Penn State’s Two-Factor Authentication (2FA) service provides a second layer of protection to a user’s digital identity (for example, an Access Account), as well as adding protection to data, systems, and services.
The first layer (something you know) is the verification of the Penn State user ID and password, and the second layer (something you have) is generally a smartphone, but other options are available. 2FA uses the hosted Duo Security cloud-based two-factor authentication service.
2FA is connected to WebAccess, the University’s login authentication system for such services as Webmail (and other Penn State email services), ANGEL (and Canvas), and the Employee Self-Service Information Center (ESSIC).
2FA is also being used to protect a variety of Penn State services and systems, including Penn State Hershey, the College of Engineering, and a number of sensitive systems.
If you are a member of the Penn State community who would like to enroll in 2FA, then please go to the How to Enroll in Two-Factor Authentication page.
If you are a Penn State IT/technical contact who will be implementing a specific integration of 2FA for an application or system, then go to the 2FA Integration Process page.
- Assurance for application owners that only authorized users can gain access to critical information.
- Meets federal and industry compliance regulations.
- No hardware for system administrators to deploy and manage.
- Users can use their existing smartphones; the convenience of integrating the “something you have” with something that users already have is a benefit to users while keeping service overhead costs low.
- Users can also use cell phones that are not smartphones, tablets, landlines, and hardware tokens (specifically, a Duo Token).
- Positive user experience with easy enrollment of a device and installation of the mobile app using the self-enrollment portal.
- All smartphone platforms are supported for users to authenticate with or without cell service.
- Real-time alert notification for fraudulent authentication attempts (smartphones only).
- Reliable hosted cloud-based service.
- Robust platform integration options for IT System Administrators.
- Flexible integrations with application login workflow to protect systems and services.
- User self-enrollment.
- Duo’s smartphone app provides a highly secure method of challenge and response (Duo Push) that mitigates many of the problems that can arise with traditional hardware tokens.
- Users can use Duo Push (smartphone only) for one-tap authentication (requires data connectivity).
- Users can generate a passcode through the Duo Mobile app (smartphone only) with no connectivity at all (mirroring hardware token functionality).
- Privacy is maintained with no passwords or personally identifiable information (PII).
2FA primarily relies on phones (smartphones are recommended) to be the device in the user’s possession. Other options are available.
Service Availability and Maintenance
For portions of the service that ITS maintains (the self-service portal, WebAccess, etc.), scheduled maintenance is performed during the daily maintenance window from 5:00 a.m. to 7:00 a.m. EST/EDT. During this time, systems and services may be affected. Unanticipated urgent service issues may require maintenance at other times.
- Service licensing is centrally funded.
- Smartphone and mobile app are free with use of this service.
- Service telephony credits for call use and SMS messages with traditional cell phones and landline phones are currently covered through ITS and are periodically subject to review.
- Text messages and voice calls are sent only when a user requests them (and should never be necessary with a smartphone) and would be billed by the user’s carrier in the same way as any other text message or call, based on the user’s carrier plan. Penn State will not reimburse users for these charges. Note: If the charges when using Duo exceed a level that a user is comfortable with, then the user should consider switching to a landline phone rather than a cell phone for use with 2FA (understanding the limitations of a stationary phone).
- Hardware token devices typically used with this service are priced at $22.00 per device. Additional cost for other hardware token device alternatives can be expected. To purchase a hardware token, visit the Duo Token page of the Software at Penn State site.
IT Departments for use of this service through integration with a range of devices and applications. Documentation is available for a complete list of integrations.
This service is available for users in the following groups: faculty, researchers, staff, IT professionals, and students.
- Use with configured integration(s).
- Users must have a Penn State Access Account user ID and password. (Not intended for use with Short-Term Access Accounts—STAAs.)
- Enrollment of user(s) and phones, tablets, and/or hardware tokens.
- Installation of the Duo Mobile app for users intending to use Duo Push with a smartphone.
- Inquiries about accessible device alternatives and other token options should be directed to Identity Services.
If you are a Penn State technical contact who needs to implement an integration of 2FA for an application or system, then go to the 2FA Integration Process page.
If you are a member of the Penn State community who would like to enroll, then go to the How to Enroll in Two-Factor Authentication page.
User Enrollment will be completed through the Self-Service Enrollment Portal.
- How to install the Duo Mobile app:
- Self-service enrollment portal (where members of the Penn State community may enroll in the service or manage devices after initial enrollment has been completed)
- Enrollment Tips
- How to Use Enrolled Devices
- Logging in to 2FA through WebAccess
- When and How to Report Fraudulent Alerts
- Arranging the order of devices when using WebAccess
- Using 2FA While Traveling
- Frequently Asked Questions (FAQ)