WashU 2FA Two-Step Authentication

Device Options

Passwords are increasingly easy to compromise. They can often be stolen, guessed, hacked or phished – even without you knowing.

WashU 2FA—a two-factor (or two-step) authentication service provided by Duo, an industry leader in cyber security services—adds a second layer of security to your WUSTL Key account when accessing the many WashU systems, which contain sensitive personal information. By verifying your identity through the use of a second device, hackers and identity thieves are prevented from logging in these systems, even if they know your WUSTL Key ID and password and you’ll be alerted immediately if someone tries to log in using your credentials.

When must I use WashU 2FA
On October 31, 2016 WashU 2FA was required for accessing the first WashU 2FA integrated application, HRMS remotely, outside of the WashU network, and has been expanded to other systems since.

WashU 2FA Support & Questions
Please contact Systems & Procedures at 314- 933-3333.

WashU 2FA
WashU 2FA extends protection to most WUSTL Key enabled sites, allowing users to opt-in to two-factor authentication while logging into websites that don’t currently require  2FA authentication.

Below are a few examples of these supported sites:


-Office 365 Outlook Web App (email on the web)

-Blackboard (for students)


How It Works

Step 1.

Enrollment in WashU 2FA is simple. Visit https://connect.wustl.edu/2fa to access the enrollment wizard.

Step 2.

Under the Enrollment section – Check the box selecting Opt in to WashU 2FA

Choose when you want the protection applied: the default setting is Only when off campus – remote locations such as a business or residential internet connection.  However, you have the option to choose Always – from all sign-in locations, both on and off campus.

Be sure to Save Changes

Under the Information section click the button: Enroll in WashU 2FA to enroll your device in Duo.

Step 3.

Choose Your Device –Select the type of device you’d like to enroll and click Continue. We recommend using a smartphone for the best experience, but you can also enroll a landline telephone or iOS/Android tablets. Finally, follow the prompts based on the device you’ve chosen to enroll, and that’s it! You can enroll an unlimited number of devices.

When enrolling a smartphone, you have the option to also install the Duo Mobile app. Duo Mobile runs on your smartphone and helps you authenticate quickly and easily. Without it you’ll still be able to log in using a phone call or text message, but for the best experience we recommend that you use Duo Mobile. Follow the platform-specific instructions on the screen to install Duo Mobile.

After installing our app return to the enrollment window and click I have Duo Mobile installed. Once enrolled in Duo, you’ll log in to the WashU system as usual with your WUSTL Key ID and password. This is the first step of authentication. Next, you’ll verify your identity using the device you’ve enrolled with Duo. This is the second step of authentication. This will eliminate extra steps, taken in the past, to ensure better security.

Link to using cell phone/landline instructions: https://guide.duo.com/other-phones


Duo—an industry leader in easy-to-use, world-class security platforms—developed Duo 2FA, a two-factor authentication service that utilizes a secondary device such as a phone or tablet to confirm your identity when you access sensitive information, such as that contained in the university HRMS application. This service provides enhanced security and protects you in the event that someone manages to obtain your login credentials.

Two-factor authentication commonly works by asking for something you know (your password) in combination with something you have (your mobile phone) to confirm your identity across a variety of account activities–such as accessing your accounts from new devices, verifying transactions, or recovering your accounts.

Use of WashU 2FA is required: when accessing WUSTL Key Single Sign-on (SSO) from any non-trusted network (beginning Mid-April 2018) and when accessing the WashU CFU User VPN login portal from any network.

The WashU 2FA service is for current WashU employees and anyone (parents, university partners, vendors, visitors and/or contractors) who may access the services listed above.

No, enrollment for access to identified systems is mandatory.

Yes! You can enroll your mobile phone, your landline phone, and your tablet.

Yes. Open the Duo app on your smartphone or tablet and select the Duo key icon in the upper right-hand corner of the screen to generate a passcode. Generating passcodes does not send any kind of message or use data and you can generate passcodes even when you are not connected to a network. Using Duo to generate passcodes will not incur any data or text messaging costs.

Yes. In the Duo mobile app, simply click the key on the upper right-hand side of the screen or select the Generate Passcode button on Microsoft OS devices to generate a numeric passcode that you can use without a network connection. Alternatively, you can use the Duo text passcodes feature to generate a list of single-use passcodes that you can use if you won’t have access to your phone at all.

The second factor of authentication is separate and independent from your username and password. Duo never sees your password.

Yes. Duo accepts international phone numbers.

Duo 2FA devices cannot be registered to more than one person. If you are trying to add a device (such as a home phone) that is shared with someone else, and that device has already been registered to another person, you will receive an error message.

WashU 2FA Duo registrations are refreshed every 24 hours.

Lost or stolen mobile computing devices must be reported to the Privacy Office or the Information Security Office immediately. This shall occur before the user of the device cancels the service with the provider. You can review the Mobile Device Security Policy here. You must also log in to the WashU 2FA service and unenroll the device.

Please call the WashU IT Service Desk to verify information and have the old device removed.

While the app transfers from device to device, the configuration of each device is specific and will need to be reactivated on new devices.

In the DuoMobile App there is a key next to WashU2FA- clicking this key has a hidden bypass code. You can request to be texted codes (list of 10) prior to leaving cell service and they can be used in order. You can also call the WashU IT Service Desk and request a one-time use 24 hour expiring bypass code.

Mobile Push Mobile Passcode Phone Code SMS Text Message Temporary Passcode
Enroll a smartphone (recommended) X X X X  
Enroll a tablet X X      
Enroll a basic cell phone     X X  
Enroll a landline phone     X    
Call the WashU IT Service Desk (314) 933-3333         X