Support IT's Guide to Multi Factor Authentication: Role Accounts


Overview


As part of UC San Diego's plan to meet the UC systemwide cybersecurity investment initiative, multi-factor authentication (MFA) will be required for role accounts starting February 25, 2025. This includes both accounts identified as role accounts in MailUPD (Affiliation: A) and ad hoc accounts created in Active Directory.

This requirement is being put in place to comply with the Secure Connect Program objective of ensuring that 100% of mail-enabled accounts are protected by MFA. This will impact SSO authentication using Active Directory and ADFS authentication. It will be enforced on all accounts and affiliations. For ADFS authentications, DUO has been mandated since the last ADFS farm upgrade completed over a year ago.

Critical Concepts


There are 3 different ways a role account may be used: 

For Service Accounts that are not mail-enabled or cannot use MFA


Option 1: Request OAUTH tokens/credentials 

  1. Submit a ticket and let us know you need to request an OAUTH token. 

Option 2: Request a DUO Bypass

  1. Before requesting a DUO bypass, check if your account is mail-enabled. If your account is not mail-enabled, you should switch your authentication method to OAUTH.
  2. You can submit a ticket to request a temporary DUO bypass. In your ticket, include your name and the reason for needing the bypass. The bypass will be reviewed yearly and will need to be renewed. Upon approval, the person making the request will be listed as a sponsor in MailDB to track account ownership.

A bypass should only be requested for the following:

If you still have questions or need additional assistance, please contact the ITS Service Desk. You can call us at (858) 246-4357, email us at support@ucsd.edu, or submit a ticket at support.ucsd.edu.