Two-step Verification Rollout
Communicators Toolkit
This document contains:
- Overview
- Roll Out Schedule
- Sample Newsletter Language
- FAQs
- Appendix: Terminology Guide
Also available in the toolkit folder (Harvard account required)
- Presentation slides (PPT)
- Collateral files: Poster, handout
- Graphics, digital signage
- :30 video (coming soon)
Contact:
Acacia Matheson, HUIT Communications
617-495-1824,
Overview
- Harvard is a high priority target for cybercriminals because of our open networks and valuable information. We deal with thousands of attempted hacks every day.
- Commonly, individual credentials (login names and passwords) are used to gain unauthorized access to individual accounts and University systems. Widely adopting two-step verification on HarvardKey will protect our accounts and make us significantly more secure.
- Two-step verification uses a second device, commonly a mobile phone, to verify your identity when you log in. This prevents cybercriminals from using your credentials to access your Harvard account and University networks, even if they have your password.
- Starting this fall, faculty, staff, and students* will be required to use two-step verification when accessing HarvardKey-protected resources, and when logging on to the Harvard network remotely through Virtual Private Networks (VPN). Members of the Harvard community will be notified of the requirement on a rolling basis over the fall semester.
- *Some members, such as DCE students, HMS affiliates, and retirees are encouraged, but not required to use two-step verification on HarvardKey at this time. Everyone will be required to have active two-step verification to connect remotely using VPNs. Two-step verification is not currently available on HarvardKey for alumni.
- Many other institutions, including MIT and Stanford, are already requiring the use of two-step verification.
- By using two-step verification, you are protecting:
- Your personal data like direct deposit information and your Social Security Number. If a cybercriminal reaches this information, they can divert your paycheck, file a fraudulent tax return, or open new accounts in your name.
- University data like sensitive research and administration information. Theft of this kind of information can result in lost grants, harm to critical research initiatives, and the exposure of private information about Harvard and its community.
- Other people's data at Harvard. Although you may not have direct access to sensitive information beyond your personal data, a cybercriminal who steals your account can leverage it to access additional accounts and systems that hold other people's information at Harvard.
Get started at huit.harvard.edu/twostep.
To see when you will be required to use two-step verification, visit huit.harvard.edu/twostep/schedule.
Roll Out Schedule
huit.harvard.edu/twostep/schedule
Individuals who have not activated two-step verification on HarvardKey will receive a weekly email starting approximately 4 weeks before their requirement date.
Population / First email communication / Requirement date
VPN users / 9/12 / 9/28
Graduate School of Design / 9/12 / 9/28
Central Administration / 9/13 / 10/5
Division of Continuing Education (FAC/STAFF)*
Harvard Divinity School
Radcliffe / 9/20 / 10/12
Faculty of Arts and Sciences (faculty/staff/students)
Graduate School of Arts and Sciences
Paulson SEAS / 9/29 / 10/19
Chan School of Public Health
Harvard Medical School/Dental* (Quad only) / 10/12 / 11/1
Graduate School of Education
Harvard Kennedy School
Harvard Law School
Harvard Business School/Publishing / 10/25 / 11/17
TOTAL
Sample Newsletter Language
Two-step verification will soon be required for HarvardKey
To help protect against the pervasive threat of online attacks, the University will soon require the use of two-step verification to access HarvardKey-protected applications and resources. Community members will be asked to activate two-step verification on a rolling basis over the fall semester. Get started at .
FAQs
Why is Harvard requiring two-step verification?
Where will I need to use two-step verification?
When will two-step verification be required for me?
What if I travel or work overseas?
Other FAQs
Online Resources
- Online and printable step-by-step instructions/general information
Huit.harvard.edu/twostep
- Set up a mobile phone
huit.harvard.edu/twostep/mobile
- Set up a tablet
huit.harvard.edu/twostep/tablet
- Set up a landline/non-smartphone
huit.harvard.edu/twostep/landline
- Request a hardware token
email:
- Add second device
huit.harvard.edu/twostep/add-second-device
- Remember me for 30 days
FAQs
What is two-step verification?
