Two-Step Login provides an additional layer of security so that attackers can’t access protected systems with only your NetID. It also prevents online password guessing attacks from succeeding. Two-step login helps keep your NetID, your personal information, and the College’s digital assets safe.

How does Two-Step Login work?

Two-Step Login requires a second factor such as your office or cell phone, a passcode, or a hardware token when authenticating to a service. You still use your password, but in addition to something you know (e.g., your password), the second step requires something you have (e.g., your mobile phone).

An example of two-step login you are likely already familiar with is a bank debit card. It isn’t possible to withdraw money from a bank account using only a PIN (something you know). You must also swipe a card (something you have).

Your password plus your device proves you are you and allows you to access services.

Each time you use your NetID to log into a service that supports two-step login, you will be prompted to complete a second step. Two-step login protects applications that use single sign-on (SSO) for authentication. It does not apply when logging into non-SSO services (e.g., WordPress), the wired or wireless network, or campus computers.

Two-step login can remember trusted devices. A “remember me” setting allows you to skip the second step for 30 days on a trusted device such as your Lafayette-issued laptop, desktop, or home computer. If you use another browser on the same device, or use a different device, you will be prompted to use two-step login again.

What devices or second factors can I use?

Two-Step Login supports a number of devices and methods of authentication.

  • Push using Duo Mobile on a smartphone or tablet
  • Passcode using Duo Mobile
  • YubiKey/Universal 2nd Factor (U2F) Token
  • Phone call to mobile or landline

What does ITS recommend?

ITS recommends that you use the Duo Mobile app on your smartphone, with phone callback to your office landline as a secondary option.

If you do not have a cell phone, or prefer not to carry one during the day, consider a U2F hardware token. It can go on a keychain and the cost is minimal. At their discretion, departments may purchase U2F tokens for staff.

Traveling or living abroad?

Please review the information found on Two Step Login while abroad.

Registering your Devices for Two-Step Login

Enrolling in Two-Step Login

  1. Browse to an application that uses web single sign-on, such as my.lafayette.edu.
  2. After authenticating with your Lafayette NetID and password, the two-step login frame will display prompting you to enroll. Click the “Start setup” button.
  3. Select the type of device you are adding. Information Technology Services (ITS) recommends you register at least two devices, including a mobile phone and, as a backup, your office landline. Select “Mobile phone” and click the “Continue” button.
  4. Enter your phone number. Make sure it is correct by clicking the checkbox. Click the “Continue” button.
  5. Verify ownership by receiving a call or a text at the number you just entered. You will be given a 6-digit code.
  6. Enter the code you received by call or text and click “Verify”.
  7. Make sure the green check mark appears, then click “Continue”.
  8. You will now see your phone added under “My Settings & Devices”. The default “When I log in” setting of “Ask me to choose an authentication method” allows you to select a device and authentication method for each login. This is recommended because it will provide you with an option when you do not have access to your default device. From here, you can click on “Add another device” or “Continue to Login” to go to the service you were trying to access.
  9. Clicking on “Continue to Login” will show a green “Enrollment successful” bar. Checking “Remember me for 30 days” allows you to skip the second step for 30 days on a trusted device. To proceed with logging in to the service, choose an authentication method.
  10. To use the Push method of authentication with your mobile phone and be able to generate passcodes, install the Duo Mobile app.

Installing Duo Mobile

Installing Duo Mobile on your smartphone enables you to use Push, an easy authentication method for two-step login. Push notifications are sent to the mobile app and you simply touch the screen to approve requests. Duo Mobile also generates passcodes and can do so without a cell or wifi signal. You can easily install the app on your smartphone or tablet and activate it using a QR code. The guide also covers reactivating Duo Mobile.

