Penn Computing

Penn Computing

Computing Menu Computing A-Z
Computing Home Information Systems & Computing Penn

Main Service Page

Penn WebLogin two-step verification: FAQ

Opting In & Account Management

  • Q. What can I manage about my enrollment in two-step verification?
  • Q. Why can I print my one-time-use codes but not my password?
  • Q. I'm trying to set up a friend to help me; why can't I find them in the search results?
  • Q. I opted out of the two-step verification service, but I still see a lot of functions on the settings page; am I really opted out?
  • Q. How do I update the email address used for notifications about two-step verification?
  • Q. I have more than one phone (or other device) running Google Authenticator. Can I use both?
  • Q. What devices can be used with two-step verification - must I use a smartphone?
  • Q. Can I use both a smartphone and a hardware token (keychain fob)?
  • Using Two-Step Verification

  • Q. How do I find my Two-step verification code?
  • Q. How long is a single-use code sent to my phone valid?
  • Q. Do I to have to enter a two-step verification code every time I log in using PennKey WebLogin?
  • Q. What if I share a trusted browser with someone else using two-step verification?
  • Q. What applications will prompt me for a second factor?
  • Authenticator Apps

  • Q. What authenticator applications can I use with Penn's Two-Step Verification?
  • Q. I already use Google Authenticator with my Gmail account. Will Google Authenticator work with both Gmail and Penn's two-step verification service?
  • Q. I already use Microsoft Authenticator with my Microsoft account. Will Microsoft Authenticator work with both Microsoft and Penn's two-step verification service?
  • Q. I'm having trouble with Google Authenticator - the "Edit" button doesn't do anything.
  • Q. What is Google's involvement in Penn's two-step verification service?
  • Troubleshooting

  • Q. I just got a new phone, and now Google Authenticator doesn't show my user@upenn.edu account any more. What should I do?
  • Q. I'm having trouble logging in or I don't have my phone - how do I log in now?
  • Q. I'm not in the pilot, so why do I see a prompt for the verification code?
  • Q. I requested a single-use code via text message to my phone and it still hasn't arrived. When I can expect it?
  • Q. I wasn't prompted for a two-step verification code when I logged in. I'm enrolled in the service and I'm not using a trusted browser. What happened?
  • Q. I've selected "Trust this browser" but it doesn't seem to stick. What might be going wrong?
  • Making Two-Step Verification Better

  • Q. I have ideas for improving two-step verification; whom should I contact?


  • Opting In & Account Management


    Q. What can I manage about my enrollment in two-step verification?
    A. You can use the Manage settings page to opt in/out, generate new printable single-use codes, or opt in using a new mobile device. You can also configure your self-service support or "lifeline" options. You will need a two-step verification code in order to access this page.


    Q. Why can I print my one-time-use codes but not my password?
    A. Your password is reusable, so if someone steals it, they can keep using that password with your account over and over again. One-time-use codes can only be used once and are easily invalidated if necessary. Two-step verification is based in the idea of 1) something you know (your password) and 2) something you have (your smartphone or token, or your printed codes).

    You should also store your codes in your wallet. You're likely to always know where your wallet is and immediately notice when it's missing. That way, you can quickly invalidate your codes if your wallet is stolen or lost. Also, even if it is lost, the person who steals or finds it only has your one-time-use codes, and can't log in without your password. Don't write down your password!


    Q. I'm trying to set up a friend to help me; why can't I find them in the search results?
    A. A friend must be a current student or member of the faculty or staff in order to appear in the results. Remember to search by their PennKey (the portion of their Penn email address before the @ sign). If your friend has elected to suppress their listing in the Directory's Penn view for privacy reasons, some information about them may not display in the search results.


    Q. I opted out of the two-step verification service, but I still see a lot of functions on the settings page; am I really opted out?
    A. Yes, you're opted out. Your profile information remains, in case you decide to opt in again later, so you don't have to re-enter everything. Your activity log also remains available in case you wish to review it.


