal devices must comply with minimum security standards for network devices.
Is your web browser safe?
It is vitally important to keep your web browser safe. Ask yourself these questions:
- Is my browser up to date?
- Update it if the answer is no and you have administrative privileges on your computer.
- Do I have Flash plugin installed?
- It is not recommended, but keep it up to date if the answer is yes.
- Do I have Java plugin installed?
- You might not need it, but, again, keep it up to date if the answer is yes.
- Do I have ad blocker installed?
- It is recommended because it may block unsafe ads.
This third-party site might help to answer the above questions. Note that the version of Firefox browser installed on department managed Unix computers is not the latest. This is normal and does not mean that it is not safe. All department Unix systems are updated regularly.
Enroll first device
Go to CalNet account manager and enroll your first device. The options are:
- smart phone
- Recommended option for technically inclined users. It requires installing an additional app called Duo Mobile.
- Not recommended as the first device unless it is always with you. It also requires installing Duo Mobile.
- landline phone
- Recommended option for non-technical users. It may be either a cell or traditional landline or VoIP phone. No additional app needed, but the phone has to be within your reach.
- simple hardware token
- Recommended option for full-time university employees who do not have a smart phone or tablet device.
Generate backup passcodes
It is recommended to generate backup passcodes after you enrolled your first verification device. Just click on the Get Backup Passcodes button at the bottom of CalNet 2-step manager page, then print the passcodes and keep them safe. You will need them if you lose access to your verification device.
Enroll another device
According to CaNet 2-step tips, you may enroll more than one device. When you get to your second step verification, you can choose which device to use. Select another device from options suitable for the first one plus YubiKeys hardware token intended for advanced users, especially, those who travel a lot.
Remember me for 30 days
If you don’t want to do the second step verification each time you log in, you can check the "Remember Me for 30 Days" checkbox before you authenticate. This feature works by setting cookies on your browser and is specific to the browser and computer or device you enabled it on. Thus using a different browser or device will not “remember” you. Check your browser settings to make sure it's not blocking third-party cookies.
If you get locked out
If you have lost your phone and don’t have a second device or backup passcodes, contact firstname.lastname@example.org (from personal email account) or call campus shared services at 510-664-9000, option 1.
If you missed the deadline
If you are a student and missed the deadline, go to https://calnetweb.berkeley.edu/calnet-2-step/if-you-missed-2-step-deadline.