2FA: Log in to WebAccess using Two-Factor Authentication

Article Intended For

Penn State faculty, staff, students, and other affiliates currently enrolled in two-factor authentication (2FA).

Introduction

Each time you authenticate your log in to WebAccess, you have the opportunity to select the device and the method you would like to use.  The choices you see on the 2FA Authentication Required screen reflect the devices you've enrolled.

This article includes the following information:

General Instructions for Authentication

What to Do If You Receive an Authentication Request You're Not Expecting

Specific Instructions for Each Method of Authentication (including which are available for each device)

Step-by-Step Instructions

General Instructions for Authentication

1. Navigate to the website or service you wish to log in to.

NOTE: If you have already logged in to another resource using WebAccess today, you may not be required to log in again in order to gain access to other WebAccess protected sites.

2. On the WebAccess log in screen, enter your user ID (Example: abc123) and password to log in to your Penn State Access Account; then click Log In. 

The 2FA Authentication Required screen is displayed. A drop-down list shows the devices you have enrolled for 2FA, using the nicknames you chose when you enrolled them.

3. Choose the method you would like to use to authenticate:

1. From the drop-down list of your enrolled devices, select the device to which you would like the 2FA service to send an authentication request and the method you would like to use.

OR

2. If you have used one of your enrolled devices to generate a passcode, or have been provided a passcode by the IT Service Desk, enter it in the box provided.

4. Click Log In.  If you selected one of your enrolled devices, rather than entering a passcode, use the device to complete the authentication process.

See Specific Instructions, below, for more details about using each method.

What to Do If You Receive an Authentication Request You're Not Expecting

When should I deny a request?

If you receive a phone call or Duo Push authentication request when you're not trying to log in to the requesting service, you should deny the request.

When should I report a fraudulent request?

Reporting a fraudulent request will lock your account. So, before you report an authorization phone call or Duo Push notification as fraud, see knowledge base article 2FA: I got a Request to Authenticate When I Wasn't Trying to Log In to learn about other reasons you may receive an unexpected authorization request.

NOTE:  If you deny a Duo Push notification, the app will immediately prompt you to identify the request as either a mistake or fraud.  If you're not familiar with the other reasons for an unexpected authentication request, choose Mistake, and review the above referenced knowledge base article. 

Specific Instructions for Each Method of Authentication

The list below indicates the method(s) of authentication that are available for each type of device. 

Click one of the following links to navigate to the section of this article that describes how to use the specific device and method you're interested in.

Smartphone - Duo Mobile app installed and active

• Duo Push (requires internet connection)
• Duo Passcode (does not require internet connection)
• Phone Call
• SMS Text Passcode

Smartphone - Duo Mobile app not installed or not active

• Phone Call
• SMS Text Passcode

Basic Cellphone

• Phone Call
• SMS Text Passcode

Landline

• Phone Call

Tablet with Duo Mobile app installed and active

• Duo Push (requires internet connection)
• Duo Passcode (does not require internet connection)

Duo Token

• Hardware generated Passcode

Apple Watch

• Duo Push
• Duo Passcode

Use Duo Push to Authenticate

Device Requirement:  The Duo Push method can be used with the following enrolled devices:

• A smartphone on which the Duo Mobile app has been installed and activated
• An Apple watch on which the Duo Mobile app has been enabled
• A tablet on which the Duo Mobile app has been installed and activated

Additional Requirements: 

• The phone or tablet you're using to authenticate must have an internet connection.
• To receive Duo Push notifications on your Apple Watch:
  • You must enroll and install Duo Mobile on your iPhone
  • You must enable Apple Watch notifications for Duo Mobile.  See knowledge base article 2FA: Add (Enroll) a Phone for Use with Two-Factor Authentication to learn how.
  • Your phone must be locked.

Instructions:

On the phone or tablet you're using for authentication:

1. Make sure the screen is unlocked (unless you wish to authenticate using your Apple Watch, in which case your phone must be locked).