    Q. How do I update the email address used for notifications about two-step verification?
    A. We use your email address of record from the Online Directory, so you can update it there, or from the two-step verification Manage settings page, click "Profile," and follow the link to "edit email address."


    Q. I have more than one phone (or other device) running Google Authenticator. Can I use both?
    A. Yes. You can either opt them both in at the same time, or add a new one later. Just go to the Manage settings page and click "Add phone or device."


    Q. What devices can be used with two-step verification - must I use a smartphone?
    A. This list of recommended apps for various types of smartphones indicates which mobile operating systems will work. NOTE: your device does not need to have a data plan in order for you to participate. Indeed, once you've installed the app, your device doesn't even need network access at all. The app simply runs on your device and performs a calculation to determine the next verification code for your account.

    If you do not have a device that can run an authenticator app, you can use a hardware token (keychain fob). ISC is using the SafeID/Blade tokens from Deepnet Security. You can purchase a hardware token from the Computer Connection, and expect it to last 3 years.


    Q. Can I use both a smartphone and a hardware token (keychain fob)?
    A. Yes. It's easiest to activate the hardware token first, and then activate the app on your smartphone. However, the reverse order is possible too, and the Manage settings page will step you through the process.

    Using Two-Step Verification


    Q. How do I find my Two-step verification code?
    A. Launch the authenticator app on your phone (the same app you used to enroll) or press the button on your hardware token (keychain fob); a code will automatically be displayed. If more than one code is visible, use the one labeled with your pennkey@upenn.edu. A new code is generated every 30 seconds (on an authenticator app, a countdown clock will be visible). Penn WebLogin will still accept a verification code after the authenticator app or hardware token generates a new code, but you should enter it promptly. If you wait too long, it will expire and you will have to start over.


    Q. How long is a single-use code sent to my phone valid?
    A. The code must be used within 20 minutes.


    Q. Do I to have to enter a two-step verification code every time I log in using PennKey WebLogin?
    A. Yes, unless you elect to trust your browser. If you're using a browser that only you have access to, you can check "Trust this browser" when entering a verification code in the two-step verification log-in screen, and you'll only be prompted again if you haven't logged in from that browser in the past 30 days.


    Q. What if I share a trusted browser with someone else using two-step verification?
    A. If you log in with two-step verification and trust the browser, any user who has previously trusted that browser in that computer account will have to enter their second factor when subsequently logging in. In other words, a browser can only be trusted for one user at a time.


    Q. What applications will prompt me for a second factor
    A. Any application that authenticates using Penn Weblogin should automatically require the second factor once you've opted in; this includes single sign-on, so you'll need to enter your second factor for Penn+Box both on the web and in the application. You will not have to enter a second factor for any application that uses Active Directory (like your desktop login), Kerberos (like Assignments), or RADIUS (like AirPennNet).


    Authenticator Apps


    Q. What authenticator applications can I use with Penn's Two-Step Verification?
    A: Penn maintains a list of recommended apps for various types of smartphones in common use at the University. Penn WebLogin two-step verification is built on the OATH open industry-wide standard, using the TOTP algorithm. The apps listed in the link above have been widely tested at Penn and are known to be compatible and supported with Penn's implementation, but any authenticator app that can generate codes using TOTP should work with Penn WebLogin two-step verification.

    If you do not have a smartphone, you can use a hardware token (keychain fob): a small device that perpetually generates new codes for your account. Any hardware token that uses OATH TOTP should be compatible with Penn's two-step verification, service. ISC is using the SafeID/Blade tokens from Deepnet Security; you can purchase one from the Computer Connection.


    Q. I already use Google Authenticator with my Gmail account. Will Google Authenticator work with both Gmail and Penn's two-step verification service?
    A. Yes. You'll see two codes on the Google Authenticator screen - one with your Gmail address, and one with your Penn address.


