Penn State’s Two-Factor Authentication (2FA) is an important security measure that adds a second layer of protection to an individual’s Access Account or to a particular Penn State system or website; however, 2FA is not foolproof. In other words, 2FA reduces the risk of a compromised account but does not eliminate the risk entirely.
For example, 2FA is still susceptible to phishing scams, and as multi-factor authentication systems become more common, phishing scams will become more complex and occur more frequently. It’s the nature of the cat-and-mouse game between security staff and hackers.
Do Not Accept Unrequested Authentication Attempts
Remember, when using 2FA, you will only be prompted for authentication upon your request.
Refuse any attempts to authenticate that you did not initiate yourself.
If you get an email that says you’ll be getting a phone call or push notification requesting that you confirm your identity, do not respond to the email and do not accept any authentication attempts that might follow.
If a push notification that you didn’t request pops up on your phone, reject it, and if you believe that it is a fraudulent attempt to access your account, use the app to report it as fraud. If you receive a phone call requesting authentication that you did not request, hang up without authenticating. You can also report an unrequested phone authentication attempt as fraud by contacting the IT Service Desk.
Lost or Stolen Device
If one of your devices is lost or stolen, then either go to 2fa.psu.edu to remove the device (as long as you have a second device registered or have another device to replace the lost or stolen device) or contact the IT Service Desk.
For more information see “What if I lose my phone, tablet, or hardware token?”
Duo Will Never Ask for Password
Duo, Penn State’s partner in 2FA, will never ask for your user ID and password. If you receive such a request, do not respond.