2-Factor Authentication Frequently Asked Questions

Two-factor authentication (2FA)

The following are the most commonly asked questions about 2FA:

• 2FA explained
• Google Authenticator
• Using the Google Authenticator
• Authy Application
• Help and support

2FA explained

• What is two-Factor Authentication (2FA)? (Updated March 25, 2021)

  Two-factor Authentication (2FA), sometimes referred to as multi-factor authentication, requires the user to provide two or more verification factors to gain access to a resource such as an application, online account or VPN. Instead of requiring only a username and password, 2FA requires one or more additional verification factors, which decreases the likelihood of a successful cyber attack.

  Watch a two-minute video that explains 2FA.

• Why is 2FA important?

  The use of 2FA will enhance Binghamton University's information security by requiring users to identify themselves by more than a username and password. While important, usernames and passwords are vulnerable to attacks by third parties that utilize programs to generate usernames and passwords to try to gain access to a user’s devices. Using a 2FA factor like a thumbprint or physical hardware key means increased confidence that the University’s data will stay safe from cyber criminals.

• Why do I have to do this? It seems like a pain. (New March 25, 2021)  

  It is much easier to just put in a password. However, passwords are extremely vulnerable. You can make a very strong and secure password, but hackers and bad actors are coming up with new ways every day to access your data and private information. Passwords are not enough to protect your information and Binghamton University systems.

• How does 2FA work?

  2FA requires additional verification information (factors). One of the most common that users encounter are one-time passwords (OTP) — those 4-8 digit codes that you often receive via email, SMS or some sort of mobile app and that are for one use only. With OTPs, a new code is generated periodically or each time an authentication request is submitted. The code is generated based upon a seed value that is assigned to the user when they first register and some other factor that could simply be a counter that is incremented or a time value.

• What are the three main types of 2FA authentication methods?

  Most 2FA methodologies are based on one of three types of additional information:

  • Things you know (knowledge), such as a password or PIN
  • Things you have (possession), such as a badge or smartphone
  • Things you are (inherence), such as biometrics like fingerprints or voice recognition
• What are some examples of 2FA?

  Examples of 2FA include using a combination of these elements to authenticate:

  Knowledge

  • Answers to personal security questions
  • Password
  • OTPs (This can be both knowledge and possession: You know the
  • OTP and you have to have something in your possession to get it, such as your phone.)

  Possession

  • OTPs generated by smartphone apps
  • OTPs sent via text or email
  • Access badges, USB devices, Smart Cards or fobs, or security keys
  • Software tokens and certificates

  Inherence

  • Fingerprints, facial recognition, voice, retina or iris scanning or other biometrics
  • Behavioral analysis
• Do I use the same One-Time Passcode/six-digit code for Single Sign On (CAS) 2FA as for using the VPN? (Updated July 8, 2021)

  Yes. Effective July 13, 2021, the same One-Time Passcode/six-digit code is used for both CAS and Pulse Secure VPN.

• Why am I prompted to log into SSO/CAS multiple times per day? (New March 25, 2021)

  There are several potential reasons for this browser behavior. Below are some steps that you can try to reduce the frequency of login/OTP prompts:

  • Do not use an “incognito” or “private” browser session. These sessions will not remember the SSO/CAS login across multiple applications, causing you to have to log in for each session.
  • When logging into SSO/CAS, select “Remember Me” and the browser will remember your SSO/CAS session for approximately eight hours and allow you to access multiple applications within the same browser. 
  • Do not select “log-out” of any individual application as this will end your SSO/CAS session for all of the applications. 
• How do I know that I have successfully linked my Binghamton University SSO/CAS account? (Updated July 8, 2021)

  When your Binghamton University SSO account is successfully linked, you will see a rolling 6-digit number (passcode) on the Google Authenticator application. In addition, you will see the Binghamton University system that you are accessing with the assistance of Google Authenticator. When signing on to other application(s), they will also be identified in the Google Authenticator passcode screen.  

• Do I need to install the authenticator app on every device I use? (New March 24, 2021)

  No. If you install the authenticator app on your smartphone and you have your smartphone with you most of the time, you can easily get the second factor code from your phone no matter what device you use to log into CAS. 

  If you don't have a smartphone, then you need to consider how you are going to get the second factor code when you need to log into CAS. If you only log in at work, set up the browser plugin or app on that computer then add the email option as a backup. If you find that you are logging in more often at home, you can install the authenticator and link it to CAS-2FA  on additional devices at any time. ITS recommends that you have a backup option, such as email, no matter which authenticator option you select.

• What if I don't want to use my personal phone? (New March 25, 2021)

  There are several options that do not require a phone. You can set up the Authenticator Browser Extension on your primary computer. Instructions for installing and configuring the Authenticator Browser Extension are available at https://binghamton.edu/its/two-fa/authenticator.html

  Once you add a 2FA token to your account, you can also add an email address as a back-up method if you are away from your primary computer.

• What if I'm in class and forgot my phone for my OTP (One-Time Passcode)? (Updated March 25, 2021)

  Information Technology Services strongly recommends having a back-up method to get your OTP because the Help Desk is not be able to override or disable 2FA. 

  After setting up your initial 2FA token, you can add an email account as a back-up or create a list of OTPs that can be printed.

  If you do not have access to your authenticator app, you can go to https://password.binghamton.edu/forgot_otp at any time to create a new 2FA token or to print OTPs. 

