
Two-Step Verification (FAQ)

Overview

Two-Step Verification

Two-Step Verification provides an added layer of protection when accessing PennKey-protected web sites and applications. After you log in with your PennKey and password, you’ll use a device in your possession to verify your identity.

With Two-Step, your data is protected, even if your PennKey password is compromised.

To enroll in Two-Step, visit: https://twostep.apps.upenn.edu (See our FAQ: "How do I enroll in Two-Step?" and the Two-Step Verification User Guide)

How do I use Two-Step?

Two-Step is easy to use and provides numerous verification options, so you’ll always be able to access your data – even if you’re not connected to a cellular data or Wi-Fi network.  

After enrolling in Two-Step, you’ll:

  1. Log in with your PennKey and password as usual
  2. Verify your identity using a device in your possession. You can choose to:
    • Use the Duo Mobile app on your iOS or Android smartphone to receive push notifications or generate single-use verification codes to enter into your browser (Recommended!)
    • Receive SMS messages with verification codes.
    • Receive automated phone calls.
    • Generate verification codes using a SafeID keychain fob purchased from the Computer Connection

You can also enter a pre-printed single use verification code into your browser, or use an additional back-up option if you don’t have access to your device. If you are unable to obtain a verification code using either your primary or back-up methods, the Two-Step Verification Code Hotline may be able to assist.  The hotline can be contacted at (215) 746-2222 during business hours (Monday – Friday, 8:00am – 6:00pm EST).  Additionally, the IT organization of your school or center may have a Two-Step Administrator who may be able to assist you.

Penn recommends using the Duo Mobile app on your iOS or Android smartphone or device for the best Two-Step experience.

For additional information on verification options, see our FAQ: “What are the different methods and devices for logging in with Two-Step?”

 


Answers to common questions about Two-Step Verification can be found below.
 

Penn is requiring all staff to enroll in Two-Step Verification in order to protect University information assets and community members’ personal information. Many of Penn’s peer institutions have already implemented Two-Step, as have banks, financial services providers and companies such as Apple and Google. As more and more of the University’s interactions with its students, faculty, staff, and alumni occur over web-based applications, the need to protect your data from those with criminal intent or a personal grudge is continually increasing.

Password-related security breaches are happening with increasing frequency all over the world. When such breaches occur, users’ passwords and other personal information are then sold to other hackers, or even simply released openly to the world. Considering that users frequently re-use passwords at multiple websites, the security provided by a simple password becomes weaker each year.

In short, relying on passwords to protect our personal and organizational security is not sufficient. We must take steps to improve the security posture of both the University as a whole and you, our individual users.

One of the simplest and most effective methods to do so is to encourage wide adoption of Two-Step Verification for access to Penn web resources.

  1. If using the Duo Mobile application, search for “Duo Mobile” in your iOS or Android device’s app store, then download and install the app. Duo Mobile is free to download and use.
  2. Think of at least two PennKey holders who could confirm your identity by hearing your voice. During the enrollment process, you’ll be asked to identify these friends as part of the “Phone-a-Friend” feature (see attached FAQs).
  3. From your computer’s browser, go to Penn’s Two-Step Verification enrollment page at https://twostep.apps.upenn.edu and follow the instructions in the app to enroll in Two-Step and register your device. For a detailed step-by-step visual guide, consult the Two-Step Verification User Guide.
  4. At the end of the enrollment process, you’ll receive 20 pre-generated single-use verification codes. Save or print these to use as a backup login option (see FAQs).
  5. You’re good to go!

With Two-Step, all Penn web resources that prompt you for PennKey and password will now also require you to provide Two-Step Verification. However, during the log-in and verification process, you can choose to check the box for “Trust this browser.” This means you won’t be prompted to use Two-Step for subsequent logins, provided you use that same browser at least once every thirty days.

Note: The “Trust this browser” feature is set for an individual browser on an individual computer. If you switch to a different browser or use a different computer, you will need to complete Two-Step Verification for that new browser – but you can trust more than one browser.

No, Two-Step is only required for resources accessed through Penn’s WebLogin system. The following resources do NOT use Two-Step:

  • Microsoft O365 –  O365 uses a separate account and separate log-in page altogether.
  • Air PennNet – While Air PennNet does use your PennKey, it does not require Two-Step.
  • Your Penn desktop/laptop computer – These are not integrated with WebLogin and do not use Two-Step.
  • Any application that is not a web-based application is not affected.
  • Any web-based application that does not use the Penn WebLogin page is not affected.

Duo Mobile (https://duo.com) is an application that allows you to use your Android or iOS device for Two-Step Verification. Duo Mobile is free to download and use.

Duo Mobile is simple to set up and provides two options for completing your second login step.

