See below for Two-Step information for LSPs:
On November 14, 2023, Duo Universal Prompt replaced Penn’s custom solution for PennKey Two-Step Verification. PennKey was integrated directly with Duo for a seamless user experience. See below for more information.
Policy Changes Upon Rollout
- 30-day Two-Step registration timeframe for new PennKey recipients – Users must register for Two-Step Verification within 30 days of receiving PennKey setup information (after this they will require assistance from a PennKey admin and ID proofing).
- PennKey admins and help desks may have support scripts or documentation that needs to be updated (new PennKey welcome docs, etc.).
- Setup codes issued before November 14 will be subject to the 30-day rule and will expire 30 days from issue (e.g., if issued 45 days before – expired; if issued 29 days before – 1 day until expiration).
- Trusted-browser timeframe – 60 days, with no rolling restart (the trust period is not extended by subsequent logins; after 60 days the user must complete Two-Step again).
- Setup codes will no longer be sent via USPS – The PennKey Setup Code Service app to request setup codes by mail has been decommissioned.
PennKey Support Provider Training
The PennKey Support Application on the new Penn Community platform replaced the Two-Step Admin Console for PennKey support. Please note the following:
- The PennKey Support Application covers all needs of PennKey support providers, including tools to help with PennKey passwords and resets, SSPR support, and MFA support.
- New single role – “PennKey/authorization support” (instead of separate PennKey admins and Two-Step support providers).
- Before obtaining access to the PennKey Support Application, users must complete training and submit an Access Request Form approved by their supervisors (see the Penn Community Access Basics webpage for more info).
Login Options
See the Login Options page for options enabled for use at Penn. Only login options a user has previously enrolled will appear in the user’s “Other Options” menu within the Duo Mobile app.
Screen Changes to Note
1. PennKey Login UI – The PennKey Login UI was refreshed and modernized; there were no functionality changes.
2. New Duo Universal Prompt UI – Penn's custom interface during PennKey WebLogin changed to the new Duo Universal Prompt UI.
3. Browser Trust screen – The Browser Trust screen changed upon rollout of Duo Universal Prompt.
4. PennO365 Two-Step – Changed from Duo Traditional to Duo Universal Prompt; device trust works across PennKey SSO and O365 logins.
Enhanced Client or Proxy (ECP)
- ECP is required for non-browser PennKey SSO as of November 14 as part of the Duo Universal Prompt rollout (see ECP project page for more info).
- This is for Penn software developers and maintainers of PennKey-enabled applications that rely on automated “screen-scrape”-style PennKey authentication.
Retired Legacy Two-Step Functions
The following legacy Two-Step functions were retired upon rollout of Duo Universal Prompt. See below for replacement information for retired functions:
| Retired Function | Replaced By | Notes |
|---|---|---|
| “Generate Codes” (printed codes) | Code-generating function within the Duo Mobile app or a Duo fob | If generating codes from within the Duo Mobile app, users do not have to be online (no phone or internet service needed) |
| User Dashboard (enroll, manage settings, trouble logging in) | Duo Device Management Portal | Use the Duo Device Management Portal to add, rename, or delete devices |
| New Google Authenticator registrations | Duo Mobile app | Existing Google Authenticator registrations continue to work but are not supported or recommended |
| New SafeID fobs (no longer distributed on campus) | Duo fobs and hardware security keys | Existing SafeID fobs continue to work |
| “Help a Friend” | N/A | Method no longer supported |
| Two-Step Admin Console (PennKey Support Providers) | New PennKey Support Application / Penn Community | See the Penn Community Access Basics webpage for more information |
Users are encouraged to consult the Two-Step Verification FAQ and also the Two-Step Verification: Enrollment Instructions, which provides step-by-step instructions. Users can find their support providers via the Two-Step help page.
If a user is unable to log in, questions to ask include:
- Has the user selected "Yes, this is my device" (browser trust)? If the user selects "Yes, this is my device" during the Two-Step process, their browser will be trusted for 60 days. In addition, their Login Options depend on what they set up at the time they enrolled.
- Did the user designate an additional device? If so, they can use one of the Login Options they previously enabled.
If users require support beyond the self-support mechanisms, such support follows the standard LSP model. Local Support Providers provide first-tier support to users, giving assistance with enrollment and use as necessary as well as troubleshooting prior to escalation. If issues persist, LSPs can escalate to ISC Client Care. Client Care staff can troubleshoot further, escalating to the Two-Step developers and WebLogin team as necessary for fixes or change requests.
Common issues include:
- New or replacement phone
  - Refer the end user to the Two-Step Verification: Configuring a Replacement Phone page.
- Verification code not being accepted
  - App: Ensure the device is synced to the local time zone.
  - Duo fob or Duo Mobile passcode: Enter three consecutive and correct passcodes from the HMAC-based one-time password (HOTP) hardware token or the Duo Mobile account in three successive authentication attempts within five minutes. The first two authentications will fail. However, the HOTP passcodes will resynchronize and the third authentication should succeed. For more information, see the Duo article on resyncing HOTP passcodes for Duo Mobile or a hardware token.
  - SafeID fob (previously issued only): A token can get "out of sync" if the button is pressed too many times in a row and the generated passcodes aren't used for login. In some cases, this can happen by accident if the token is stored next to other objects in a pocket, backpack, etc. Generate three passcodes in a row to attempt to resynchronize the token.
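The "three consecutive passcodes within five minutes" procedure above is the user-visible side of a server-side HOTP look-ahead and resynchronization window: a counter-based token that has been pressed many times is ahead of the server's counter, so its codes fall outside the normal acceptance window, and the server only moves its counter forward once it has seen a run of consecutive correct codes. The following is an added illustration, not Duo's or Penn's code: it implements RFC 4226 HOTP and a hypothetical `HotpVerifier` whose window sizes, three-code proof requirement and five-minute chain deadline are assumptions chosen to model the behaviour the page describes. The secret is the RFC 4226 test-vector key, used here only as a constructed demo value.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = ((digest[offset] & 0x7F) << 24
              | digest[offset + 1] << 16
              | digest[offset + 2] << 8
              | digest[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Hypothetical server-side HOTP validator (an assumption, not Duo's implementation):
    a small look-ahead window for normal use, plus a resync chain that requires
    `resync_proof` consecutive correct codes within `resync_timeout` seconds."""

    def __init__(self, secret: bytes, look_ahead: int = 3, resync_window: int = 500,
                 resync_proof: int = 3, resync_timeout: float = 300.0):
        self.secret = secret
        self.counter = 0                 # next counter value the server expects
        self.look_ahead = look_ahead
        self.resync_window = resync_window
        self.resync_proof = resync_proof
        self.resync_timeout = resync_timeout
        self._pending = None             # (next expected counter, matches so far, deadline)

    def _matches(self, counter: int, code: str) -> bool:
        # Constant-time comparison so code checking does not leak timing information.
        return hmac.compare_digest(hotp(self.secret, counter), code)

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now

        # Normal path: token is in sync or only slightly ahead of the server.
        for c in range(self.counter, self.counter + self.look_ahead):
            if self._matches(c, code):
                self.counter = c + 1     # this and all earlier counters are now unusable (no replay)
                self._pending = None
                return True

        # Resync path: continue an in-progress chain of consecutive codes.
        if self._pending is not None:
            expected, matched, deadline = self._pending
            if now <= deadline and self._matches(expected, code):
                matched += 1
                if matched >= self.resync_proof:
                    self.counter = expected + 1   # server counter jumps to the token's position
                    self._pending = None
                    return True
                self._pending = (expected + 1, matched, deadline)
                return False             # correct but not yet proven: the "first two fail"
            self._pending = None         # wrong code or chain expired: start over

        # Start a chain if the code lies somewhere in the wider resync window.
        for c in range(self.counter + self.look_ahead, self.counter + self.resync_window):
            if self._matches(c, code):
                self._pending = (c + 1, 1, now + self.resync_timeout)
                return False
        return False


def demo() -> dict:
    """Token pressed 50 times without logging in; user then enters three consecutive codes."""
    secret = b"12345678901234567890"    # RFC 4226 test-vector secret (constructed demo key)
    server = HotpVerifier(secret)
    drifted = 50                          # token's counter is far ahead of the server's (0)
    return {
        "first_code": server.verify(hotp(secret, drifted), now=0.0),        # False
        "second_code": server.verify(hotp(secret, drifted + 1), now=10.0),  # False
        "third_code": server.verify(hotp(secret, drifted + 2), now=20.0),   # True: resynced
        "next_code": server.verify(hotp(secret, drifted + 3), now=30.0),    # True: normal path
        "replayed_code": server.verify(hotp(secret, drifted + 3), now=40.0),  # False: no replay
    }


if __name__ == "__main__":
    print(demo())
```

The five-minute limit is what turns "three correct codes" into evidence that one person holds the token right now rather than a collection of codes gathered over time; the look-ahead window stays small for the same reason, and a code at or below the server's counter is always rejected so that an observed passcode cannot be reused.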
LSPs should be aware of other possible issues, such as:
- Users believing they're finished after installing the Duo Mobile app and not completing enrollment
- Users not knowing how to scan QR codes with the Duo Mobile app
- Users not understanding the concept of entering a second factor
- Users not having their App Store/Google Play password to install apps
- Users not knowing how to install apps on their mobile device
- Users not knowing how to manage notifications (iOS, Android) on the Duo Mobile app
In case of an issue that an LSP cannot resolve, the LSP should contact ISC Client Care. To help ensure the issue is resolved as quickly as possible, please include the user's PennName and troubleshooting steps already performed.
Prior to contacting Client Care, it is the LSP's responsibility to identity-proof the user. See the ID Proofing Guidance for PennKey Administrators document for more information.
For user help contacts, see the Two-Step Verification help contacts page.
I have a user who recently acquired their PennKey. Why can’t they enroll in Two-Step immediately at https://upenn.edu/manage-twostep?
Two-Step enforcement through Duo takes some time. Some users who had been provisioned a PennKey and immediately claimed it and then tried to enroll in Two-Step may be ahead of this process. If they attempt to enroll before the Duo process has completed, they may see errors or be routed to a non-enrollment page. They should simply wait – their PennKey will work without Two-Step until the Duo process completes. Users will be prompted to enroll at their first PennKey SSO challenge after the Duo process completes.
In the Duo Device Management Portal, the user gets the message: "Page access not allowed. Your Duo account does not have access to this application. Please contact your IT help desk." What should the user do?
This is a timeout error message. Have the user exit and reload the Duo Device Management Portal page.
What's the process for enrolling a Duo fob?
Duo fobs must be added to the user's account by a PennKey/Authorization Support Provider before distribution. For more information, contact Client Care.
What happens when a user encounters a "403 forbidden" or "Stale request" error on a page requiring authentication?
Some web pages contain code that causes these errors. As a workaround, the user should authenticate at another page, such as the Duo Device Management Portal, and then return to the page where they encountered the error.