Skip to content Skip to navigation

How Two-Step Authentication Works


A good way to think of two-step authentication is like keeping a safe in your house. Your front door has a lock on it (password) that keeps your things safe. Some of your possessions — such as a passport or heirlooms — are too important to be trusted to an ordinary door lock. You keep those items securely inside your safe, requiring a would-be thief to get past both your front door and your safe's lock before they can steal your most valuable possessions.

Traditionally, when you want to log into your account at Stanford, you've used your password to do so, similar to opening your front door with your house key. While a password is a good way of keeping your account safe, if someone figures yours out, they can easily use that information to access your private data and see whatever you're allowed to see.

Two-step authentication makes it much harder for people to access your most sensitive or important data, by providing you with a second way to protect it, much like the safe in your house. Someone who wants to access two-step protected data in your account will need to use two "authentication steps" before they can get into it.  The first authentication step is  your SUNet ID and password.  The second authentication step is provided by a physical device that you have with you.


To set up your second factor for two-step authentication, you first need to select a device to use to for authentication.  Your choices are smartphone, tablet, mobile phone, landline and printed list. Each device has one or more methods that can be used to authenticate, such as SMS text message, push notification, passcode, and phone call. You need to designate one device as your default device and select a preferred way to authenticate with that device. All authentication methods for a device are enabled when the device is set up but the login page presents your default method first.

Setting up additional devices to use as a backup in case you lose or forget your default device is recommended so that you don't get locked out of your account.

There are various methods you can use to authenticate, depending on your device:

Duo Mobile Push Notification (for smartphones and tablets)
In order to use this method you need to install the free Duo Mobile app and activate it on your device. A push notification is sent to the device, and you can review the request and tap Approve to authenticate. Once a push notification is sent to your device you have 60 seconds to approve the request. Internet or cellular access is required to use this method.
Authenticator Application (for smartphones and tablets)
Duo Mobile is recommended, although if you already have Google Authenticator set up for two-step authentication you can continue to use it . Whenever Stanford's WebAuth system asks for a two-step authentication code, launch this application and a code will appear on your smartphone's screen, which you simply type in like a password. The passcode generator runs on your device so you don't have to have cellular or internet access to get your authentication code (as you do with push notifications and SMS text messages).
SMS Text Messaging (for smartphones and mobile phones with SMS text messaging capability)
If you pick this method, an authentication code is texted to your device from a 313 area code. Normal rates for text messages apply.  If you plan to travel out of country or have an international number, you may want to use an authenticator application, as you might be responsible for the extra charges on international roaming text messages.
Phone Call (for smartphones, mobile phones, and landlines)
With this method, you receive an automated phone call that requires you to press any key on your touch-tone phone  to approve the login request. 
Printed List
When you select this, you receive a list of eighteen authentication codes that you can use when presented with a request  for two-step authentication. The codes must be used in the order printed and are only good for one use. We recommend that you cross out each one with a pen when it's used. When you're down to your last authentication code, go back to the page where you signed up for two-step authentication and use that last code to create a new printed list with eighteen more authentication codes. Note: if you set your challenge level to always require two-step authentication, you will need to keep the last two codes to get a new list.
We recommend treating your printed list like a credit card: keep it in a purse or a wallet where it'll be convenient for you to access, but protected from theft.


After you have set up at least one two-step authentication device and method, you can set other options to protect your account .

Challenge level

You may not want to use two-step authentication to keep your account safe, but you're required to sign up for it because you have to access High Risk Data. Or, you may want the security of knowing that anyone who guesses your password still can't access your account without your second step. You can choose your challenge level, which determines how often you're asked to supply an authentication code when authenticating with Stanford's WebAuth servers. There are two levels:

  • Require two-step authentication once per device every 28 days: This is the default setting. This challenge level ensures that you're prompted for your authentication code at least once every 28 days per device/browser (as well as when you log in to a site that requires two-step authentication). 
  • Always: A challenge level of always ensures that you will be prompted for your authentication code whenever you authenticate with WebAuth. This setting has a higher overhead than the preceding two, but it also provides extra protection for your account.

Off-campus login behavior

Some people do not want their Stanford account to be accessed by anyone (including themselves) from outside of Stanford's network. This setting allows you to choose whether or not your two-step-protected information can be accessed from anywhere in the world or only on Stanford's network.

  • Allow Two-step authentication logins from off-campus: This is the default setting for two-step authentication. It won't restrict access to your account in any location.
  • Deny logons from off-campus: When this setting is selected, you will only be able to use two-step authentication when on a Stanford network address. This means that you'll either have to be physically present on-campus — or else connecting through Stanford's Virtual Private Network — to use two-step authentication.

Applications and two-step authentication

Some data at Stanford requires a high degree of protection to keep it secure. If you think that your data needs a higher than normal level of protection, you can require users to authenticate with two-step authentication when accessing it. You have a couple of choices in how you protect your data, depending on how much security it requires.

  • Random two-step authentication: With random two-step authentication, roughly twenty percent of a user's attempts to access your data will require them to use their authentication code to get access. If a user has been asked for an authentication code, the system will keep requiring it until that user has supplied one, so a potential attacker can't bypass the system just by reloading until the system only asks for a one-step authentication. This is less secure than requiring two-step all of the time, but it does represent a good compromise between security and user convenience.
  • Always require two-step authentication: If your data is extremely sensitive, you can choose to always require two-step authentication so that you'll always have a high level of trust in your users' identities.

To learn how to add two-step authentication, see Two-Step Authentication for Application Owners.

Please submit a Help ticket if you have questions about which option is right for your application.

Last modified February 9, 2017