• I lost my phone (or have a new phone). What do I do? (New March 25, 2021)  

  If you lost your phone or lost access to your authenticator app, you can go to https://password.binghamton.edu/forgot_otp at any time to create a new 2FA token or to print One Time Passwords. 

  If you have a new phone and still have your old phone:

  • Open Google Authenticator on your older phone
  • Tap on the three dots on the top right of the screen and select “Transfer Accounts”
  • Select “Export Accounts.” You may be asked to verify your identity via a fingerprint, password, or other method.
  • Select which accounts you want to export. Tap “Next.”
  • A QR code will appear.
  • Go to your new phone. Follow the instructions above, but select “Import accounts.”
  • Select “Scan QR Code”
  • Scan the QR Code on your old phone with your new phone.
  • Your accounts have been transferred to your new phone. 

  If you no longer have your old phone, you can go to https://password.binghamton.edu/forgot_otp to manage and create a new 2FA token for your new phone. 

Google Authenticator

Binghamton has already implemented Google Authenticator for the 2FA for the Pulse Secure VPN, and is using Google Authenticator to implement 2FA for other systems. (See information on Authy below for an alternate authentication system.)

• How will Binghamton University implement 2FA?

  Binghamton has already implemented Google Authenticator for the 2FA for the Pulse Secure VPN, and also expects to utilize Google Authenticator to implement 2FA for other systems.

• What is Google Authenticator? 

  Google Authenticator is a free app that you can download to your Apple or Android device that generates a passcode to be used when logging in to applications that require additional levels of security.

• If I am prompted to use 2FA at one of the University’s applications, will I be prompted to use it for all of the University applications I use?

  No. Each application and Relying Party (RP) site decides which (if any) 2FA method/s are required for access. Some Binghamton University applications will require 2FA, while others will not. 

• What if I don’t want to use my personal phone for work reasons?

  The Google Authenticator App is a free app and does not use data packages or cell phone minutes. If you still have reservations about using your personal device, speak with your supervisor for possible alternatives to using your personal cell phone.

• I lost/have a new phone or device. What do I do? 

  You can set up Google Authenticator on a new (or other) device or phone and re-link to your Binghamton University Single Sign-On account. Step-by-step instructions will be available on the Information Technology Services website in the near future.

• Do I have to pay to download the application?

  No. The app is available for free for Apple and Android devices.

• Before downloading the app, I am asked to enter my credit card information. Do I need to do that?

  No. In both Apple and Android devices you will have the option to skip this step. 

• How will Binghamton University implement 2FA?

  Binghamton has already implemented Google Authenticator for the 2FA for the Pulse Secure VPN, and also expects to utilize Google Authenticator to implement 2FA for other systems.

• Will the app consume my data or cell phone minutes? 

  The initial download of the application might consume some of your data if you are not using Wi-Fi. However, once downloaded and linked to your Binghamton University Single Sign-On (SSO) account, the application works without using data or cell phone minutes.

• How do I download and link my Binghamton University SSO account?

  For detailed instructions using Apple and Android devices, visit the 2FA webpage is under development and will be launched before the 2FA implementation.

• How do I know that I have successfully linked my Binghamton University SSO account? (Updated July 8, 2021)

  When your Binghamton University SSO account is successfully linked, you will see a rolling 6-digit number (passcode) on the Google Authenticator application. In addition, you will see the Binghamton University system that you are accessing with the assistance of Google Authenticator. When signing on to other application(s), they will also be identified in the Google Authenticator passcode screen.  

Using the Google Authenticator

• How many tries do I have to login with my Google Authenticator passcode before the application logs me out?

  After three wrong passcode tries, the application will require the user to login with username and password again.

• I typed in my passcode and before I could proceed to the next step, the code changed Am I required to type in the new passcode?

  You do not need to re-type the new code. The application will accept the previously entered code as valid authentication of the user.

• Why aren’t my Google Authenticator passcodes working?

  If you have multiple accounts linked in your Google Authenticator App, be sure the passcode you are entering is for your Binghamton University account. If that doesn’t work, try deleting the account on the app and re-linking your account. The steps to re-link to your Binghamton University SSO account are specified in the detailed training materials available on the 2-Factor Authentication webpage that is being developed prior to the 2FA implementation. Another issue could be that the Google Authenticator App's time may not be synced correctly. Check out this Google help article for steps to fix this issue.

Authy Authenticator

• Where do I get Authy?

  Download the Authy application to your device(s).

• Do I need to pay for Authy?

  No. Authy is a completely free application.

• What if Authy gets hacked?

  Your password is never sent to Authy, which means that even if someone were to hack Authy, they still couldn't get your two-factor authentication one-time passwords (the 4-8 digit codes). Authy is simply another barrier between you and hackers. 

• Why does Authy need a phone number?

  By providing your phone number to Authy Support, we can go through a set of security processes to re-enable your ability to install Authy. Providing Authy with a phone number also allows you to recover your password in case you happen to forget it. 

• Can I set up Authy to use on both my mobile phone and my computer?

  Yes. You can do separate authentications for multiple devices as you see fit. 

• How can I recover my Authy account?

  You can reset your Authy account on the Authy website. 

Help and support

• Who do I contact for additional help and support?   

  For general questions, you can contact the Help Desk at 607-777-6420 or helpdesk@binghamton.edu.