Two-Step Login processes balance cyber-security best practices with user convenience. They reflect the need to keep personal information and institutional data safe without impeding teaching and research activities.

Accessing web-based applications from shared computers—including those housed in classrooms—can be risky. In 2017, IT security staff discovered that unauthorized users had stolen HawkID credentials using devices connected to shared computers.

Two-Step Login reduces the risk by requiring users to confirm login attempts using devices only they possess.

Device options and methods available for Two-Step in the classroom include:

  • Mobile phones: Responding to a push notification sent to the Duo Mobile app, generating a one-time passcode in Duo Mobile, entering a passcode from a list previously sent by text message, or triggering a phone call and following login prompts.
  • Tablets or Apple Watches: Using Duo Mobile app options available for these devices.
  • Token devices: Entering a one-time passcode generated on a key fob token device available to faculty and staff from ITS.

Token devices are an option for faculty and staff who can’t use other supported devices for Two-Step Login (e.g., they need to log in from locations where phones are not permitted, or where phone/internet service isn’t available). See additional information about requesting and using token devices.

Faculty can also access web-based applications in the classroom using UI-provided or personal laptops that they control. Checking the “Remember me for 30 days” box when completing a Two-Step Login identifies your computer and web browser as a trusted device, so subsequent logins from that device and browser require only your HawkID and password for the next 30 days.

Last updated: March 8, 2018