Google Two-Step Verification: Mandatory
What does this mean?
It means, when signing into email or Google Drive, you need to verify the person signing in is actually you using one or more of the available verification options.
Why do I have to do this?
Higher Ed has become a major target for phishing and extortion, with some institutions paying millions to unlock their hijacked data-systems. Willamette University is required to take these preventive measures to help keep our entire community secure in a world of ever-increasing threats.
Is this the same as Duo? I already have Duo, do I need this?
This is similar to Duo but it is specifically for all things Google. DUO does not cover Google applications, email, drives, or apps. You NEED to set this up in order to have access.
Do I need to use a Smartphone?
No, you don’t, and there are two options which bypass the need for a cell phone or smartphone entirely, but neither are as simple as using the smartphone you probably already use hundreds of times a day.
Do I have to give Google my personal phone number?
Although you will need to provide a phone number for the initial setup, this can be any phone to which you have access. Providing your office or home land-line phone number will suffice as it is only needed for the initial setup process. If you don’t have a cell phone, you will NEED to print\write down codes as outlined in one of the options below.
Will I have to use this every single time I sign into my email or Google Drive?
Choose to remember any personal or office device as a trusted one and it will not ask for verification each time, but it will occasionally ask in the future. If using a lab computer or teaching station on a regular basis, remember it as a trusted device to avoid disruption.
What if I use a mail client app like MacMail or Thunderbird?
WITS recommends against using local mail clients as they can consume significant hard drive space with minimal benefit and configuration of these can be nightmarish. Thunderbird, the Mail App for macOS and iOS, Outlook, and others may be configured to open a two-factor window, but this setup can be a bit tricky. Watch for links toward the end of this documentation to help with setup of a client application. WITS may not be able to support this on some apps or devices.
New Users
New users have a one-week grace period to adopt Google 2-Step Verification before account access is blocked. If you're a new user, set it up, post-haste!
If you have not enrolled in 2-Step Verification during the account creation grace period, you will no longer be able to access your email or Google Drive.
You’ll need to contact the WITS Help Desk at 503-370-6767 (x6767 from a campus phone) or email wits@willamette.edu from a personal email account to temporarily bypass 2-Step Verification long enough to enroll using the steps above.
Setting up Google 2-Step Verification
(1) Open and sign in to your Willamette Gmail account in a web browser: wumail.willamette.edu
(2) In the extreme upper right corner of the window, click on your Account Icon/Image and then Click Manage your Google Account
(3) In the list of categories on the far-left of your Google Account window, Click Security
(4) Under the How you sign in to Google category, click 2-Step Verification
(5) Sign in again, then provide a phone number for a nearby phone for a one-time confirmation message or call. If using an office or landline phone, Select Phone Call. Either option will work on a smartphone. Enter the code you are given, then Click Next
(6) Now, Click Turn On to activate two-factor authentication
Selecting from the List of 2-Step Options
You’ve made it this far! Now, there are options to choose from.
The Push Method or Call my Phone Method (Default)
Most smartphone users will be fine getting a push notification to their device (usually a text message) used in the previous step. If that works for you, run with it. You’re all set. It may ask to open another phone app (YouTube, for example) and a prompt will ask to confirm the login attempt.
If using a standard landline phone, select the “Call my phone number” option. But if away from that phone, it’s a problem. Use the next option as a backup plan in such a scenario.
The Backup Codes Method (No Phone Required)
This provides a list of 10 unique numeric codes you can enter as verification, no technology required. Each code may be used only once, so be sure to Remember This Device when signing in or they’ll run out quickly. They may be printed out on paper, written down by hand, or tattooed one per finger (not WITS-recommended).
The Google Authenticator App
This works much like Duo, which is also used at WU. Instead of getting calls or text messages, use codes already on your device, even when it’s offline or in a dead-zone. Install the app on a smartphone or tablet and it will provide codes which may be entered for 2-step verification. Just open the app, enter the code provided when prompted, and that’s all there is to it.
The Security Key Options (Not Recommended)
- Use a smartphone or tablet as a security key verified using bluetooth technology and proximity. Both devices being used must have bluetooth turned on and they must be near one another. This can be problematic for a number of reasons and most desktop computers lack bluetooth altogether. Use at your own risk, WITS will not be able to troubleshoot issues which may arise. Instructions can be found here: https://support.google.com/accounts/answer/9289445
- Use a physical “key” to verify your identity. This requires you, the user, to purchase a USB key for around $30. Willamette University will not provide these. Choose either USB-A or USB-C style and it will only work on devices with USB ports (most phones and tablets will be excluded). Go with a USB-C key, it’ll need an adapter to use it on older computers with only USB-A…choose a USB-A key and come across a device with only USB-C, it’ll need a different adapter. That means carrying around two different items at all times, the key and an adapter, which seems like a terrible idea. https://store.google.com/us/product/titan_security_key?hl=en-US
Setting Up Mail Clients (So '90s)
If your mail client gives you the option to set up a Google Account, do that. It's the easiest.
The second easy way to set up 2-Step Verification for mail clients is to "allow less safe applications" and create an app password:
https://support.google.com/accounts/answer/185833?hl=en
There are other methods, like setting up OAuth2 Security, but every mail app is different. It's easier to install the Google Mail app on your phone/tablet and just use that rather than use and configure a clunky mail client.