Why is Harvard requiring two-step verification for HarvardKey?

Harvard accounts are actively stolen for fraud and intelligence gathering. Thousands of attempts are made every day to steal Harvard passwords. Two-step verification uses a pre-registered device in your possession, such as your smartphone, to confirm your identity when you log in with HarvardKey. That way, even if your password is stolen, cybercriminals can't get into your account without having that device as well.

By using two forms of verification, you are protecting:

  • Your personal data, like your direct deposit account number and your Social Security Number. If a cybercriminal reaches this information, they can divert your paycheck or open new accounts in your name.
  • Your University data, like sensitive research and administration information. The theft of this kind of information can result in lost grants, harm to critical research initiatives, and the exposure of private information about Harvard and its community.
  • Other people's data at Harvard. Although you may not have direct access to sensitive information beyond your personal data, a cybercriminal who steals your account can leverage it to access additional accounts and systems that hold other people's information at Harvard.

Two-step verification takes just a few minutes to set up, is easy to use, and in most cases requires your second step just monthly.

Activate two-step verification for HarvardKey now at http://huit.harvard.edu/twostep

I got a new phone, how do I move my two-step verification over to it?

If you get a new smartphone or mobile device, you need to add the new phone (and remove the old one) by visiting the HarvardKey self-service portal and choosing "Set-up & Manage Your Two-Step Verification" in "Manage Your Services & Account." If the number is the same, you can receive a phone call or SMS text message on the new phone in order to get into the Manage Devices page. If you still have your old phone, you could also use the app on it to authenticate with the "Push" feature.

Once into the Manage Devices page in HarvardKey, remove your old phone first. Then add the new phone (installing the Duo application as you register it).

How do I use a hardware token to access VPN with two-step verification?


If you do not have, or cannot reliably use, a mobile phone or landline as your primary two-step verification device, please send a request for a hardware token to ithelp@harvard.edu.

A hardware token is a small device that, when plugged into your computer, offers two-factor verification with a touch of a button. Some important things to know about hardware tokens:

  • Tokens do not work with mobile devices, but can be used as an alternative two-step verification method for HarvardKey.
  • Each token is exclusive to a user and cannot be assigned to more than one HarvardKey account. 
  • Two-step verification must already be activated on your HarvardKey account with another device for a token to be added. Activate two-step verification now before following these instructions. 

Follow these steps for requesting and setting up your hardware token on your HarvardKey account.

1. Users must first set up two-step verification for HarvardKey with a primary device, such as a mobile phone or landline. Instructions can be found at http://huit.harvard.edu/twostep. If you do not have access to a primary device, contact ithelp@harvard.edu or call 617-495-7777.

2. To request a token, contact ithelp@harvard.edu with the subject line "Request a hardware token" or call 617-495-7777. Each hardware token must be pre-configured by HUIT.

3. Once you receive your token, insert it into an open USB port on your computer with the metal "Y" face up. 

4. For Windows users, your computer will recognize the device and automatically install the necessary software. When complete, a pop-up balloon will indicate the device is ready to use.

For Mac OS users, the first time you insert a hardware token, your computer will recognize it as a USB keyboard. Simply close the pop-up window to continue.  

5. Visit a HarvardKey-protected website or application, like the Harvard internal directory, connections.harvard.edu. When prompted for two-step verification, click Enter a Passcode.

6. Tap the metal "Y" on your token and you will be automatically logged in. If you experience difficulty, contact the HUIT Service Desk at ithelp@harvard.edu or 617-495-7777.

Where can I learn more about two-step verification?

A good resource to learn more about where you can use two-step verification (also called two-factor or multi-factor authentication) is twofactorauth.org.  While you have to use two-step verification with your HarvardKey, deploying it with other services you use (at Harvard and elsewhere) is a great way to enhance your online security.

Can I add multiple devices to my two-step verification?

Yes! You are strongly encouraged to add at least two devices (for example, your mobile phone and a landline) to your Duo two-step verification. That way, if you cannot access one device, you have a backup for getting your code and logging in. Within the Two-Step Verification settings box, click on the link that says 'Add a new device' (under the shield) to add your second device. You can add up to five devices.

Why don't I have the 'Remember Me' option?

If you select a default device in your Duo Device Options and choose to always use that device, the 'Remember Me' option will not be available, and Duo will use the selected device at each login. Go back to the settings and uncheck that box to enable the 'Remember Me' option for web applications. Your browser may also have tight privacy settings that prevent it from creating the cookie that tracks your 'Remember Me' selection. Contact the HUIT Service Desk for support in confirming your browser privacy settings.

Can I set two-step verification to automatically remember me for 30 days?

Yes you can! After logging in with your HarvardKey, you will be prompted for two-step verification. Check the box "Remember me for 30 days" before choosing a verification method. You will be remembered on that device and browser, and you will not need to confirm your identity with two-step verification again for 30 days.


Who can claim or manage my HarvardKey?

The short answer is YOU (and only you). Per Harvard's Information Security Policy, you may not share your password or access credentials with anyone. Neither HUIT nor any other IT service at Harvard can reset your password for you. The HarvardKey system is entirely self-service, so you are in control of all aspects of your own access. Please do not share your HarvardKey information with any other person, even a trusted individual in your life.

Why is my HUID/password (PIN) login expiring?

The HUID/password (formerly known as PIN) login type no longer meets current Harvard IT security standards and will be retired over the fall of 2016. HUID/password users who have not yet claimed a HarvardKey are encouraged to do so as soon as possible, and will also be reminded by email in advance of their HUID/password credential expiring. Once your HUID/password credential expires, you will no longer be able to access many of your Harvard services until you claim your HarvardKey. Learn more about this here.