Two-step login provides an additional layer of security so that attackers can’t access protected systems using only your NetID password. It also prevents password guessing attacks from succeeding. Two-step login helps keep your NetID, your personal information, and the College’s digital assets safe.

How does two-step login work?

Two-step login requires a second factor such as your office or cell phone, a passcode, or a hardware token when authenticating to a service. You still use your password, but in addition to something you know (e.g., your password), the second step requires something you have (e.g., your mobile phone).

An example of two-step login you likely are familiar with is a bank debit card. It isn’t possible to withdraw money using only a PIN (something you know). You must also swipe a card (something you have).

Your password plus your device proves you are you and allows you to access services.

Each time you use your NetID to log into a service that supports two-step login, you will be prompted to complete a second step. Two-step login protects applications that use SSO for authentication, including VPN. It does not apply when logging in to non-SSO services (e.g., WordPress), the wired or wireless network, or campus computers.

Two-step login can remember trusted devices. A “remember me” setting allows you to skip the second step for 30 days on a trusted device such as your Lafayette-issued laptop, desktop, or home computer. If you use another browser on the same device, or use a different device, you will be prompted for two-step login again.

What devices or second factors can I use?

Two-step login supports a number of devices and methods of authentication.

  • Push using Duo Mobile on a smartphone or tablet
  • Passcode using Duo Mobile
  • YubiKey / Universal 2nd Factor (U2F) Token
  • Phone call to mobile or landline

 

 

What does ITS recommend?

ITS recommends you use the Duo Mobile app on your smartphone and only use phone callback to your office landline as a secondary option.

If you do not have a cell phone, or prefer not to carry one during the day, consider a U2F hardware token instead. It can go on a keychain and the cost is minimal. Departments may purchase U2F tokens for staff at their own discretion.

I will be traveling abroad. Is there anything I need to know?

Please review the information found on Two Step Login while abroad.

How about if I am an international student or will be living abroad for a time?

We recommend using Duo Mobile for authenticating to Two-Step Login. Keep in mind that the Google Play Store might not be available in some regions, so plan ahead. If you intend to buy a local SIM card at your destination for an existing Android device, be sure you have Duo Mobile installed prior to departure.

If you will have a different phone while abroad and find you are unable to install Duo Mobile, you can use phone callback for two-step login. But if you will not have access to the new phone until your arrival, be sure to generate SMS codes prior to arrival.

Registering Devices for Two-Step Login

Enrolling in Two-Step Login

  1. Browse to an application that uses SSO, such as webmail.lafayette.edu.
  2. After authenticating with your Lafayette NetID and password, a two-step login frame will prompt you to enroll. Click the “Start setup” button.
  3. Select the type of device you are adding. ITS recommends you register at least two devices, including a mobile phone and, as a backup, your office landline. Select “Mobile phone” and click the “Continue” button.
  4. Enter your phone number. Make sure it is correct by clicking the checkbox. Click the “Continue” button.
  5. Verify ownership by receiving a call or a text at the number you just entered. You will be given a 6-digit code.
  6. Enter the code you received by call or text and click “Verify”.
  7. Make sure the green check mark appears, then click “Continue”.
  8. You will now see your phone added under “My Settings & Devices”. The default “When I log in” setting of “Ask me to choose an authentication method” allows you to select a device and authentication method for each login. This is recommended because it will provide you with an option when you do not have access to your default device. From here, you can click on “Add another device” or “Continue to Login” to go to the service you were trying to access.
  9. Clicking on “Continue to Login” will show a green “Enrollment successful” bar. Checking “Remember me for 30 days” allows you to skip the second step for 30 days on a trusted device. To proceed with logging in to the service, choose an authentication method.
  10. To use Duo Push and generate passcodes with your mobile phone, install the Duo Mobile app.

Installing Duo Mobile

Installing Duo Mobile on your smartphone enables you to use Push, an easy method for two-step login. Push notifications are sent to Duo Mobile and you simply touch the screen to approve requests. Duo Mobile also generates passcodes without needing a cell or wifi signal. You can easily install Duo Mobile on your smartphone or tablet and activate it using a QR code. This guide also covers reactivating Duo Mobile.

