Two-Step Authentication FAQ General Questions Q: Why is Stanford requiring this additional step? A: Hackers, including foreign state-sponsored entities, are attacking university computer systems with ever-increasing frequency and sophistication. Two-step authentication provides an extra level of security for Stanford s data. By requiring a second factor of authentication, it is much more difficult for someone to impersonate you online. This step will help to protect direct deposit information, research, intellectual property and faculty, staff and student personal information. Stanford will likely require additional measures in the near future, including password strength requirements, upgrades/replacements of old operating systems such as Windows XP and encryption of laptops and mobile devices. Q: Does this affect my current use of a personal home computer to log in to webmail or other University resources, or a personal mobile device to access University web sites? A: Two-step authentication doesn t change University policy on use of computers or mobile devices; it simply adds a second piece of authentication regardless of what computer or device is used to access University data. We continue to encourage encryption of all computers and mobile devices that are used for this purpose. Q: What applications currently require two-step authentication? A: Among others, direct deposit, W-4 withholding allowances, RegAdmin, Workgroup Manager, and NetDB currently require two-step authentication. The list is small so far, but will grow rapidly. Oracle Financials is scheduled to go behind two-step on September 30th and we anticipate that well before the end of the Fall Quarter, 2013, the University s financial, student and HR systems all will require two-step authentication.
Two-Step Setup Process Q: What will happen when two-step authentication is required and I have not yet enabled it? A: When you begin to log in to any WebAuth protected resource (webmail, Axess, etc.), but instead of proceeding to their destination, they will stop at a screen that says, You must set up two-step authentication before accessing any resources at Stanford that are protected by WebAuth. To do so, go to Accounts. The link to the Accounts app takes the user directly to the 2-Step Auth tab, which includes a large button to enable two-step authentication. Q: What should I take into consideration when picking the authorization method? A: There are a variety of choices, so here are some suggestions as to which method may work best for you. Do you have an unlimited texting plan? If so, SMS may be the right option for you. Do you travel frequently where you don t get good coverage? If so, we recommend an Authenticator app. If you have no smartphone or device that can receive SMS texts, a printed list may be your best choice. If you have no smartphone or device that can use an Authenticator app or receive SMS texts, and have no access to a printer, you can choose the printed list, but save to a.pdf file on your computer. Q: What if I don t have a phone I can use for the SMS or Authenticator app options, and I don t have access to a printer? A: You can still use the printed list option. Rather than choosing a printer, you can print to.pdf, then save the.pdf file on your computer. Q: Can I set up two-step authentication to use the Authenticator app on more than one device? A: Yes you can, but you have to be prepared and set it up correctly. Here's how:
1. Collect all of the devices that you may want to use for authentication codes. If you have multiple tablets or mobile phones, get them all together. 2. Install the Google Authenticator app on each device. (It is available for both ios and Android). 3. Go to accounts.stanford.edu and set up 2-step authentication using Google Authenticator. 4. When shown the QR code, open the Google Authenticator app on EACH device and scan the code. You can scan the code on multiple devices, but it must be the same QR code. If you are missing a device, you can save the QR code image for later by right-clicking and saving the image to your hard drive. 5. Use one device to enter a code on the confirmation page. Using Two-Step Q: What should you do if you don t have your second factor at hand and you absolutely, positively need to do something? 1. Call 5-HELP to disable two-step authentication. The staff at the service desk will verify your identity and can disable your two-step setting. 2. Go to accounts.stanford.edu and select the 2-Step Auth tab. 3. Click the Enable button. 4. Select the Printed List method. 5. Print your list and use it until you have your mobile device again. You can save the image of the printed list as a.pdf so that you can display it on your computer or print a replacement copy in case of loss. 6. When you have your mobile device again, return to accounts.stanford.edu and select the Change/Remove button and return to the authentication method you had before. Q: What if I set up Google Authenticator, then had to set it up again. Now it shows two codes that are different. Which one do I use? A: If you have already set up two code generators in your Authenticator app, you will need to delete the older one. Usually, the older one is earlier on
the list, because the app adds new codes to the bottom. If you have turned off 2-step or changed your method, your Authenticator app won t know about the change. First, open the app and tap the Edit icon. Tap the red delete icon and confirm that you are ready to delete your prior SUNetID@stanford.edu authentication set up. If you have not yet set up a second code generator, delete the prior set up, then tap the plus icon to scan the new barcode from the Accounts app. Q: How long are the two-step authentication printed list codes valid? A: The printed list is valid until they are all used or until you change to a different method. Q: I ran out of printed list codes before I realized I needed to save two to log in and reset. What can I do? A: You can always call the IT Service Desk at 650-725-HELP (650-725-4357) at any time, day or night. They will disable your two-step settings, so that you can connect to accounts.stanford.edu and set up two-step again and get a new list. If you have your security level set to the highest option, "Always", you need to handle your printed list slightly differently from the way you would at the default "every 28 days" level. At the default challenge level, "every 28 days": you use the printed codes, one by one, till you have used #19 at that point, you connect to accounts.stanford.edu you login with your SUNet ID and password you select Manage, then Two-Step Auth you use #20 to validate your identity for two-step you proceed and get a new printed list. At the highest challenge level, "always", you will need to use one code when you connect to accounts.stanford.edu; you'll be asked to login with your SUNet ID and password, and because you've selected "always" you'll need a code to verify your identity. Therefore the process looks like this: you use the printed codes, one by one, till you have used #18 (not 19) at that point, you connect to accounts.stanford.edu you login with your SUNet ID and password
since you've selected "always", you're asked to enter a code, and here you enter #19 now you can select Manage, then Two-Step Auth you use #20 to validate your identity for two-step you proceed and get a new printed list. you may wish to circle #18 on your new list as a reminder that once you've used this one, it's time to get a new list Q: If I ve used some, but not all, of the codes on my printed list, and I want to print a new list, can I do that? A: Yes. You can go to accounts.stanford.edu and produce a new printed list. At that time, the codes on the first list will become invalid. Q: How do I make changes? I think I picked the wrong choice. A: Go to accounts.stanford.edu, click on Manage and you can change your level or your method of authentication. Other Requirements Q: What if I haven t changed my password or viewed the required security video yet? A: You will be prompted to do each of those things before you can use WebAuth to log into Stanford web content. More Information Q: Where can I get more information about two-step authentication? A: The home page for two-step authentication is: https://itservices.stanford.edu/service/webauth/twostep From this page you can get detailed information on getting started with two-step authentication, setting your preferences, making changes, and what to expect. Q: I m responsible for an application or site that requires WebAuth. How can I set up a two-step requirement for my application? A: We ve developed a special page for application owners: https://itservices.stanford.edu/service/webauth/twostep/app_owner