As part of Penn’s Identity & Access Management (IAM) Program, improvements to the Two-Step Verification user experience were implemented on November 14, 2023 with the release of Duo Universal Prompt. Duo Universal Prompt is a vendor-supplied Multi-Factor Authentication (MFA) application that replaced Penn’s custom solution for PennKey Two-Step Verification. PennKey is now integrated directly with Duo for a seamless user experience. Duo Universal Prompt provides a modern, secure, easy-to-use login interface and a simpler way to add and manage devices.
Who Is Affected?
All PennKey Two-Step users and PennKey support providers are affected by the changes.
What Changed?
Current PennKey Two-Step Verification users do not have to re-download the Duo Mobile app, but will see the following changes:
- Users will see the new Duo Universal Prompt UI instead of the previous Penn custom interface during PennKey WebLogin (see screenshots to the right).
- All existing “Trust this browser” sessions will have expired.
- Users need to authenticate with Two-Step upon their first login after rollout.
- Duo Universal Prompt enforces a 60-day limit on trusted browsers. Browser trust is now enabled by clicking “Yes, this is my device” during login.
- New login options are supported – USB security keys and Touch ID (Apple).
- Some legacy Two-Step functions were retired.
- PennO365 Two-Step also changed to Duo Universal Prompt – Device trust now works across PennKey SSO and O365 logins.
- The PennKey Login UI was refreshed and modernized with no functionality changes.
The following legacy Two-Step functions were retired upon rollout of Duo Universal Prompt. See below for replacement information for retired functions:
Function To Be Retired | Replaced By | Notes |
---|---|---|
“Generate Codes” (printed codes) |
Code generating function within Duo Mobile app or Duo fob |
If generating codes from within Duo Mobile app, users do not have to be online (no phone or internet service needed) |
User Dashboard (enroll, manage settings, trouble logging in) |
Duo Device Management Portal |
Use the Duo Device Management Portal to add, rename, or delete devices |
New Google Authenticator Registrations |
Duo Mobile app |
Existing Google Authenticator registrations will continue to work but are not supported or recommended |
New SafeID fobs (will no longer be distributed on campus) |
Duo fobs and hardware security keys |
Existing SafeID fobs will continue to work |
“Help a Friend” |
N/A |
Method no longer supported |
Two-Step Admin Console (PennKey Support Providers) |
New PennKey support application/Penn Community |
Training sessions on using the Two-Step support tools in the new PennKey support application were held for support providers |
Documentation
- Two-Step Verification help documentation website
- Duo's documentation: Duo Universal Prompt guide.
Managing Devices
- Use the Duo Device Management Portal to add, rename, or delete devices:
- Duo documentation to Add Another Device when in the Duo Device Management Portal.
- Duo documentation to Rename or Remove a Device when in the Duo Device Management Portal.
User Help
- Users can find support contacts on the Two-Step Verification help contacts page
- See the Two-Step Information for LSPs page for:
- More information on the Duo Universal Prompt rollout (including policy changes)
- Links to end-user resources
- Common technical issues
- Info on how to escalate an issue
- FAQs
- For Two-Step documentation, visit the Two-Step Verification help site
- For Identity Proofing guidance, see the ID Proofing Guidance for PennKey Administrators document
- For issues, support providers may contact ISC Client Care
- For user help contacts, see the Two-Step Verification help contacts page