  • Use Duo Push to automatically receive a “push notification” on your device when you log in. You only need to press “Approve” on your device to complete the login. After you press “Approve,” your web browser automatically detects the approval and completes the login without any further action from you. You can select Duo Push as your primary verification method during the enrollment process.
  • Open the Duo Mobile app on your iOS or Android device to generate a single-use verification code, and then enter that code in your browser. Codes are generated by the app without requiring a connection to the Two-Step servers. No Wi-Fi or cellular data connection is required.

USING TWO-STEP VERIFICATION  

For the best user experience, Penn recommends using Duo Mobile on your iOS or Android device.

After enrolling in Two-Step, you’ll continue to log in with your PennKey and password in your web browser and then will use a device in your possession to complete the second step of the log-in process.

You can select your primary and back-up verification methods during the enrollment process. Options include:

  • Install the Duo Mobile app on your Android or iOS phone or other device in order to receive Duo Push notifications that you tap and approve or generate single-use verification codes to enter in your browser.
  • Receive a text message with a single-use verification code on your mobile phone and enter the code into your browser (No smartphone required).
  • Receive an automated phone call on your mobile phone or landline. (No smartphone required)
  • Use a SafeID keychain fob purchased from the Penn Computer Connection to generate a single-use verification code to enter into your browser. Please contact your LSP for information about using a key fob.
  • Enter a pre-printed single-use verification code – When you are without your primary method (forgot your phone, away from your desk, etc.), you can use pre-generated single-use verification codes that are created and printed (or saved) when you enroll in Two-Step. Once enrolled, you can generate a new set of passcodes if you use up or lose the original set. Visit https://twostep.apps.upenn.edu/ and click “Manage settings” to generate new codes.

There are two main considerations for choosing a verification method:

  1. The devices to which you have access
  2. Whether or not you’re connected to a Wi-Fi or cellular data network.

You can select the method that best fits your circumstances.

 

Method: Duo Push – Best user experience

  • Receive an automated push notification on your device
  • Tap “Approve” to verify your identity and complete your login

Device(s): iOS or Android Device (phone or tablet) with Duo Mobile app installed

Network connectivity: Wi-Fi or cellular data connection is required

Method: Duo Mobile Single-Use verification code

  • Launch the Duo app on your device to see a single-use verification code
  • Enter code in browser when prompted
  • Can use instead of “Push” whenever Wi-Fi or cellular data connections are weak/non-existent
  • Excellent fallback method for international travel

Device(s): iOS or Android Device (phone or tablet) with Duo Mobile app installed

Network connectivity: Does not require Wi-Fi or cellular data connectivity. Single-use verification codes are generated by the app without requiring a connection to the Two-Step servers

Method: Text message

  • Automatically receive a text message with a single-use verification code
  • Enter code in browser when prompted

Device(s): Any text-capable mobile phone

Network connectivity: Cellular data connection is required

Method: Phone call/landline (Recommended back up option)

  • During enrollment, enter a phone number for a landline that you can easily access
  • At log-in time, you will receive an automated phone call allowing you to confirm or deny the Two-Step request

Device(s): Any landline or mobile phone

Network connectivity: Phone service required

Method: SafeID keychain fob (from Penn Computer Connection)

  • Automatically generate a single-use verification code using the fob
  • Enter code into browser when prompted
  • Device must be purchased through the Computer Connection at the Penn Bookstore
  • Please contact your LSP for more information about using a fob

Device(s): SafeID fob

Network connectivity: Does not require Wi-Fi or cellular data connectivity; keychain fob is self-contained

If you don’t have access to your primary and back up Two-Step devices, and need to access a PennKey-protected resource, you have two options:

Pre-generated passcodes

When you enroll in Two-Step, you’ll receive 20 pre-generated passcodes that can be saved or printed. To use your passcodes:

  1. Log in with your PennKey and password.
  2. When prompted, enter a passcode in your browser.
  3. Each code works one time, and must be used in consecutive order (cross them out as you use them!)

If you lose your codes, you can log in to the Two-Step enrollment app, click “Manage settings,” and generate a new list. Note that you’ll need access to your primary or back up Two-Step device to generate a new set of codes.

Phone-A-Friend/Help-A-Friend

Phone-A-Friend/Help-A-Friend allows a pre-registered person to voice-verify you and give you a one-time-use code. When you enroll in Two-Step, you may designate other PennKey Two-Step users to act as a “lifeline” if you are ever unable to get a Two-Step code on your own (if you forget your smartphone, for example). These should be people who can identify you by voice, and who are enrolled in Two-Step.