On the device you're using to log in to the site you want to access (laptop, desktop, phone, or tablet):

1. Navigate to the website or service you wish to log in to.
2. On the WebAccess log in screen, enter your user ID (Example: abc123) and password to log in to your Penn State Access Account; then click Log In.

The 2FA Authentication Required screen is displayed.  A drop-down list shows the devices you have enrolled for 2FA, using the nicknames you chose when you enrolled them.

3. If it's not already selected, select the smartphone or tablet you wish to use to authenticate from the drop-down list of enrolled devices.

If you have previously downloaded and activated the Duo Mobile app, Duo Push will already be selected as the default method of authentication.

NOTE:  If Duo Push is not displayed as an option, you may need to re-activate Duo Mobile.  See knowledge base article 2FA: Activate or Re-Activate DUO Mobile on my Smartphone to Receive 2FA Push for additional information.

4. Click Log In.

A log in request is sent to your authentication device. 

On the device you're using to authenticate (your smartphone, tablet, or Apple watch):

5. A log in request notification is displayed on your screen.  It shows the name of the resource requesting authentication (in this case, WebAccess), and offers the option to Approve or Deny the request.

Follow the on-screen instructions to approve the request.  The website you're logging in to appears as soon as you approve the authentication request.

Use a Duo Passcode to Authenticate

Device Requirement:  The Duo Passcode method can be used with the following enrolled devices:

• A smartphone on which the Duo Mobile app has been installed and activated
• An Apple Watch on which the Duo Mobile app has been enabled
• A tablet on which the Duo Mobile app has been installed and activated

Additional Requirements: 

• The phone or tablet you're using to authenticate does NOT need to have an internet connection.
• The phone or tablet you're using to authenticate does NOT need to have a cellular connection.
• To use your Apple Watch to generate a Duo Passcode, you must have enrolled and installed Duo Mobile on your iPhone and enabled Apple Watch notifications for Duo Mobile. See knowledge base article 2FA: Add (Enroll) a Phone for Use with Two-Factor Authentication to learn how.

Instructions:

On the device you're using to log in to the site you wish to access (laptop, desktop, phone, or tablet):

1. Navigate to the website or service you wish to log in to.
2. On the WebAccess log in screen, enter your user ID (Example: abc123) and password to log in to your Penn State Access Account; then click Log In.

The 2FA Authentication Required screen is displayed.  A drop-down list shows the devices you have enrolled for 2FA, using the nicknames you chose when you enrolled them.

On the device you wish to use to authenticate (your smartphone or tablet):

3. Open the Duo Mobile app. 

On your Android or iPhone:

1. If Penn State is the only account you have linked to Duo Mobile, a Duo passcode is displayed on your screen as soon as you open the app on your Android or iPhone.

2. If you have more than one account linked to Duo Mobile on your Android or iPhone, tap the down-arrow (  ) next to your Penn State account to expand it and show your Duo passcode.

On your Windows phone:

Tap the green key symbol  or Generate Passcode , depending on your version of Windows.

On the device you're using to log in to the site you wish to access (laptop, desktop, phone, or tablet):

4. In the Passcode box on the 2FA Authentication Required screen, enter the six-digit code generated by Duo Mobile.

5. Click Log In.

The website you're logging in to appears.

If it doesn't, return to the Duo app on your phone and tap the refresh symbol (  ) to generate a new passcode.  Enter the new passcode in the Passcode box on the 2FA Authentication Required screen, and try again.  If you're not logged in at this point, call the IT Service Desk for assistance.

Use a Phone Call to Authenticate

Device Requirement:  The phone call method can be used with the following enrolled devices:

• An enrolled smartphone with or without the Duo Mobile app installed
• An enrolled basic cellphone with voice and text only (non-smartphone)
• A landline telephone

Additional Requirements:

• If you're using a smartphone or basic cellphone to authenticate, it must have a cellular connection.

