Skip to content Skip to navigation

Two-Step Authentication

On December 13, 2014, the two-step authentication service was updated to offer more ways to authenticate. The method you currently use to authenticate will continue to work but you may want to use some of the new authentication methods. See the Transition Your Two-Step Authentication page for more information.

Overview

Two-step authentication uses two types of authentication to verify your identity. First, you need to log in with your SUNet ID and password. Then you need  a physical device that you control—such as your mobile phone, tablet, or landline phone—to verify your identity. This type of authentication is required to access Stanford systems that have higher than normal levels of security, such as critical business or infrastructure systems. In addition, two-step authentication can help protect your Stanford account should someone else learn your password.

There are five physical devices that you can use to provide the second factor of two-step authentication. Each device has one or more authentication methods available.

Device Type Authentication Options Supported Platforms
Smartphone
  • Duo Mobile push notification
  • Duo Mobile passcode
  • SMS text message
  • Phone call
  • iOS
  • Android
  • Windows Mobile
Tablet
  • Duo Mobile push notification
  • Duo Mobile passcode
  • iOS
  • Android
  • Windows Mobile
Mobile Phone
  • SMS text message
  • Phone call
  • Mobile phones with SMS text messaging capability
Landline
  • Phone call
  • All phones
Hardware Token
  • Passcode
  • A "keychain" hardware token displays two-step codes at a push of a button.

Note: If you currently use Google Authenticator for your second factor you can continue to do so. However, you are no longer able to set up Google Authenticator on your smartphone or tablet. The Duo Mobile app is the preferred replacement.

Getting started

To get started, select the device you want to set up:

One device must be designated as your default device, and your default device must have a preferred way to authenticate. WebLogin prompts you to authenticate using your default device and preferred method but you have the option of authenticating using a different device (if you have other devices set up) or method.

You are encouraged to enroll multiple devices as a backup in case the device you normally use for authentication is lost or  unavailable. All applicable authentication methods for a device are automatically available.

Setting two-step preferences

Once you've set up two-step authentication, you have the option to change some of your preference settings to allow for more security. For more information, see:

What to expect once you've set up two-step authentication

Once you enable two-step authentication, you may see an extra page after you sign into a Stanford resource via WebLogin. This page prompts you to authenticate on your default device using the default method you set up. You also have the option to authenticate using another method on your device or using another device that you have previously set up. The frequency that you are asked to authenticate on your default device varies, depending upon:

  • the website you link to (for added security, some sites always require an two-step authentication)
  • your Two-Step Auth challenge level setting
  • your individual browser settings (whether or not you clear cookies)
  • whether or not you use more than one computer and web browser (two-step authentication is requested at least every 28 days for each computer and each browser you use to access protected websites)
  • if you uncheck I use this machine regularly on the WebLogin screen (a good practice when using a shared computer) a two-step authentication cookie is not set

How you authenticate depends upon the device and method you chose for two-step authentication: 

  • If you chose Duo Mobile push notifications: a push notification is sent to the device, and you can review the request and tap Approve to authenticate. Internet or cellular access is required.
  • If you opted to use a Duo Mobile passcode: launch the application to see your current authentication code. Because the app runs on your device, you don't have to have cellular or internet access to get your authentication code.
  • If you chose SMS Text Message:  your authentication code is sent to your cell phone by text message.
  • If you chose Phone Call: you receive an automated phone call that requires you to press or tap any key on your phone to authenticate.
  • If you selected Printed List: locate the next unused number on your printed list (which is why we recommend carrying it with you) and enter this number as your authentication code; then cross it off your list.

Information for international travelers

We recommend that anyone who travels internationally and needs to log in to Stanford websites set their two-step authentication method to Duo Mobile Passcode. You can use Duo Mobile Passcode to generate your authentication code without an Internet or cellular connection. If you don't have a smartphone or tablet, hardware tokens that generate codes will be available starting February 2015.

Note: If you travel internationally or have an international phone number and have SMS Text Messaging set as your two-step authentication method, the text messages you receive may incur substantial roaming charges.

Duo integration with RDP/SSH/PAM

First, follow-along with the documentation for the remote administration protocol of your choice:

RDP: https://www.duosecurity.com/docs/rdp

SSH/PAM: https://www.duosecurity.com/docs/duounix

In the documentation linked above, you will be prompted for an integration key, a secret key and an API hostname. Follow the instructions below to integrate with the Stanford University Duo installation.

You will need to be authenticated with Kerberos as the principal that is associated with the node as a NetDB administrator. You will also need to install wallet to generate the API keys for integrating your authentication method with Duo. Run the following command where [fqdn] is replaced with the fully-qualified domain name of the node:

​​wallet get duo-pam [fqdn]

Getting help

For assistance, please submit a HelpSU request.

Last modified June 19, 2015