Two-step verification adds an extra layer of security to your Harvard account. HarvardKey has partnered with Duo Security to provide this service. You sign in with something you know (your HarvardKey password) and use something you have (commonly a mobile phone) to verify your identity. This way, cybercriminals cannot access your Harvard account, even if they have your password.
Is it difficult to use? Will it interfere with being able to access resources and applications?
Activating two-step verification on HarvardKey (huit.harvard.edu/twostep) should take less than 10 minutes and you will only need to do it once per device. There is an option to “Remember me for 30 days” (for each browser/device) that will allow you to verify your identity only once a month. Setting up a smartphone with Duo Mobile push notification is highly recommended for ease of use (one-tap approval). Users of Harvard Virtual Private Networks (VPNs) will need to enter a Duo passcode each time they begin a new VPN session.
What devices can I use? What if I don’t have a smartphone, or don’t wish to use my personal device?
While a smartphone with the Duo Security mobile app installed is highly recommended for ease of use, you can use a variety of devices and authentication methods to meet your needs. Use of a personal device is not required. Hardware tokens, provided by Harvard, require a USB port and do not work with mobile devices.
Devices and authentication methods that can be used:
How often will I need to use it?
Two-step verification on HarvardKey will need to be used to access HarvardKey-protected resources and applications. You can choose to use it every time, or just once a month for each browser by choosing “Remember me for 30 days” on the two-step verification screen directly after logging in with your HarvardKey (for each browser/device). In most cases, you can still log in to your computer and access desktop applications (including email) without having to use two-step verification.
What happens if I don’t have access to my primary device? What if I forget or lose my mobile phone?
It is expected that, at one point or another, you may not have access to the device you use as your second step. If you add a second device (strongly recommended) when setting up your two-step verification account, you may use that second device to authenticate. Additionally, the HUIT Service Desk has the ability to provide a one-time passcode over the phone (additional information will be required to verify your identity). Call the service desk at 617-495-7777 to speak to a support services specialist.
What if I travel often or work overseas?
Anyone who travels or works internationally and needs to log in to HarvardKey-protected resources can use Duo Mobile Passcode on their smartphone to generate an authentication code without an Internet or cellular connection. If you don't have a smartphone or tablet available, hardware tokens that do not require internet or cellular service are also available.
More information and step-by-step instructions: huit.harvard.edu/twostep
Appendix: Terminology Guide
Recommended / Do not use / Sample language
Two-step verification
Introducing the concept, headings, links /
- Duo two-step verification
- Two-step authentication
- Two-factor
- HarvardKey two-step verification
- Multi-factor authentication
- TSV, 2SV, MFA
- Duo (as standalone) or Duo
Manage two-step verification
(heading or link)
Duo Security or Duo mobile application or app
Referring to the company name and mobile application /
- Duo two-step application
- Two-step application
- Duo
Harvard has partnered with the two-step authentication provider, Duo Security.
Duo Mobile push notification
Duo passcode
SMS text message
Phone call
Referring to the authentication methods available / Duo Mobile push notification will send a prompt to your mobile phone.
Mobile phone
Tablet
Landline/non-smartphone
Hardware token
Referring to the types of physical devices that can be used to provide the second factor of two-step verification /
- Cell phone
- Flip phone
- Dumb phone
- Desk phone
- Phone (stand alone)
- YubiKey
Activate, Deactivate, Manage, Confirm, Prompt
Preferred verbs in instructional text about two-step verification. /
- Enable
- Disable
- Verify
- Ping
Manage your two-step verification settings.
Two-step verification prompts users on their mobile phones to confirm their identities.
/twostep
URL extension for websites, applications, or VPN tunnels. /
- /duo
- /two-step
Last updated 1/14/19