Harvard accounts are actively stolen for fraud and intelligence gathering. Thousands of attempts are made every day to steal Harvard passwords. Two-step verification uses a pre-registered device in your possession, such as your smartphone, to confirm your identity when you log in with HarvardKey. That way, even if your password is stolen, cybercriminals can't get into your account without having that device as well.
By using two forms of verification, you are protecting
If you get a new smartphone or mobile device, you need to add the new phone (and remove the old one) by visiting the HarvardKey self-service portal and choosing "Set-up & Manage Your Two-Step Verification" in "Manage Your Services & Account." If the number is the same, you can receive a phone call or SMS text message at that number to get into the Manage Devices page. If you still have your old phone, you can also use the app on it to authenticate with the "Push" feature.
A good resource to learn more about where you can use two-step verification (also called two-factor or multi-factor authentication) is twofactorauth.org. While you have to use two-step verification with your HarvardKey, deploying it with other services you use (at Harvard and elsewhere) is a great way to enhance your online security.
HUIT licensed Duo for most of our HarvardKey users. However, alumni are not currently included in the licensing agreement. If you are an alum without any other active role at the University, your HarvardKey is not eligible for two-step verification.
Yes! It is strongly encouraged that you add at least two devices (for example, your mobile phone and a landline) to your Duo two-step verification. That way, if you cannot access one device, you have a backup for getting your code and logging in. Within the Two-Step Verification settings box, click on the link that says 'Add a new device' (under the shield) to add your second device. You can add up to five devices.
If you select a default device in your Duo Device Options and choose to always use this device, there will not be a 'Remember Me' option available. Duo will always use the device you selected at each login. Go back to the settings and uncheck that box to enable the 'Remember Me' option for web applications. Also, tight privacy settings in your browser may prevent it from creating a cookie to track your 'Remember Me' selection. Contact the HUIT Service Desk for support in confirming your browser privacy settings.
Yes, you can! After logging in with your HarvardKey, you will be prompted for two-step verification. Check the box "Remember me for 30 days" before choosing a verification method. You will be remembered on that device and browser, and you will not need to confirm your identity with two-step verification again for 30 days.