
Two-Step Authentication


Two-step authentication uses two types of authentication to verify your identity: your SUNet ID login/password, and an authentication code. This type of authentication is required to access Stanford systems that have higher than normal levels of security, such as critical business or infrastructure systems. In addition, two-step authentication can help protect your Stanford account should someone else learn your password.

There are three options available for receiving authentication codes:

  1. SMS text messaging to your mobile device.
  2. Smartphone authenticator applications.
  3. A printed list of your two-step authentication codes that you can carry with you.

Getting started

To use Two-Step Authentication you must first enable it and choose how you want to receive your authentication codes. Select the method you would like to enable:

  1. SMS text message
  2. Authenticator applications for:
    •  iPhone/iPad/iPod Touch
    •  Android
    •  Blackberry
    •  Windows Phone
  3. Printed list

Two videos that show you how to set up SMS text message authentication or Google Authenticator are available. These videos were produced by the School of Humanities and Sciences for their own use, but the information is applicable to all Stanford community members.

Setting two-step preferences

Once you've set up two-step authentication, you will have the option to change some of your preferences to allow for more security. For more information, see:

What to expect once you've set up two-step authentication

Once you enable two-step authentication, you may see an extra page after you sign into a Stanford resource via WebLogin. This page will prompt you to enter your authentication code, which is the number that you obtain from your two-step authentication method. How often you are asked to enter an authentication code varies, depending upon:

  • the website you link to (for added security, some sites always require an authentication code)
  • your Two-Step Auth challenge level setting
  • your individual browser settings (whether or not you clear cookies)
  • whether or not you use more than one computer and web browser (an authentication code will be requested at least every 28 days for each computer and each browser you use to access protected websites)
  • whether you uncheck "I use this machine regularly" on the WebLogin screen (a good practice when using a shared computer); if it is unchecked, a two-step authentication cookie will not be set

Where you will find this code depends upon what mechanism you chose for two-step authentication: 

  • If you chose SMS Text Message: your authentication code will be sent to your cell phone by text message.
  • If you opted to use a smartphone authenticator app: launch the application to see your current authentication code. Because the app runs on your device, you don't have to have cellular or internet access to get your authentication code (as you do with SMS), and you'll never run out of authentication codes (as you can with the printed list).
  • If you selected Printed List: locate the next unused number on your printed list (which is why we recommend carrying it with you) and enter this number as your authentication code; then cross it off your list.
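
Why an authenticator app needs no connection: the added example below (not Stanford's code or part of the original page) computes a code from only a shared secret and the device clock, and shows the matching server-side check. It assumes the app is enrolled in the standard time-based mode (RFC 6238 defaults: HMAC-SHA-1, 30-second step, 6 digits); the secret is the RFC's published test key and `verify` is a hypothetical helper name.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 4226/6238 test key, base32-encoded the way
# authenticator apps receive a secret at enrollment. Not a real secret.
ENROLLED_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over an 8-byte big-endian counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: float, step: int = 30) -> str:
    """RFC 6238: the counter is the number of whole time steps since epoch.
    Nothing here touches the network; the device clock is the only input."""
    return hotp(base64.b32decode(secret_b32), int(unix_time) // step)


def verify(secret_b32: str, submitted: str, unix_time: float,
           step: int = 30, window: int = 1) -> bool:
    """Server-side check (assumed policy): accept the current step and
    +/- `window` neighbours to tolerate clock drift on the phone."""
    secret = base64.b32decode(secret_b32)
    counter = int(unix_time) // step
    ok = False
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue
        expected = hotp(secret, counter + drift)
        # Constant-time comparison; keep looping so timing does not
        # reveal which step matched.
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    now = time.time()
    code = totp(ENROLLED_SECRET_B32, now)
    print("code for the current 30-second step:", code)
    print("accepted now:", verify(ENROLLED_SECRET_B32, code, now))
    print("accepted 5 minutes later:",
          verify(ENROLLED_SECRET_B32, code, now + 300))
```

A production verifier would also record the last accepted step per user so that a code cannot be replayed inside its validity window.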

Information for international travelers

We recommend that anyone who travels internationally and needs to log into Stanford websites set their two-step authentication mechanism to Printed List or to Smartphone Authenticator. You can use Google Authenticator to generate your authentication code without an Internet or cellular connection.

Note: If you travel internationally and have SMS Text Messaging set as your two-step authentication mechanism, the text messages you receive may incur substantial roaming charges. Further, if your phone has an international number, you currently cannot use it to receive two-step authentication codes and you will have to pick one of the other two options.

If you expect to travel internationally and cannot set up Smartphone Authenticator as your two-step authentication method, Printed List is your best alternative.

Getting help

For assistance, please submit a HelpSU request.

Last modified November 15, 2013