    Q. I already use Microsoft Authenticator with my Microsoft account. Will Microsoft Authenticator work with both Microsoft and Penn's two-step verification service?
    A. Yes. You'll see two codes on the Microsoft Authenticator screen - one with your Microsoft address, and one with your Penn address.


    Q. I'm having trouble with Google Authenticator - the "Edit" button doesn't do anything.
    A. We've seen this problem with app version 1.1.4.757 on the iPhone. We recommend updating to the latest version of Google Authenticator. Alternatively, to work around the issue, select the "Legal Information" button, and then the "Google Authenticator" (back) button. This should make the "Edit" button active.


    Q. What is Google's involvement in Penn's two-step verification service?
    A. None. Google developed the open-source code for Google Authenticator based on the OATH open standard, and Google Authenticator is a widely used, freely available program for generating OATH TOTP codes. No data is transmitted to or from Google at any time, and any OATH TOTP authenticator app is compatible with Penn's two-step verification.


    Troubleshooting


    Q. I just got a new phone, and now Google Authenticator doesn't show my user@upenn.edu account any more. What should I do?
    A. You'll need to use the "Add phone or device" on the Manage settings interface, as follows.

    1. Go to the Service Page and click Manage settings.
    2. Log in: after you provide your PennKey password, you'll need to use a backup method to enter the verification code. If you have printed backup codes (e.g. in your wallet) use the next unused code. Otherwise, click the "Trouble logging in" link to have a single-use code sent to a backup phone you designated when you opted in.
    3. Once you're in the Manage settings interface, click "Add phone or device" and it will step you through the process.


    Q. I'm having trouble logging in or I don't have my phone - how do I log in now?
    A. If you've logged in during the past 30 days using a different browser and checked the "Trust this browser" box, try using that browser to log in. If you printed out single-use codes at the time you enrolled (or generated them afterwards using the two-step verification settings page) you can use one of those codes; enter the next unused one in sequence. If you don't have them, you can go to the trouble logging in page for help. You'll then be able to invoke one of the self-service support options you set up when you opted in: (1) send a single-use verification code to a backup phone number and/or (2) ask a friend to opt you out. If you still need help, contact your Local Support Provider.


    Q. I'm not in the pilot, so why do I see a prompt for the verification code?
    A. You will see this in certain cases if you have Javascript disabled for upenn.edu: (1) if you are using an application that requires reauthentication; or (2) if you typed your password incorrectly the first time. There will be red warning text to indicate that not all fields are required.


    Q. I requested a single-use code via text message to my phone and it still hasn't arrived. When I can expect it?
    A. Typically, texts are delivered within a few minutes, but delivery delays can happen depending on the cell carrier's infrastructure.


    Q. I wasn't prompted for a two-step verification code when I logged in. I'm enrolled in the service and I'm not using a trusted browser. What happened?
    A. During the pilot stage of this service, it is configured to "fail open" (to allow access using PennKey and password alone) should a technical problem occur. If such a problem does develop, it will be logged and investigated so that it can be corrected.


    Q. I've selected "Trust this browser" but it doesn't seem to stick. What might be going wrong?
    A. If trusting your browser doesn't work for you, check if it is:

    • in private or safe mode;
    • not acepting cookies from upenn.edu;
    • clearing cookies on exit, (e.g. "Keep cookies until I close Firefox");
    • shared with another user; or
    • has Javascript disabled for upenn.edu sites (using the Noscript add-on or otherwise).

    Making Two-Step Verification Better


    Q. I have ideas for improving two-step verification; whom should I contact?
    A. We'd love to hear your ideas - send email to two-factor-pilot-proj@lists.upenn.edu


    Service Alerts

    top

    Information Systems and Computing
    University of Pennsylvania
    Comments & Questions


    Penn Computing University of Pennsylvania
    Information Systems and Computing, University of Pennsylvania