Instructions:

On the device you're using to log in to the site you wish to access (laptop, desktop, phone, or tablet):

1. Navigate to the website or service you wish to log in to.
2. On the WebAccess log in screen, enter your user ID (Example: abc123) and password to log in to your Penn State Access Account; then click Log In.

The 2FA Authentication Required screen is displayed.  A drop-down list shows the devices you have enrolled for 2FA, using the nicknames you chose when you enrolled them.

3. If it's not already selected, select the phone you wish to use to authenticate from the drop-down list of enrolled devices.

4. Select Phone Call to indicate the method of authentication you wish to use, and click Log In.

The 2FA service generates a phone call to the phone you selected.

5. Answer the phone call and follow the instructions you hear to approve the authentication request.

The website you're logging in to appears as soon as you approve the authentication request.

Use SMS Text Passcode to Authenticate

Device Requirement:  The SMS text passcode method can be used with the following enrolled devices:

• Any enrolled device capable of sending and receiving text messages

Additional Requirements: 

• The phone you're using to authenticate does NOT need to have an internet connection.
• The phone you're using to authenticate must have a have a cellular connection in order to request and receive a list of passcodes in a text message.
• Once you receive the text message, you don't need a cellular connection to use the passcodes it contains for authentication.

Instructions:

On the device you're using to log in to the site you wish to access (laptop, desktop, phone, or tablet):

1. Navigate to the website or service you wish to log in to.
2. On the WebAccess log in screen, enter your user ID (Example: abc123) and password to log in to your Penn State Access Account; then click Log In.

The 2FA Authentication Required screen is displayed.  A drop-down list shows the devices you have enrolled for 2FA, using the nicknames you chose when you enrolled them.

3. Select the phone on which you wish to receive a text message from the drop-down list of enrolled devices.

4. Click Send text with Passcodes to My Cellphone (just below the box that says Passcode).

The 2FA service sends a text message with 10 one-time use passcodes to the phone you selected. 

5. On the 2FA Authentication Required screen on the device you're using to log in, enter one of the passcodes from the text message in the Passcode box, and click Log in.

The website you're logging in to appears.

NOTE:  You may use the remaining passcodes for future log-ins.  Each passcode may be used for one log in.  Each time you select the same phone for authentication, a hint just above the link you clicked in Step 4, above, indicates which of the remaining passcodes should be used next.

Use a Hardware Generated Passcode to Authenticate

Device Requirement: 

• Duo Tokens are the only type of hardware tokens that may be used for 2FA.  Other legacy hardware tokens, such as Vasco tokens, will not work.  To learn how to purchase a Duo Token, see knowledge base article 2FA: Purchase a Duo Token for Use with Two-Factor Authentication.

On the device you're using to log in to the site you wish to access (laptop, desktop, phone, or tablet):

1. Navigate to the website or service you wish to log in to.
2. On the WebAccess log in screen, enter your user ID (Example: abc123) and password to log in to your Penn State Access Account; then click Log In.

The 2FA Authentication Required screen is displayed.  A drop-down list shows the devices you have enrolled for 2FA, using the nicknames you chose when you enrolled them.

3. Press and release the button on your Duo Token to display a passcode.
4. Enter the passcode in the Passcode box on the 2FA Authentication Required screen and click Log In.

The website you're logging in to appears.

5. If the code you entered simply disappeared without logging you in:

• It may be that your token is out of sync. Tokens can get out of sync when the button is pressed too many times in a row and the generated passcodes aren't used for login. This may happen inadvertently, for example, when you carry your token in your pocket or handbag. Tokens may also get out of sync when you cross into a different time zone.
• If the first code you enter is not accepted, try re-syncing the token by repeating steps three and four up to three more times. NOTE: Wait for the code displayed on the token to disappear before pressing the button again.

• If, after entering three failed codes, you don't get a confirmation message with the fourth, contact the IT Service Desk for assistance.