Two-Step Verification: FAQ

Penn is requiring all faculty, staff, and students to enroll in Two-Step Verification in order to protect University information assets and community members’ personal information. Many of Penn’s peer institutions have already implemented Two-Step, as have banks, financial services providers and companies such as Apple and Google. As more and more of the University’s interactions with its students, faculty, staff, and alumni occur over web-based applications, the need to protect your data from those with criminal intent or a personal grudge is continually increasing.

Password-related security breaches are happening with increasing frequency all over the world. When such breaches occur, users’ passwords and other personal information are then sold to other hackers, or even simply released openly to the world. Considering that users frequently re-use passwords at multiple websites, the security provided by a simple password becomes weaker each year.

In short, relying on passwords to protect our personal and organizational security is not sufficient. We must take steps to improve the security posture of both the University as a whole and you, our individual users.

One of the simplest and most effective methods to do so is to encourage wide adoption of Two-Step Verification for access to Penn web resources.

Consult the Two-Step Verification: getting started page for quick instructions on how to enroll. For detailed, step by step instructions including screenshots, see Two-Step Verification: detailed instructions.

With Two-Step, all Penn web resources that prompt you for PennKey and password will now also require you to provide Two-Step Verification. However, during the log-in and verification process, you can choose to check the box for “Trust this browser.” This means you won’t be prompted to use Two-Step for subsequent logins, provided you use that same browser at least once every thirty days.

Note: The “Trust this browser” feature is set for an individual browser on an individual computer. If you switch to a different browser or use a different computer, you will need to complete Two-Step Verification for that new browser – but you can trust more than one browser.

No. At this time, Two-Step is only required for resources accessed through Penn’s WebLogin system. Currently, the following resources do NOT use Two-Step:

• Microsoft O365 –  O365 uses a separate account and separate log-in page altogether.
• Air PennNet – While Air PennNet does use your PennKey, it does not require Two-Step.
• Your Penn desktop/laptop computer–these are not integrated with WebLogin and do not use Two-Step.
• Any application that is not a web-based application is not affected.
• Any web-based application that does not use the Penn WebLogin page is not affected.

Duo Mobile (https://duo.com) is an application that allows you to use your Android or iOS device for Two-Step Verification. Duo Mobile is free to download and use.

Duo Mobile is simple to set up and provides two options for completing your second login step.

• Use Duo Push to automatically receive a “push notification” on your device when you log in. You only need to press “Approve” on your device to complete the login. After you press “Approve,” your web browser automatically detects the approval and completes the login without any further action from you. You can select Duo Push as your primary verification method during the enrollment process.
• Open the Duo Mobile app on your iOS or Android device to generate a single-use verification code, and then enter that code in your browser. Codes are generated by the app without requiring a connection to the Two-Step servers. No Wi-Fi or cellular data connection is required.

For the best user experience, Penn recommends using Duo Mobile on your iOS or Android device.

After enrolling in Two-Step, you’ll continue to log in with your PennKey and password in your web browser and then will use a device in your possession to complete the second step of the log-in process.

You can select your primary and back up verifications methods during the enrollment process. Options include:

• Install the Duo Mobile app on your Android or iOS phone or other device in order to receive Duo Push notifications that you tap and approve or generate single-use verification codes to enter in your browser.
• Receive a text message with a single-use verification code on your mobile phone and enter the code into your browser (No smartphone required).
• Receive an automated phone call on your mobile phone or landline. (No smartphone required)
• Use a SafeID keychain fob purchased from the Penn Computer Connection to generate a single-use verification code to enter into your browser. Please contact your LSP for information about using a key fob.
• Enter a pre-printed single-use verification code – When you are without your primary method (forgot your phone, away from your desk, etc.), you can use pre-generated single-use verification codes that are created and printed (or saved) when you enroll in Two-Step. Once enrolled, you can generate a new set of passcodes if you use up or lose the original set. Visit https://twostep.apps.upenn.edu/ and click “Manage settings” to generate new codes.

There are two main considerations for choosing a verification method:

1. The devices to which you have access
2. Whether or not you’re connected to a Wi-Fi or cellular data network.

You can select the method that best fits your circumstances.

If you don’t have access to your primary and back up Two-Step devices, and need to access a PennKey-protected resource, you have two options:

Pre-generated passcodes

When you enroll in Two-Step, you’ll receive 20 pre-generated passcodes that can be saved or printed. To use your passcodes:

1. Log in with your PennKey and password.
2. When prompted, enter a passcode in your browser.
3. Each code works one time, and must be used in consecutive order (cross them out as you use them!)

If you lose your codes, you can log in to the Two-Step enrollment app, click “Manage settings,” and generate a new list. Note that you’ll need access to your primary or back up Two-Step device to generate a new set of codes.

Phone-A-Friend/Help-A-Friend

Phone-A-Friend/Help-A-Friend allows a pre-registered person to voice-verify you and give you a one-time-use code. When you enroll Two-Step, you may designate other PennKey Two-Step users to act as a “lifeline” if you are ever unable to get a Two-Step code on your own (if you forget your smart-phone, for example). These should be people who can identify you by voice, and who are enrolled in Two-Step.