  1. Browse to an application that uses web single sign-on, such as my.lafayette.edu.
  2. After authenticating with your Lafayette NetID and password, the two-step login frame will display. Click on “My Settings & Devices” in the left menu.
  3. To access your settings, you’ll need to first authenticate using two-step login. If you have “Remember me for 30 days” checked or something other than the default “When I log in” setting of “Ask me to choose an authentication method”, you will need to open a new Private (in Firefox) or Incognito (in Chrome) window in your browser to get to this screen. After authenticating, click on “Device Options” next to your mobile number.
  4. Click on the blue “Activate Duo Mobile” button. If you are re-activating Duo Mobile because of an OS update or new phone, you will see the “Reactivate Duo Mobile” button.
  5. Select the radio button for the type of phone you have.
  6. Download Duo Mobile to your phone through Google Play or the App Store.
  7. Scroll down and click the green “I have Duo Mobile Installed” button.
  8. Open the app on your phone, tap the “+” button, and move your phone’s camera over the QR code to scan it. You may need to scroll down to see the code.
  9. When it is scanned successfully, a green check mark will appear over the QR code. An entry for Lafayette College will show in the mobile app.
  10. Scroll down and click the green “Continue” button. You will be returned to “My Settings & Devices”.

Activate Duo Mobile using an email address instead of a QR code

You can activate Duo Mobile using email instead of scanning a QR code. To do this, you need to be able to access an email account from the same device where the mobile app is installed. First, follow steps 1 through 7 above.

  1. Instead of scanning the QR code, click the “Or, have an activation link emailed to you instead.” link.
  2. Enter a valid email address for an account you can access from your mobile phone.
  3. A blue bar will appear instructing you to click on the link in the email.
  4. Click the emailed link and open a window in either a browser or the app. This will add an account to the app. Click the green “Continue” button to be returned to “My Settings & Devices”.
  5. “Send Me a Push” will appear as an authentication method. Click on it and then open Duo Mobile on your phone. Touch the green “Request waiting. Tap to respond…” bar, then the green “Approve” button.

Add a YubiKey/Universal 2nd Factor (U2F) Token

  1. Browse to an application that uses web single sign-on, such as my.lafayette.edu.
  2. Select “Add a new device” in the menu on the left.
  3. Select the U2F token radio button and click “Continue”.
  4. A pop-up window will open. If it does not, check your browser settings to make sure that pop-ups are not being blocked.
  5. Next, insert your YubiKey. It is important that you do not click off of the pop-up when you insert your token. If you do, you will have to close the pop-up and open a new one for it to recognize the key. The pop-up will prompt you to insert the U2F token. As long as the token flashes while being inserted, you can tap it to authenticate.
  6. A green check mark will show up showing success.
  7. You will now see the U2F token in the list of devices in “My Settings & Devices”.
  8. Now when attempting to log in, if a U2F token is present and plugged in, a blue alert will pop up and tell you “Use your U2F token to login.”
  9. Once you tap the U2F key, the alert will change to green and tell you “Success! Logging you in…”.

Create a batch of one-time use SMS Passcodes

You can use Duo Mobile with the passcode method of authentication on your cell phone or tablet without having wifi or a cell signal. To generate a passcode, click the key or arrow icon next to your account in Duo Mobile. In the two-step login frame in your browser, click the green “Enter a Passcode” button, enter the code from your mobile device, then click “Log In”.

You can also text yourself SMS passcodes to keep with you in case you do not have access to any of your devices. The one-time codes are sent in groups of ten. To use them, click on the green “Enter a Passcode” button in the two-step login frame in your browser. Then click on “Text me new codes” in the blue bar. Each time you use the passcode method for two-step login, the first digit of the next code in the series will be shown in the blue bar.

Add a Landline

  1. Browse to an application that uses web single sign-on, such as my.lafayette.edu.
  2. Select “Add a new device” in the menu on the left.
  3. Select the Landline option and click the green “Continue” button.
  4. Enter your phone number and tick the checkbox to confirm it is the correct number, then click the green “Continue” button.
  5. Click the “Call me” button. You will receive an automated call to your landline with a 6-digit code. Enter the 6-digit code that is read to you and click “Verify”.
  6. Make sure the green check mark appears, then click the green “Continue” button.
  7. Under “My Settings & Devices”, you will see there are now two phones as options to authenticate with. You can also change the default device here.

View My Settings and Devices

  1. Browse to an application that uses web single sign-on, such as my.lafayette.edu.
  2. If you have “Remember me for 30 days” checked or something other than the default “Ask me to choose an authentication method” set, you will need to open a new Private or Incognito window in your browser to get to the two-step login frame.
  3. Choose a device and method for two-step login.
  4. Once authenticated, you will be able to access your settings and devices.

Two Step Login FAQ