This article, part of Penn State's ongoing Secure Penn State series, provides information about Penn State’s two-factor authentication (2FA) service, the changes taking place with WebAccess on Dec. 3, and next steps for faculty and staff members.
UNIVERSITY PARK, Pa. — Today, more than half of Web application compromises happen with passwords stolen by cyber criminals, according to the 2015 Data Breach Investigations Report. Many of these criminals use malware to evade anti-virus detection software and steal information. Because of these advanced techniques, many universities find password protection challenging. To help protect its academic, administrative and research data, Penn State reset more than 18,000 compromised passwords in fiscal year 2014–15.
As cyber attacks become an ever-increasing reality for higher education institutions, Penn State, along with other major universities, has accelerated its efforts to further safeguard research, data and digital identities. Among these security measures is an initiative to expand the use of two-factor authentication (2FA) by Penn State faculty and staff members.
While user IDs and passwords provide one layer of protection against cyber criminals, 2FA will offer a second layer of security when signing into Penn State systems and services. Since 2FA requires an additional identification component — usually in the form of a notification sent to mobile devices, tablets or desk phones — it is less vulnerable to theft.
WebAccess and 2FA changes on Dec. 3
Beginning on Dec. 3, 2FA will be activated on 2,300 websites behind WebAccess, the University’s login authentication system for such services as WebMail, ANGEL and the Employee Self-Service Information Center (ESSIC), among many others.
This change means anyone who is already enrolled in 2FA as of Dec. 3 will need to log in to WebAccess using their Penn State user ID and password combination and the device they’ve enabled with 2FA. Login will not change for students, faculty and staff members who are not enrolled in 2FA by Dec. 3.
Additional information about 2FA and WebAccess
If you are a faculty or staff member, the following information will help you learn more about what you need to do if you are 1) fully enrolled, 2) partially enrolled or 3) not enrolled in 2FA.
1) If you are fully enrolled in 2FA
On Dec. 3, you will be required to begin using 2FA to log in to WebAccess by verifying your identity using your Penn State user ID and password combination and the device you enrolled in 2FA. Although this is one additional step each time you log in to WebAccess, the process should be easy and quick.
If you haven’t already done so, it is important to enroll at least two devices (such as a smartphone and tablet) in 2FA to avoid difficulties authenticating if you lose or don’t have your only enrolled device with you.
2) If you are partially enrolled in 2FA
If you already started the 2FA enrollment process, but did not finish, you can complete your enrollment here.
If you choose to complete your enrollment now, you will be required to use 2FA each time you log in to WebAccess beginning on Dec. 3. It is also important that you enroll a second device in 2FA to avoid difficulty authenticating in case you lose or don’t have your only enrolled device with you.
3) If you are not enrolled in 2FA
If you are not enrolled in 2FA by Dec. 3, you do not have to do anything until 2FA becomes mandatory for all Penn State faculty and staff members in late spring 2016. However, you can take advantage of 2FA’s security features any time by opting in early.
2FA moving forward
Although enrollment in 2FA is optional at this time, all Penn State faculty and staff will be required to enroll in 2FA by the end of spring semester 2016.
The following Penn State community members will not be required to enroll in 2FA:
- Students
- Retirees
- Colleagues and research partners from other institutions who access Penn State systems using Friends of Penn State Accounts or their own university credentials
If you need assistance related to 2FA, contact the IT Service Desk at 2FAsupport@psu.edu. In addition, you can find answers to frequently asked questions about 2FA and the WebAccess rollout.