Two-Step Verification



Harvard uses DUO Security to provide two-step verification on HarvardKey.
Two-step verification is required to access HarvardKey-protected resources and applications, and to connect to the network using Harvard's Virtual Private Network (VPN) service.

Get help with two-step

» See more help guides for two-step «

Copy and paste this code to your website.
Copy and paste this code to your website.

Two-step verification is an extra layer of security designed to ensure that you're the only person who can access your Harvard account, even if your password is stolen. Verify your identity with a device in your possession, commonly a mobile phone, as part of your HarvardKey login.

Accessing HarvardKey-protected resources and applications will work a little differently with two-step verification.

Step 1: Log in to HarvardKey with your username and password

Step 2: Verify the log in with a device in your possession. You can authenticate with a mobile app or a landline.


  • Authenticate using the Duo Mobile app passcode generator in areas with weak or unavailable cellular service, or for VPN access.
  • Verify every time or just once a month with "Remember me for 30 days"

Popular FAQs

  • Why is Harvard requiring the use of two-step verification?
    Harvard is a high priority target for hackers, including foreign nation state-sponsored entities who attempt to access University systems with ever-increasing sophistication and frequency. Two-step verification is designed to provide an extra level of security, and to make it more difficult for an impersonator to use Harvard credentials to access our systems. This step will greatly enhance our information security, and help to protect direct deposit information, research data, and intellectual property, as well as faculty, staff, and student personal information.
  • What is two-step verification?
    Two-step verification adds an extra layer of security to your Harvard account. You sign in with something you know (your HarvardKey password) and use something you have (commonly a mobile phone) to verify your identity. This way, cybercriminals cannot access your Harvard account, even if they have your password. HarvardKey has partnered with Duo Security to provide this service.
  • What devices can I use? What if I don’t have a smartphone, or don’t wish to use my personal device?
    While a smartphone with the Duo Security mobile app installed is highly recommended for ease of use, you can use a variety of devices and authentication methods to meet your needs. Use of a personal device is not required.
  • What happens if I don’t have access to my primary device? What if I forget or lose my mobile phone?
    If you add a second device (strongly recommended) when setting up your two-step verification account, you may use that second device to authenticate. Additionally, the HUIT Service Desk has the ability to provide a one-time bypass code over the phone (additional information will be required to verify your identity). Call the service desk at 617-495-7777 to speak to a support services specialist.
  • What if I travel often or work overseas?
    Anyone who travels or works internationally and needs to log in to HarvardKey-protected resources can set their two-step verification method to “Duo passcode.” You can use Duo Mobile Passcode to generate your authentication code without an Internet or cellular connection. If you don't have a smartphone or tablet, hardware tokens that generate codes are available.