Harvard uses DUO Security to provide two-step verification on HarvardKey.
Two-step verification is required to access HarvardKey-protected resources and applications, and to connect to the network using Harvard's Virtual Private Network (VPN) service.
Two-step verification is an extra layer of security designed to ensure that you're the only person who can access your Harvard account, even if your password is stolen. Verify your identity with a device in your possession, commonly a mobile phone, as part of your HarvardKey login.
Accessing HarvardKey-protected resources and applications will work a little differently with two-step verification.
Step 1: Log in to HarvardKey with your username and password
Step 2: Verify the log in with a device in your possession. You can authenticate with a mobile app or a landline.
- Authenticate using the Duo Mobile app passcode generator in areas with weak or unavailable cellular service, or for VPN access.
- Verify every time or just once a month with "Remember me for 30 days"
Roll Out Schedule
|School/Unit||Two-step verification will be required on...|
|Users of HUIT's Virtual Private Network (VPN)||Wednesday, September 28, 2016|
|Harvard Graduate School of Design||Wednesday, September 28, 2016|
|Central Administration, Museums, Inter-faculty Initiatives, and Allied Institutions||Wednesday, October 5, 2016|
|Radcliffe Institute for Advanced Study||Wednesday, October 12, 2016|
|Harvard Divinity School||Wednesday, October 12, 2016|
|Harvard Division of Continuing Education *Faculty and Staff Only*||Wednesday, October 12, 2016|
|Faculty of Arts and Sciences, including Harvard College and GSAS||Wednesday, October 19, 2016|
|Harvard John A. Paulson School of Engineering and Applied Sciences||Wednesday, October 19, 2016|
|Harvard Medical School *Quad only*||Tuesday, November 1, 2016|
|Harvard T.H. Chan School of Public Health||Tuesday, November 1, 2016|
|Library Special Borrowers||Tuesday, November 8, 2016|
|Harvard Business School and Harvard Business School Publishing||Thursday, November 17, 2016|
|Harvard Graduate School of Education||Thursday, November 17, 2016|
|Harvard Kennedy School||Thursday, November 17, 2016|
|Harvard Law School||Thursday, November 17, 2016|
|Division of Continuing Education (DCE) Students||Thursday, February 23, 2017|
**Non-quad HMS will be required on a rolling basis; retirees are strongly encouraged to use two-step verification on HarvardKey, but will not be required during this time period. Target date for full adoption is end of FY17. This service is not currently available for alumni.**
- Why is Harvard requiring the use of two-step verification?
Harvard is a high priority target for hackers, including foreign nation state-sponsored entities who attempt to access University systems with ever-increasing sophistication and frequency. Two-step verification is designed to provide an extra level of security, and to make it more difficult for an impersonator to use Harvard credentials to access our systems. This step will greatly enhance our information security, and help to protect direct deposit information, research data, and intellectual property, as well as faculty, staff, and student personal information.
- What is two-step verification?
Two-step verification adds an extra layer of security to your Harvard account. You sign in with something you know (your HarvardKey password) and use something you have (commonly a mobile phone) to verify your identity. This way, cybercriminals cannot access your Harvard account, even if they have your password. HarvardKey has partnered with Duo Security to provide this service.
- What devices can I use? What if I don’t have a smartphone, or don’t wish to use my personal device?
While a smartphone with the Duo Security mobile app installed is highly recommended for ease of use, you can use a variety of devices and authentication methods to meet your needs. Use of a personal device is not required.
- What happens if I don’t have access to my primary device? What if I forget or lose my mobile phone?
If you add a second device (strongly recommended) when setting up your two-step verification account, you may use that second device to authenticate. Additionally, the HUIT Service Desk has the ability to provide a one-time bypass code over the phone (additional information will be required to verify your identity). Call the service desk at 617-495-7777 to speak to a support services specialist.
- What if I travel often or work overseas?
Anyone who travels or works internationally and needs to log in to HarvardKey-protected resources can set their two-step verification method to “Duo passcode.” You can use Duo Mobile Passcode to generate your authentication code without an Internet or cellular connection. If you don't have a smartphone or tablet, hardware tokens that generate codes are available.