WashU 2FA Two-Step Authentication

Passwords are increasingly easy to compromise. They can often be stolen, guessed, hacked or phished – even without you knowing.

WashU 2FA—a two-factor (or two-step) authentication service provided by Duo, an industry leader in cyber security services—adds a second layer of security to your WUSTL Key account when accessing the many WashU systems, which contain sensitive personal information. By verifying your identity through the use of a second device, hackers and identity thieves are prevented from logging in these systems, even if they know your WUSTL Key ID and password and you’ll be alerted immediately if someone tries to log in using your credentials.

When must I use WashU 2FA?

2FA (provided by Duo) will soon be expanding to include the student population. This expansion is needed to further reduce the impact of phishing and other malicious campaigns which are engineered to steal student’s personal and sensitive information. All students will be required to use 2FA when accessing most WashU systems and services from off-campus networks.

WashU 2FA Support & Questions

Please contact the WashU IT Service Desk at 314-933-3333.

WashU 2FA

WashU 2FA extends protection to most WUSTL Key enabled sites, allowing users to opt-in to two-factor authentication while logging into websites that don’t currently require 2FA authentication.

Below are a few examples of these supported sites:

  • One.wustl.edu
  • Office 365 Outlook Web App (email on the web)
  • Blackboard (for students)
  • Learn@Work

How It Works

  1. Enrollment in WashU 2FA is simple. Visit the WashU 2FA enrollment wizard.
  2. Choose when you want the protection applied.
    • The default setting is Only when off campus – remote locations such as a business or residential internet connection. However, you have the option to choose Always – from all sign-in locations, both on and off campus.
  3. Select Save Changes.
  4. Under the Information section, select Enroll in WashU 2FA to enroll your device in Duo.
  5. Under the Choose your Device Type section, select the type of device you would like to enroll and select Continue.
    • We recommend using a smartphone for the best experience, but you can also enroll a landline telephone or iOS/Android tablet.
  6. Finally, follow the prompts based on the device you have chosen to enroll, and that’s it! You can enroll an unlimited number of devices.

Duo Mobile App

When enrolling a smartphone, you have the option to also install the Duo Mobile app. Duo Mobile runs on your smartphone and helps you authenticate quickly and easily. Without it you will still be able to log in using a phone call or text message, but for the best experience, we recommend that you use Duo Mobile. Follow the platform-specific instructions on the screen to install Duo Mobile.

After installing our app:

  1. Return to the enrollment window and select I have Duo Mobile installed. Once enrolled in Duo, you’ll log in to the WashU system as usual with your WUSTL Key ID and password. This is the first step of authentication.
  2. Next, you’ll verify your identity using the device you’ve enrolled with Duo. This is the second step of authentication. This will eliminate extra steps, taken in the past, to ensure better security.

For information on using Duo with cell phones that are not smartphones and landline telephones, visit the Using Duo With Any Cell Phone or Landline Quick Guide.


FAQ

Duo—an industry leader in easy-to-use, world-class security platforms—developed Duo 2FA, a two-factor authentication service that utilizes a secondary device such as a phone or tablet to confirm your identity when you access sensitive information, such as that contained in the university HRMS application. This service provides enhanced security and protects you in the event that someone manages to obtain your login credentials.

Two-factor authentication commonly works by asking for something you know (your password) in combination with something you have (your mobile phone) to confirm your identity across a variety of account activities–such as accessing your accounts from new devices, verifying transactions, or recovering your accounts.

Use of WashU 2FA is required: when accessing WUSTL Key Single Sign-on (SSO) from any non-trusted network and when accessing the WashU CFU User VPN login portal from any network.

The WashU 2FA service is for current WashU employees, students, and anyone (parents, university partners, vendors, visitors and/or contractors) who may access the services listed above.

No, enrollment for access to identified systems is mandatory.

Yes! You can enroll your mobile phone, your landline phone, and your tablet.

Yes. Open the Duo app on your smartphone or tablet and select the Duo key icon in the upper right-hand corner of the screen to generate a passcode. Generating passcodes does not send any kind of message or use data and you can generate passcodes even when you are not connected to a network. Using Duo to generate passcodes will not incur any data or text messaging costs.

Yes. In the Duo mobile app, simply click the key on the upper right-hand side of the screen or select the Generate Passcode button on Microsoft OS devices to generate a numeric passcode that you can use without a network connection. Alternatively, you can use the Duo text passcodes feature to generate a list of single-use passcodes that you can use if you won’t have access to your phone at all.

The second factor of authentication is separate and independent from your username and password. Duo never sees your password.

Yes. Duo accepts international phone numbers.

Duo 2FA devices cannot be registered to more than one person. If you are trying to add a device (such as a home phone) that is shared with someone else, and that device has already been registered to another person, you will receive an error message.

WashU 2FA Duo registrations are refreshed every 24 hours.

Lost or stolen mobile computing devices must be reported to the Privacy Office or the Information Security Office immediately. This shall occur before the user of the device cancels the service with the provider. You can review the Mobile Device Security Policy here. You must also log in to the WashU 2FA service and unenroll the device.

Please call the WashU IT Service Desk 314-933-3333 to verify information and have the old device removed.

  1. Visit the enrollment wizard to access the enrollment wizard.
  2. Scroll down and select manage enrollment.
  3. Choose an authentication method other than Send Me a Push
    1. Option 1:
      1. Select Call Me and then follow the instructions from the automated call.
    2. Option 2:
      1. Select Enter a Passcode.
      2. Select Text me new codes.
      3. Once you have received the code(s) via text, enter one of the codes into the field and then select Log In.
  4. Select add another device and then Continue.
  5. Select your device type and then Continue.
  6. Enter your phone number.
  7. Select the checkbox next to: (XXX) XXX-XXXX This number already exists, replace it?
  8. Select Continue.
  9. Choose your device type and then Continue.
  10. The next screen will prompt you to download the Duo app to your new phone.

    • If you have not installed the app, install it on your new phone and then select I have Duo mobile installed.
    • If you have already installed the app, immediately select I have Duo mobile installed.
  11. After you select I have Duo Mobile installed, you will have to activate Duo on your new phone by scanning the barcode on your computer screen.
    1. Open the Duo Mobile app on your phone.
    2. Tap the “+” button.
    3. Hold your phone up to the computer screen to scan the barcode.
    4. Once scanned, a green checkmark will appear across the barcode. Select Continue.
    5. You will be redirected back to the My Settings & Devices screen.

  12. Your new mobile device connection is complete.

While the app transfers from device to device, the configuration of each device is specific and will need to be reactivated on new devices.

In the DuoMobile App there is a key next to WashU2FA- clicking this key has a hidden code. You can request to be texted codes (list of 10) prior to leaving cell service and they can be used in order. You can also call the WashU IT Service Desk and request a one-time use one-hour expiring bypass code.

Mobile Push Mobile Passcode Phone Code SMS Text Message Temporary Passcode
Enroll a smartphone (recommended) X X X X
Enroll a tablet X X
Enroll a basic cell phone X X
Enroll a landline phone X
Call the WashU IT Service Desk (314) 933-3333 X