Two-Factor Authentication (2FA)
Two-factor (authentication) adds an extra layer of protection to student, employee, and affiliate Penn State Access Accounts to defend against unauthorized login attempts. 2FA allows you to have an extra layer of security on your devices (including personal devices like smartphones, tablets, and landlines) without any additional cost to you. If someone tries to access your account and you’ve enrolled on a smartphone, you’ll receive a real-time alert notification. 2FA meets federal and industry compliance regulations.
What is 2FA?
Penn State’s Two-Factor Authentication (2FA) adds a second layer of protection to your digital identity and helps to protect Penn State’s information.
The first layer (something you know) is the verification of your Penn State user ID and password. The second layer (something you have) is typically a smartphone, although other options are available. Scroll down to see some of the other devices you may enroll in 2FA.
Why does Penn State use 2FA?
Penn State takes cybersecurity very seriously. Not only does 2FA protect your digital identity from unwanted logins, it also protects sensitive University information.
2FA is connected to WebAccess, the University’s login authentication system for such services as Office 365, Canvas, LionPATH, and WorkLion.
When enrolled in 2FA, you will be prompted to enter your user ID and password into WebAccess. If the credentials match (meaning, the correct user ID and password combination was entered), you will then be prompted to use one of your enrolled devices to complete the login process.
Penn State uses the hosted Duo Security cloud-based two-factor authentication service.
How do I enroll in 2FA?
You can enroll at any time by visiting 2fa.psu.edu and completing the enrollment process.
Do I have to enroll in 2FA?
Please select your role from the options below to determine whether you’re required to enroll in 2FA, and how to unenroll.
I am a full-time employee
If you are a full-time employee, you must be enrolled in 2FA regardless of the amount of credits you may also be earning as a student. You cannot unenroll while you’re a full-time employee.
I am a part-time student and I work for Penn State
If you are a part-time student (less than 12 credits for Undergraduates, less than six credits for Graduate students) and you work for Penn State in any capacity (full or part-time), you are required to be enrolled in 2fa. You cannot unenroll while working for Penn State
I am a full- or part-time student, but I do not work for Penn State
If you are a student (full-time or part-time) and you are not working for Penn State in any capacity, you are not required to enroll in 2FA at this time.
To unenroll, you may log in to 2fa.psu.edu and remove your enrolled devices.
Please note: if you wish to use a system protected by 2FA (for example, webapps.psu.edu or many College of Engineering services), you must be enrolled in 2FA.
I am a retiree
At this time, retirees are not required to be enrolled in 2FA. If you are a retiree and wish to un-enroll, you can do so by logging into 2fa.psu.edu and removing all your enrolled devices.
Please note: Emeritus users MUST enroll in 2FA.
What kind of devices can I enroll in 2FA?
Note: Penn State also uses VASCO tokens which cannot be used for 2FA. Only Duo tokens can be enrolled for use with 2FA and must be purchased from the software.psu.edu website. Some departments may be able to supply you with a Duo token, but this is at the discretion of the department for which you work for.
Please see the following Knowledge Article for step-by-step instructions on enrolling a Duo token.
Note: Only Yubikeys that are purchased through software.psu.edu can be enrolled in Penn State’s integration of 2FA. If you purchase a Yubikey from any vendor other than software.psu.edu, it cannot be enrolled. This is due to a pre-configuration that must take place through our vendor to integrate the key with our system.
The software.psu.edu site is currently sold out of Yubikeys and no new orders have been placed due to upcoming configurations. Please check back later to see if more are available for purchase.
Because tablets do not have an associated phone number, you must install the Duo Mobile App and cannot utilize the Phone Call or SMS Code options (only Push Notifications and Passcodes are available).
Please see the following Knowledge Article for step-by-step instructions on enrolling a tablet.
Can I enroll multiple devices?
Yes! If you have already enrolled at least one device, you can log back into 2fa.psu.edu and click the “Add New Device” icon to enroll another.
We recommend that you enroll at least two devices in case your primary device is not available or becomes disabled.
How do I log in after enrolling?
Please see the following Knowledge Article on how to use a Duo push notification, phone call, or passcode to log in to WebAccess using 2FA.
How do I request a 2FA integration?
If you are a Penn State technical employee who needs to implement an integration of the 2FA service for an application or system, you will need to complete the 2FA integration request form.
After submission, you will be contacted by IAM staff who will provide you with integration keys that are required for your deployment.
Please visit https://duo.com/docs prior to submission to see which services and systems Duo 2FA supports, and to make sure you know which specific integration to enter into the Integration Type field on the form.