
May 12: Retire Passcode for WashU Two-Factor Authentication (2FA)

On May 12, Washington University Information Technology will retire Passcode as an authentication method for WashU Two-Factor Authentication (2FA) for all individuals who have not used the passcode authentication method within the last 90 days. The change is intended to enhance information security at the University. The Send Me a Push and Call Me options will remain as viable methods of WashU Two-Factor Authentication (2FA).

Passcodes include:

  • SMS passcode (Text messages)
  • DUO Mobile Passcode
  • Hardware tokens that employ passcode

When Will Passcode Be Retired?

Non-Passcode Users

Individuals who have not used passcodes within the last 90 days will no longer have the passcode authentication method effective May 12.

Passcode Users

Individuals who have used passcodes within the last 90 days will no longer have the passcode authentication method effective May 26.

If you have a business need to continue the use of passcode, such as International Travel, please submit a Policy Exception Form to the Office of Information Security.

Note: Both the use of current passcodes and the request for new passcodes will be retired.


Why Is Passcode Being Removed?

As our information security practices have improved and been more widely adopted at the University, malicious actors have adapted their attacks, showing that the passcode method of two-factor authentication represents a security vulnerability. Passcode authentication is being removed from WashU 2FA to protect against this vulnerability.

Are Passcodes Being Replaced?

If you do not have an approved exception to continue using Passcode, the Passcode option is replaced by a new Bypass Code option. However, bypass code is not a replacement for passcode.

  • If either the Send Me a Push or Call Me methods to validate your WashU 2FA enabled login are not feasible authentication methods, such as during International Travel, then please submit a Policy Exception Form to the Office of Information Security.

Can I Be Exempted From The Passcode Policy?

Individuals who have a need to continue utilizing the passcode authentication method must submit a Policy Exception Request to the Office of Information Security in order to retain access to this option.

To access the DUO Exception Request Form please:

  • Navigate to the DUO Exception Request Form (This is a vended 3rd party service)
  • Enter your WashU email address on the OneTrust login page
  • Enter your WUSTL Key login credentials and WashU 2FA if prompted to do so
  • Select Launch on the Duo Exception Request task.

Please note: The passcode policy exception is temporary and may therefore need to be requested more than once.


What Two-Factor Authentication Method Should I Use?

WashU IT and the Office of Information Security recommend individuals use the Send Me a Push authentication method linked to your mobile device. This method requires the mobile app to be installed and activated on your mobile device.

Instructions for enrolling in WashU 2FA and activating the DUO app on your mobile device can be found in our WashU 2FA Enrollment Instructions.

Notes:

  • The DUO Mobile App does NOT give WashU access to your mobile device. The DUO mobile app facilitates your DUO Authentication only.
  • If you have a smartwatch connected to your mobile device, you can provide the DUO Authentication there as well without having to retrieve your phone from your bag, pocket, or purse.
  • DUO security has provided additional fraud detection options that will be enabled to help prevent anomalous push authentication attacks.

The Call Me authentication method will also remain available and allows you to verify your login via a phone, negating the need to utilize a mobile device.


How Will the WashU 2FA Authentication Screen Change?

If you have received an approved exception to the passcode retirement policy, the WashU 2FA Authentication screen will not change at all.

If you did not apply for an exception, or your exception request was not approved, the passcode option will be replaced by a bypass code option.

Note:

  • The new bypass code option will not allow you to generate a new passcode nor does it allow you to use a previously generated passcode.
  • If either the Send Me a Push or Call Me methods to validate your WashU 2FA enabled login are not feasible authentication methods, such as during International Travel, then please submit a Policy Exception Form to the Office of Information Security.

Where Can I Get More Information About Two-Factor Authentication (2FA)?

Please visit the WashU Two-Factor Authentication (2FA) page on https://live-it-washu.pantheonsite.io for more information, frequently asked questions, enrollment instructions, and more.