To use this feature:

1. On the Two-Step log-in page (the one that you see after supplying your PennKey and Password, which collects Two-Step codes), click the “Phone-A-Friend” button.
2. On the resulting page, click the Authorize Friends to Retrieve A Code
3. Call your friend, and ask them to login to http://twostep.apps.upenn.edu/ and click Manage settings.
4. From the Manage settings page, they can click Help-A-Friend to reach a page where they can select your name from their list of friends and supply you with a one-time-use code to get through Two-Step login. 
5. Enter the code on the Two-Step log-in page, and click Login.
6. That’s it!

Lifelines can help you to access a PennKey-protected resource if you temporarily don’t have access to your primary or back-up Two-Step device. While they are not required, you're strongly encouraged to set them up so that you have options to get out of a difficult situation.

If you're new to Penn, you can enroll and use Two-Step Verification without lifelines, but you are strongly encouraged to add and use lifelines once you arrive on campus.

Pre-generated passcodes

When you enroll in Two-Step, you’ll receive 20 pre-generated passcodes. Make sure to print these codes out and store them in a secure location. Alternatively, you can take a picture of the 20 passcodes with your smartphone and upload that picture to a secure remote location, such as Penn+Box.

Friends

Friends are Penn affiliates who can voice-verify you and give you a one-time-use code. Follow the instructions in the FAQ entry above to learn how to designate Two-Step Friends.

Two-Step allows you to securely access your data from anywhere in the world – even if your Two-Step verification device isn’t connected to Wi-Fi or a cellular network. The Duo app on your device can generate six-digit verification codes without a real-time Wi-Fi or cellular connection.

If you swap your phone’s SIM cards while travelling, you will still be able to use the Duo Push form of Two-Step, as it works over an Internet connection, and does not rely on your phone number remaining constant. If you don’t wish to use Duo Push (although that is the most convenient and secure method we offer) and instead prefer to have your codes communicated to you via text or voice-call, simply add all of your SIM cards’ phone numbers on your Two-Step Verification user profile. With the extra numbers registered, you can select any one of them at login time, as well as whether you would like a text or a voice call, and your code will be sent immediately to the number of your choosing.

To add, change and select phone numbers, visit: https://twostep.apps.upenn.edu and click Manage Settings.

For additional information, see the "Two-Step Verification: Before you travel" resource article.

NOTE: Some classroom PCs at Penn allow a user’s data to remain on the machine after logout.  Other classroom PCs are configured to erase that data immediately upon user logout. Computers that erase all of a user’s data on logout cannot make use of the “Trust this browser” feature.

• If you’re teaching in a classroom where the PC allows user data to remain after logout (or if you teach using your own computer) you will only need to perform Two-Step Verification on that PC the first time you log in. After that, Two-Step will remain valid for you on that browser, as long as you use it to log into a PennKey-protected website at least once every 30 days.
• In many of Penn’s shared classrooms, the room PC is configured to erase each user’s activity immediately after logoff from the machine. As a result, those PCs cannot use the “Trust this Browser” feature.  In those rooms, Two-Step will be required when lecturers sign in with their PennKey at the start of the class.
• If you’re teaching in a classroom with no Wi-Fi or cellular connectivity, you can still use Two-Step. The Duo app on your device can generate six-digit verification codes without a real-time Wi-Fi or cellular connection.

You can manage your Two-Step account at any time by going to https://twostep.apps.upenn.edu/ and selecting Manage settings. From the Two-Step Verification settings page, you can choose to:

1. Unenroll (note that you will not be able to access PennKey-protected web resources until you re-enroll).
2. Add an additional phone or device.
3. Update your profile, including back-up verification options such as a second phone number and information for “Phone-A-Friend.”
4. Generate a new set of twenty passcodes to use if you don’t have access to your device.
5. View information about using Duo Mobile.
6. Untrust browsers.
7. View your Two-Step Verification activity.
8. Help a friend by generating a one-time passcode when requested.

If you’re already enrolled in Two-Step and get a replacement phone, you will need to configure a new Duo Mobile profile for your replacement phone. See Two-Step Verification: configuring a replacement phone for step-by-step instructions.

No. The Duo application uses Internet connectivity for push notifications, and requires no connectivity at all to generate 6-digit codes. If your phone number changes, you only need to visit http://twostep.apps.upenn.edu and choose Manage settings to update your phone numbers for the Call Me/Text Me features, because these rely on your phone number. All other Two-Step methods (Duo Push, Duo Mobile codes, key chain fob, and pre-printed codes) are unaffected by changes to your cell phone number.

No. All currently enrolled users and their devices will continue to work. However, the following steps are recommended:

• Visit https://twostep.apps.upenn.edu to verify and update your settings (phone numbers, list of friends for “Phone-A-Friend.” However, you do not need to re-enroll.
• If you are already enrolled, but are not using Duo Mobile, we recommend you consider switching to Duo Mobile and using Duo Push notifications for the most convenient Penn Two-Step experience. However, if you are currently using another method for Penn Two-Step Verification and would like to continue using it, you may do so.

Duo Mobile push notifications are faster and easier!

Using Google Authenticator with Two-Step requires you to enter a six-digit code from the app on the Two-Step log-in page and then click “Log-in.”

Duo Push automatically sends a notification alert to your device when you log in. You only need to tap Approve on your device to complete the login. After you tap Approve, your web browser automatically detects the approval and completes the login without any further action from you.

That said, you can continue using Google Authenticator for Two-Step Verification if you prefer to do so.

Search for “Duo Mobile” in App Store (iOS) or the Google Play Store (Android) then download and install the app. Duo Mobile is free to download and use. Follow the detailed instructions to set up Duo Mobile.