Skip to content Skip to site navigation Skip to service navigation

Two-Step Authentication

Note: On March 30, login and two-step authentication screens and options are changing. Learn more.

Note: As of March 30, 2018, the ability to generate new printed lists will be discontinued.  The SMS (text message) option will also be discontinued in 2018.  To improve usability, the frequency of two-step prompts for most websites has been reduced from once every 28 days to once every 90 days.


Two-step authentication uses two forms of authentication to verify your identity. First, you enter your SUNet ID and password. Then you need a physical device such as your mobile phone, tablet, or landline phone to complete the login. This approach protects your Stanford account from fraudulent access.

There are five physical devices that you can use to provide the second factor of two-step authentication. Each device has one or more authentication methods available.

Device Type Authentication Options Supported Platforms
  • Duo Mobile push notification
  • Duo Mobile passcode
  • SMS text message (no longer recommended)
  • Phone call
  • iOS
  • Android
  • Windows Mobile
  • Duo Mobile push notification
  • Duo Mobile passcode
  • iOS
  • Android
  • Windows Mobile
Mobile Phone
  • SMS text message (no longer recommended)
  • Phone call
  • Mobile phones with SMS text messaging capability
  • Phone call
  • All phones
Hardware Token
  • Passcode
  • A "keychain" hardware token displays two-step codes at a push of a button.

Note: If you currently use Google Authenticator for your second factor you can continue to do so. However, you are no longer able to set up Google Authenticator on your smartphone or tablet. The Duo Mobile app is the preferred replacement.

Getting started

To get started, select the device you want to set up:

One device must be designated as your default device, and your default device must have a preferred way to authenticate. WebLogin prompts you to authenticate using your default device and preferred method but you have the option of authenticating using a different device (if you have other devices set up) or method.

You are strongly encouraged to set up a backup device in case your primary device is lost or unavailable.

What to expect with two-step authentication

Once you enable two-step authentication, you may see an extra page after you sign into a Stanford resource via WebLogin. This page prompts you to authenticate on your default device using the default method you set up. You also have the option to authenticate using another method on your device or using another device that you have previously set up. The frequency that you are asked to authenticate on your default device varies, depending upon:

  • the website you're accessing (for added security, some sites always require an two-step authentication)
  • your individual browser settings (whether or not you clear cookies)
  • whether or not you use more than one computer and web browser (as of March 30, 2018, two-step authentication is requested at least every 90 days for each computer and each browser you use to access protected websites)
  • whether you check the Remember me for 90 days box during the login process (as of March 30, 2018)

How you authenticate depends upon the device and method you chose for two-step authentication: 

  • If you chose Duo Mobile push notifications: a push notification is sent to the device, and you can review the request and tap Approve to authenticate. Internet or cellular access is required.
  • If you opted to use a Duo Mobile passcode: launch the Duo app on your mobile device and click the key icon to see your current 6-digit code. Because this method is time-based, you don't need cellular service or internet access.
  • If you chose Phone Call: you receive an automated phone call that requires you to press or tap any key on your phone to authenticate.

Information for international travelers

We recommend that anyone who travels internationally and needs to log in to Stanford websites use the Duo Mobile Passcode option or a hardware token. You can use Duo Mobile Passcode to generate your authentication code without an Internet or cellular connection. If you don't have a smartphone or tablet, hardware tokens that generate codes are available.

Last modified March 23, 2018