Skip to content Skip to site navigation Skip to service navigation

Two-Step Authentication

  • With the implementation of the Duo Universal Prompt on Oct. 25, all legacy printed lists have been deprecated and can no longer be used. Please use Duo Push or another authentication option.
  • The SMS (text message) and phone call options are not recommended for user groups deemed to be at greater risk of targeted compromise, such as IT staff and high profile users who access High Risk data. These methods may be disabled for members of these user groups (with prior change communication) or those who opt in to have it disabled. Additionally, this option incurs a per-use telephony fee for the University.

Overview

Two-step authentication uses two forms of authentication to verify your identity. First, you enter your SUNet ID and password. Then you need a physical device such as your mobile phone, tablet, or landline phone to complete the login. This approach protects your Stanford account from fraudulent access.

There are seven physical devices that you can use to provide the second factor of two-step authentication. Each device has one or more authentication methods available.

Device Type Authentication Options Supported Platforms
Smartphone
  • Duo Mobile push notification (recommended)
  • Duo Mobile passcode
  • SMS text message (not recommended)
  • Phone call (not recommended)
  • iOS
  • Android
  • Windows Mobile
Tablet
  • Duo Mobile push notification (recommended)
  • Duo Mobile passcode
  • iOS
  • Android
  • Windows Mobile
Mobile Phone
  • SMS text message (not recommended)
  • Phone call (not recommended)
  • Mobile phones with SMS text messaging capability
Landline
  • Phone call (not recommended)
  • All phones
Hardware Token
  • Passcode
  • A "keychain" hardware token displays two-step codes at a push of a button.
YubiKey
  • Passcode (deprecating)
  •  With the enablement of the Security Key option, an existing Yubikey used to generate a passcode should be self-enrolled as a Security Key, after which the previous Yubikey record can be removed (unless there is still a need for passcode-based authentication for non-web-enabled services).
Security Key
  • Security key
  • A U2F/FIDO2 compatible device (such as Yubikey) can facilitate passcodeless two-factor authentication.

Note: If you currently use Google Authenticator for your second factor you can continue to do so. However, you are no longer able to set up Google Authenticator on your smartphone or tablet. The Duo Mobile app is the preferred replacement.

Getting started

To get started, select the device you want to set up:

One device must be designated as your default device, and your default device must have a preferred way to authenticate. Stanford Login prompts you to authenticate using your default device and preferred method but you have the option of authenticating using a different device (if you have other devices set up) or method.

You are strongly encouraged to set up a backup device in case your primary device is lost or unavailable.

What to expect with two-step authentication

Once you enable two-step authentication, you may see an extra page after you sign into a Stanford resource via Login. When prompted for Two-Step Authentication, you will always be offered your last-used authentication method.  To choose a different authentication method from what is provided initially in the prompt, you can select Other options to choose one of the other options that may be available to you. How frequently you are asked to authenticate on your default device varies, depending upon:

  • the website you're accessing (for added security, some sites always require a two-step authentication)
  • your individual browser settings (whether or not you clear cookies)
  • whether or not you use more than one computer and web browser (two-step authentication is requested at least every 90 days for each computer and each browser you use to access protected websites)
  • if you are prompted with a screen that asks if you want to trust the browser. You’ll have the option to select “Yes, trust browser.” This takes the place of the “Remember Me” screen. If you click “Yes, trust browser” the browser will automatically remember you, and you will not be prompted to authenticate for that application or service for the next 90 days.

How you authenticate depends upon the device and method you chose for two-step authentication: 

  • If you chose Duo Mobile push notifications: a push notification is sent to the device, and you can review the request and tap Approve to authenticate. Internet or cellular access is required.
  • If you chose a Duo Mobile passcode: launch the Duo app on your mobile device and click the key icon to see your current six-digit passcode. Enter the passcode on the two-step authentication screen to authenticate. Because this method is time-based, you don't need cellular service or internet access.
  • If you chose SMS text message: you receive a text message on your device containing a passcode. Enter the passcode on the two-step authentication screen to authenticate.
  • If you chose Phone Call: you receive an automated phone call that requires you to press or tap any key on your phone to authenticate.
  • If you chose Hardware Token: press a button on the token to obtain a passcode, then enter the passcode on the two-step authentication screen to authenticate.
  • If you chose Security Key: press the Security Key sensor when prompted to authenticate.

Information for international travelers

We recommend that anyone who travels internationally and needs to log in to Stanford websites use the Duo Mobile Passcode option, Security Key, or a hardware token. You can use Duo Mobile Passcode to generate your authentication code without an Internet or cellular connection. If you don't have a smartphone or tablet, obtain a security key or hardware token.

Some links for troubleshooting Duo issues

Last modified October 31, 2022