(Click question to expand content.)
The following are required to enroll in 2FA to log in to resources protected by WebAccess:
- All employees, including both faculty and staff
- All students whose primary affiliation is identified as Student
- As of 7/31/2020, all individuals with Sponsored Accounts
- Retirees with emeritus status
For help with the enrollment process, see Enroll in Two-Factor Authentication.
To learn why Penn State requires two-factor authentication and how it benefits you, see Why Must Students Enroll in Two-Factor Authentication? or Why Does Penn State Require Me to Enroll in Two-Factor Authentication?
The following are not required to enroll in 2FA:*
- Alumni who are no longer taking courses or working for the University.
- Retirees who do not have emeritus status
- Individuals who have a business, academic, or research relationship with the University, but are not official students or employees (Sponsored Accounts).
To unenroll, call the IT Service Desk.
*Certain Penn State resources, such as College of Engineering Systems require users to be enrolled in 2FA even if they are not otherwise required to do so.
You do not need a smartphone to use 2FA. 2FA also works with cell phones, landline phones, tablets, hardware tokens, FIDO U2F security keys, and MAC devices with Touch ID. Although using the 2FA Duo Mobile app on a smartphone makes it easy to receive Duo Push notifications from WebAccess and to generate passcodes, it is just one of the ways you can use 2FA. To learn more, see knowledge article What Devices and Methods Can I Use for Two-Factor Authentication?
If you do not have a smartphone, cell phone, landline phone, tablet, Macbook Pro or Macbook Air, you will need to purchase a FIDO U2F security key, a keychain sized piece of hardware which is widely available from different manufacturers and retail sellers. See knowledge article Requirements for Using a Security Key for Two Factor Authentication to learn more. Although U2F security keys are preferred, a limited number of Duo hardware tokens are also available for purchase by faculty and staff only from Software at Penn State. Duo Tokens (another type of keychain-sized hardware) represent an older technology with more limited support.
It’s important to enroll more than one device in 2FA in case you misplace or something happens to your only enrolled device. For example, if you accidentally leave your cell phone at home, you could use your landline office phone, tablet, FIDO U2F security key or MAC device with Touch ID as a backup way to log in to WebAccess. To learn more about the types of devices you can use for 2FA and how to enroll them, see knowledge article Add (Enroll) Another Device for Use with Two-Factor Authentication (I'm Currently Enrolled).
See knowledge article I Can't Access my Enrolled Device(s) or Lost, Stolen, or Damaged Two-Factor Authentication Device.
Your ability to unenroll or opt-out depends on the nature of your affiliation with the University. Faculty, staff, students, those with sponsored accounts, and retirees with emeritus status are required to use 2FA to log in to WebAccess. As of May 12, 2020, all students are also required to enroll in 2FA.
As long as you are a member of one of those groups, you will not be able to unenroll from 2FA without losing your access to WebAccess protected sites such as WorkLion, LionPath, Office 365 applications, and Canvas. Individual exceptions can only be made for compelling reasons such as a disability, and must be approved by the appropriate department. To learn why Penn State requires two-factor authentication and how it benefits you, see Why Must Students Enroll in Two-Factor Authentication? or Why Does Penn State Require Me to Enroll in Two-Factor Authentication?
If you no longer fall into one of those categories, you may unenroll by contacting the IT Service Desk.
Most individuals with disabilities will find that at least one of the many options available for two-factor authentication will work for them. For assistance in finding a workable solution (or approval to opt-out if none can be found), students should contact Student Disability Services. Employees should contact the Affirmative Action Office
Keeping your devices updated with the latest software versions helps protect you and the Penn State resources you access from potential security issues. The out-of-date software notification is meant to encourage you to do so, and save you from having to check for the latest software versions on your own.
The notification will not prevent you from logging in. Simply click Let's update it to learn what's out of date and how to fix it, or choose Dismiss or Skip to temporarily ignore it. We realize it's not always in your power to update the software on your device.
For more information, see knowledge article Software Update Notification – Your Computer Software is Out of Date.
You will need to use 2FA to log in to WebAccess for as long as you are a faculty or staff member. When you leave Penn State, your affiliation with the University will change and you will no longer be required to use 2FA.
You can use the 2FA Duo Mobile app to generate a passcode without a cellular or wifi connection. Another option is to request 10 one-time use passcodes to use when you don’t have cell coverage. Landline phones, hardware tokens, FIDO U2F security keys and MAC devices with Touch ID also work with 2FA. To learn about the requirements for using various devices and methods of authentication, see knowledge article Device Requirements for Two-Factor Authentication.
As a security measure, you will be locked out of 2FA after ten consecutive attempts to log in to WebAccess using 2FA fail. Here are some suggestions for how to avoid getting locked out:
- Make sure you’re attempting to authenticate to a properly enrolled device that is currently available to you.
- Open the 2FA Duo Mobile app and approve the Duo Push notification when you request authentication.
- Log out of your computer daily to prevent your machine from trying to automatically authenticate to certain sites and systems.
If you do get locked out of 2FA, contact the IT Service Desk for assistance.
Yes, you can use 2FA with third-party accounts. If you use a smartphone with 2FA, the 2FA Duo Mobile app can integrate with such accounts as Google and Dropbox. Learn more at the guide.duo.com/third-party-accounts.
While we don't anticipate the student 2FA requirement will cause many disruptions (for instructional staff and faculty) in the classroom, below are some possible scenarios and recommended solutions.
Learn about the resources available to you at Get Help, on this site.
Yes, you can use 2FA while traveling abroad. You can use your smartphone or cell phone, enroll a new international phone, or buy a hardware token (before you leave) to use 2FA abroad. To learn more, see knowledge article Using Two-Factor Authentication While Traveling.
If you have a MacBook Pro or MacBook Air with touch ID, you may use it to authenticate when you log in to WebAccess. To learn how to enroll these devices, see knowledge article Add (Enroll) a MAC Device with Touch ID for use with Two-Factor Authentication.
Mobile device biometrics such as Apple Touch ID, Face ID, and Android Fingerprint cannot currently be used with Penn State 2FA.
Duo Mobile supports the use of biometrics with Duo Push, but only as a third form of authentication. If Penn State were to enable this option, you would be required to use biometric authentication in addition to approving the Duo Push. The University has elected not to enable this feature so as not to require you to perform an additional step.
A push notification is simply a message that appears in a banner or pop-up on your phone screen.
Push notifications are the simplest and most secure method of using two-factor authentication.
This method of authentication is available to anyone who has enrolled a smartphone for use with 2FA. Once you’ve installed and activated the Duo Mobile app on your phone, you’ll see a button called Send Me a Push on the 2FA Login Screen each time you log in to WebAccess.
When you choose Send Me a Push, the Duo 2FA process initiates ("pushes") a message to your phone to notify you that someone is requesting approval to log in to WebAccess with your ID. Once you approve the request, you confirm that you are the one attempting to log in, and are immediately logged in to the resource you're attempting to access.
To learn how to use this method, see knowledge article Use the Duo Mobile Push Method of Two-Factor Authentication.
See knowledge article Why Must Students Enroll in Two-Factor Authentication?