Skip to content Skip to site navigation Skip to service navigation

How to Fix Two-Step Authentication Issues with WebAuth Websites

If your WebAuth application requires two-step authentication, the user will need to log in and authenticate once with the new two-step screen, and then authenticate once with the legacy two-step screen. The legacy two-step authentication will go to the device that was the user’s default device before the March 30, 2018 change; the user cannot change this default on WebLogin.

What can users do to fix this?

Users will need to authenticate twice on legacy WebAuth sites that require two-step authentication. If necessary, however, they can take these steps to authenticate on their default device:

  1. Users will need to authenticate twice on legacy WebAuth sites that require two-step authentication. You will always be prompted for your last-used authentication method. When asked to do two-step authentication on the new system, the user can click Other options to change their device.

  2. When asked to do two-step authentication on the legacy system, the user can click the Authenticate a different way link to choose their default device.

    Image of push notification

If it is difficult for the user to change their default device each time they do two-step authentication on a WebAuth site, they can submit a Help ticket to permanently update their default device on the WebLogin server.

How can application owners fix this?

To make logging in simpler for users, application owners can change their WebAuth sites so that they do not require two-step authentication every day. To disable requiring two-step authentication on your WebAuth site, look in your Apache configuration and remove any lines like

WebAuthRequireInitialFactor m

or

WebAuthRequireSessionFactor m

Owners can also resolve this problem by migrating their application to SAML 2.0, which you are strongly encouraged to do now. All owners of legacy WebAuth sites will be required to migrate to SAML 2.0 by August 31, 2018.

Why is this happening?

All legacy WebAuth sites now redirect users to the Stanford SAML IdP (Identity Provider) to authenticate, where the user logs in to Stanford Login and does a two-step authentication using the new Duo interface. The IdP then directs the user back to the WebLogin server.

The WebLogin server knows that the user logged in, but does not know whether or not the user did a two-step authentication. If the WebAuth application requires two-step authentication, it asks the user to do another two-step authentication on the legacy screen.

Last modified October 26, 2022