To use this feature:

  1. On the Two-Step log-in page (the one that you see after supplying your PennKey and Password, which collects Two-Step codes), click the “Phone-A-Friend” button.
  2. On the resulting page, click “Authorize Friends to Retrieve A Code.”
  3. Call your friend, and ask them to log in to “http://twostep.apps.upenn.edu/” and click “Manage settings.”
  4. From the “Manage settings” page, they can click “Help-A-Friend” to reach a page where they can select your name from their list of “friends” and supply you with a one-time-use code to get through Two-Step login. 
  5. Enter the code on the Two-Step log-in page, and click Login.
  6. That’s it!

Generating a 6-digit code using the Duo Mobile app provides a secure option that does not require a Wi-Fi or a cellular data connection. The SafeID keychain fob (sold at the Penn Bookstore) also works without any connectivity, but does require that you remember to bring it with you.

As an additional precaution, it is recommended that you save or print passcodes generated by Penn’s Two-Step app to bring with you. Safe travels!

MANAGING YOUR TWO-STEP VERIFICATION PROFILE

You can manage your Two-Step account at any time by going to https://twostep.apps.upenn.edu/ and selecting the “Manage settings” button. From the Two-Step Verification settings page, you can choose to:

  1. Unenroll (note that you will not be able to access PennKey-protected web resources until you re-enroll).
  2. Add an additional phone or device.
  3. Update your profile, including back-up verification options such as a second phone number and information for “Phone-A-Friend.”
  4. Generate a new set of twenty passcodes to use if you don’t have access to your device.
  5. View information about using Duo Mobile.
  6. Untrust browsers.
  7. View your Two-Step Verification activity.
  8. Help a friend by generating a one-time passcode when requested.

If you’re already enrolled in Two-Step and get a new phone, you’ll need to unenroll from Two-Step and then re-enroll using your new phone.

  1. Search for “Duo Mobile” in your iOS or Android device’s app store, then download and install the app. Duo Mobile is free to download and use.
  2. Log in to the Penn Two-Step application at http://twostep.apps.upenn.edu/
  3. Click the “Manage Settings” button.
  4. On the “Manage Settings” page, click the “Unenroll” button.
  5. Click “enroll” on the next page and then follow the directions for registering the Duo app on your iOS or Android device.

No. The Duo application uses Internet connectivity for “push” notifications, and requires no connectivity at all to generate 6-digit codes. If your phone number changes, you only need to visit http://twostep.apps.upenn.edu and choose “Manage settings” to update your phone numbers for the “Call Me / Text Me” features, because these, of course, rely on your phone number. All other Two-Step methods (Duo Push, Duo Mobile codes, key chain fob, and pre-printed codes) are unaffected by changes to your cell phone number.

No. All currently enrolled users and their devices will continue to work. However, the following steps are recommended:

  • Visit https://twostep.apps.upenn.edu to verify and update your settings (phone numbers, list of friends for “Phone-A-Friend”). However, you do not need to re-enroll.
  • If you are already enrolled, but are not using Duo Mobile, we recommend you consider switching to Duo Mobile and using Duo Push notifications for the most convenient Penn Two-Step experience. However, if you are currently using another method for Penn Two-Step Verification and would like to continue using it, you may do so.

Duo Mobile push notifications are faster and easier!

Using Google Authenticator with Two-Step requires you to enter a six-digit code from the app on the Two-Step log-in page and then click “Log-in.”

Duo Push automatically sends a notification alert to your device when you log in. You only need to press “Approve” on your device to complete the login. After you press “Approve”, your web browser automatically detects the approval and completes the login without any further action from you.

That said, you can continue using Google Authenticator for Two-Step if you prefer to do so.

  1. Search for “Duo Mobile” in your iOS or Android device’s app store, then download and install the app. Duo Mobile is free to download and use.
  2. Log in to the Penn Two-Step application at http://twostep.apps.upenn.edu/
  3. Click the “Manage Settings” button.
  4. On the “Manage Settings” page, click the “Duo Mobile” button, and then follow the directions for registering the Duo app on your iOS or Android device.

 

 

 

 

How to install an authenticator app:

An authenticator app generates verification codes for Penn WebLogin. In the case of the Duo Mobile app, you can also receive automated push notifications that you tap and approve.

On your phone or mobile device: Download the appropriate app for your platform by visiting the desired link below with your mobile device. If you already have an authenticator app installed, you don't need to install anything else.

Ignore any set-up instructions specific to Gmail, Google, or other non-Penn accounts. Simply download the free app and install it on your device, then enroll in Two-Step Verification.

Note: Penn WebLogin Two-Step Verification is built on the OATH open industry-wide standard, using the TOTP algorithm. The apps listed above have been widely tested at Penn and are known to be compatible and supported with Penn's implementation, but any authenticator app that can generate codes using TOTP should work with Penn WebLogin Two-Step Verification.