Two-Step Verification: FAQ

Penn is requiring everyone to enroll in Two-Step Verification in order to protect University information assets and community members’ personal information. Many of Penn’s peer institutions have already implemented Two-Step, as have banks, financial services providers and companies such as Apple and Google. As more and more of the University’s interactions with its students, faculty, staff, and alumni occur over web-based applications, the need to protect your data from those with criminal intent or a personal grudge is continually increasing.

Password-related security breaches are happening with increasing frequency all over the world. When such breaches occur, users’ passwords and other personal information are then sold to other hackers, or even simply released openly to the world. Considering that users frequently re-use passwords at multiple websites, the security provided by a simple password becomes weaker each year.

In short, relying on passwords to protect our personal and organizational security is not sufficient. We must take steps to improve the security posture of both the University as a whole and you, our individual users.

Consult the Two-Step Verification: Getting Started page for quick instructions on how to enroll. For detailed, step-by-step instructions including screenshots, see Two-Step Verification: Enrollment Instructions.

If you are required to use Two-Step, all Penn web resources that prompt you for PennKey and password will require Two-Step Verification. However, if you confirm "Yes, this is my device" during Duo verification, you will not be prompted again for 60 days if you are using the same browser and device.

No. At this time, Two-Step is only required for resources accessed through Penn’s WebLogin system. Currently, the following resources do NOT use Two-Step:

• AirPennNet – While AirPennNet does use your PennKey, it does not require Two-Step.
• Your Penn desktop/laptop computer–these are not integrated with WebLogin and do not use Two-Step.
• Any web-based application that does not use the Penn WebLogin page is not affected.

Duo Mobile is an application that allows you to use your Android or iOS device for Two-Step Verification. Duo Mobile is free to download and use.

Duo Mobile is simple to set up and provides two options for completing your second login step.

• Use Duo Push to automatically receive a push notification on your device when you log in. You only need to press “Approve” on your device to complete the login. After you press “Approve,” your web browser automatically detects the approval and completes the login without any further action from you. You can select Duo Push as your primary verification method during the enrollment process.
• Open the Duo Mobile app on your iOS or Android device to generate a single-use verification code, and then enter that code. Codes are generated by the app without requiring a connection to the Two-Step servers. No Wi-Fi or cellular data connection is required.

For the best user experience, Penn recommends using Duo Mobile on your iOS or Android device.

After enrolling in Two-Step, you’ll continue to log in with your PennKey and password in your web browser and then will use a device in your possession to complete the second step of the log-in process.

You can select your primary and back up verifications methods during the enrollment process. Options include:

• Install the Duo Mobile app on your Android or iOS phone or other device in order to receive Duo Push notifications that you tap and approve or generate single-use verification codes to enter in your browser.
• Receive a text message with a single-use verification code on your mobile phone and enter the code into your browser (No smartphone required).
• Receive an automated phone call on your mobile phone or landline. (No smartphone required)
• Use a Duo fob acquired from the Tech Center to generate a single-use verification code to enter into your browser.
• Use a Security Key purchased separately.

There are two main considerations for choosing a verification method:

1. The devices to which you have access.
2. Whether or not you’re connected to a Wi-Fi or cellular data network.

For information on the different methods and devices for logging in with Two-Step, see the Login Options page.

If you don’t have access to your primary and back up Two-Step devices, and need to access a PennKey-protected resource: see the Two-Step help page for contacts.

Two-Step allows you to securely access your data from anywhere in the world – even if your Two-Step verification device isn’t connected to Wi-Fi or a cellular network. The Duo app on your device can generate verification codes without a real-time Wi-Fi or cellular connection.

If you travel frequently, consider purchasing a Security Key (YubiKey and Feitian supported).

To add, rename, or delete devices, visit: https://upenn.edu/manage-twostep.

For additional information, see the "Two-Step Verification: Before you travel" resource article.

Duo recommends Security Key products from YubiKey and Feitian. All products recommended below will work on Penn’s Duo implementation.

For YubiKey, use their quiz to answer questions to get a recommendation on the optimal YubiKey product that best suits your needs.

For Feitian, review their product listing for Security Keys to select the best FIDO Security Key product for you.

NOTE: Some classroom PCs at Penn allow a user’s data to remain on the machine after logout. Other classroom PCs are configured to erase that data immediately upon user logout.

• If you’re teaching in a classroom where the PC allows user data to remain after logout (or if you teach using your own computer) you will only need to perform Two-Step Verification on that PC the first time you log in. After that, Two-Step will remain valid for you on that browser for 60 days.
• In many of Penn’s shared classrooms, the room PC is configured to erase each user’s activity immediately after logoff from the machine. In those rooms, Two-Step will be required when lecturers sign in with their PennKey at the start of the class.
• If you’re teaching in a classroom with no Wi-Fi or cellular connectivity, you can still use Two-Step. The Duo app on your device can generate  verification codes without a real-time Wi-Fi or cellular connection.

You can manage your Two-Step account at any time by going to the Duo Device Management Portal: https://upenn.edu/manage-twostep. From here, you can add, rename, or delete devices.

When you click Edit on your phone number's listing, you're editing only the label for your phone number (e.g., a descriptive label such as phone or My Mobile). Use the Add a device option instead (for details, see Two-Step Verification: Configuring a Replacement Phone).

If you’re already enrolled in Two-Step and get a replacement phone, you will need to configure a new Duo Mobile profile for your replacement phone. See Two-Step Verification: Configuring a Replacement Phone for step-by-step instructions.

See Duo documenation: How does changing a phone, number, or SIM card affect Duo Mobile?

No. All currently enrolled users and their devices will continue to work. However, we recommend you consider switching to Duo Mobile and using Duo Push notifications for the most convenient Penn Two-Step experience. If you are currently using another method for Penn Two-Step Verification and would like to continue using it, you may do so.

Users who used Penn's Two-Step Verification prior to November 14, 2023 may see Hardware Token options in their Duo Device Management Portal starting with "HOTP" or "TOTP." These tokens relate to legacy authentication methods, most of which are no longer supported. If you are not actively using any legacy Google Authenticator tokens, it is safe to delete these Hardware Tokens.