  1. Browse to an application that uses SSO, such as webmail.lafayette.edu.
  2. After authenticating with your Lafayette NetID and password, the two-step login frame will display. Click on “My Settings & Devices” in the left menu.
  3. To access your settings, you’ll need to first authenticate using two-step login. If you have “Remember me for 30 days” checked, or something other than the default “When I log in” setting of “Ask me to choose an authentication method”, you will need to open a new Private (in Firefox) or Incognito (in Chrome) window in your browser to get to this screen. After authenticating, click on “Device Options” next to your mobile number.
  4. Click on the blue “Activate Duo Mobile” button. If you are re-activating Duo Mobile because of an OS update or getting a new phone, you will see the “Reactivate Duo Mobile” button.
  5. Select the radio button for the type of phone you have.
  6. Download Duo Mobile to your phone through Google Play or the Apple App Store.
  7. Scroll down and click the green “I have Duo Mobile Installed” button.
  8. Open the app on your phone, tap the “+” button, and move your phone’s camera over the QR code to scan it. You may need to scroll down to see the code.
  9. When it scans successfully, a green check mark will appear over the QR code. An entry for Lafayette College will show in Duo Mobile.
  10. Scroll down and click the green “Continue” button. You will be returned to “My Settings & Devices”.

Activate Duo Mobile using an email address instead of a QR code

You can activate Duo Mobile using email instead of scanning a QR code. To do this, you need to be able to access an email account from the same device where the mobile app is installed. First, follow steps 1 through 7 above.

  1. Instead of scanning the QR code, click the “Or, have an activation link emailed to you instead.” link.
  2. Enter a valid email address for an account you can access from your mobile phone.
  3. A blue bar will appear instructing you to click on the link in the email.
  4. Click the emailed link and open a window in either a browser or the app. This will add an account to the app. Click the green “Continue” button to be returned to “My Settings & Devices”.
  5. “Send Me a Push” will appear as an authentication method. Click on it and then open Duo Mobile on your phone. Touch the green “Request waiting. Tap to respond …” bar, then the green “Approve” button.

Adding a YubiKey / Universal 2nd Factor (U2F) Token

  1. Browse to an application that uses SSO, such as my.lafayette.edu.
  2. Select “Add a new device” from the menu on the left.
  3. Select the U2F token radio button and click “Continue”.
  4. A pop-up window will open. If it does not, check your browser settings to make sure that pop-ups are not being blocked.
  5. Next, insert your YubiKey. It is important that you do not click away from the pop-up when you insert your token. If you do, you will have to close the pop-up and open a new one for it to recognize the key. The pop-up will open and prompt you to insert the U2F token; as long as the token flashes while being inserted, you can tap it to authenticate.
  6. A green check mark will show up showing success.
  7. You will now see the U2F token in the list of devices in “My Settings & Devices”.
  8. Now when attempting to log in, if a U2F token is present and plugged in, you will see a blue alert pop up telling you “Use your U2F token to login.”
  9. Once you tap the U2F key, the alert will change to green and tell you “Success! Logging you in…”.

Setting Duo to Remember Me for 30 Days

  1. After entering your Lafayette credentials, check “Remember me for 30 days” and click the appropriate green button for your authentication method (e.g., Send Me a Push, Call Me).
  2. If the checkbox is greyed out and you automatically received an authentication request, click [Cancel]. It means you had chosen a method for your “When I log in” setting other than the default of “Ask me to choose an authentication method”. Continue by following step 1 above.

Creating Passcodes

You can use Duo Mobile with the passcode method of authentication on your cell phone or tablet without wifi or a cell signal. To generate a passcode, click the key or arrow icon next to your account in Duo Mobile. In the two-step login frame in your browser, click the green “Enter a Passcode” button, enter the code from your mobile device, then click “Log In”.

You can also text yourself SMS passcodes to keep with you in case you do not have access to any of your devices. They are especially useful when travelling abroad. SMS codes are one-time use only and sent in groups of ten. To use them, click on the green “Enter a Passcode” button in the two-step login frame in your browser. Then click on “Text me new codes” in the blue bar. Each time you use the passcode method for two-step login, the first digit of the next code in the series will be shown in the blue bar.

Adding a New Mobile Device or Landline

  1. Browse to an application that uses SSO, such as my.lafayette.edu.
  2. Select “Add a new device” from the menu on the left.
  3. Select the Landline (or another) device type and click the green “Continue” button.
  4. Enter your phone number and make sure the box is checked confirming it is correct. Click the green “Continue” button.
  5. Click the “Call me” button. You will receive an automated call with a message containing a 6-digit code. Enter the code and click “Verify”.
  6. Make sure the green check mark appears, then click the green “Continue” button.
  7. Under “My Settings & Devices”, you will now see two phones as options for two-step login. You can change your default device if you like.

Accessing My Settings & Devices

  1. Browse to an application that uses SSO, such as my.lafayette.edu.
  2. If you have “Remember me for 30 days” checked or something other than “Ask me to choose an authentication method” set, you will need to open a new Private or Incognito window in your browser to get to the two-step login frame.
  3. Choose an authentication device and method.
  4. After you authenticate, you will be able to access My Settings & Devices.

Two Step Login FAQ
