2-Factor Authentication Frequently Asked Questions

Two-factor authentication (2FA)

The following are the most commonly asked questions about 2FA:

2FA explained

  • What is two-Factor Authentication (2FA)? (Updated March 25, 2021)

    Two-factor Authentication (2FA), sometimes referred to as multi-factor authentication, requires the user to provide two or more verification factors to gain access to a resource such as an application, online account or VPN. Instead of requiring only a username and password, 2FA requires one or more additional verification factors, which decreases the likelihood of a successful cyber attack.

    Watch a two-minute video that explains 2FA.

  • Why is 2FA important?

    The use of 2FA will enhance Binghamton University's information security by requiring users to identify themselves by more than a username and password. While important, usernames and passwords are vulnerable to attacks by third parties that utilize programs to generate usernames and passwords to try to gain access to a user’s devices. Using a 2FA factor like a thumbprint or physical hardware key means increased confidence that the University’s data will stay safe from cyber criminals.

  • Why do I have to do this? It seems like a pain. (New March 25, 2021)  

    It is much easier to just put in a password. However, passwords are extremely vulnerable. You can make a very strong and secure password, but hackers and bad actors are coming up with new ways every day to access your data and private information. Passwords are not enough to protect your information and Binghamton University systems.

  • How does 2FA work?

    2FA requires additional verification information (factors). One of the most common that users encounter are one-time passwords (OTP) — those 4-8 digit codes that you often receive via email, SMS or some sort of mobile app and that are for one use only. With OTPs, a new code is generated periodically or each time an authentication request is submitted. The code is generated based upon a seed value that is assigned to the user when they first register and some other factor that could simply be a counter that is incremented or a time value.

  • What are the three main types of 2FA authentication methods?

    Most 2FA methodologies are based on one of three types of additional information:

    • Things you know (knowledge), such as a password or PIN
    • Things you have (possession), such as a badge or smartphone
    • Things you are (inherence), such as biometrics like fingerprints or voice recognition
  • What are some examples of 2FA?

    Examples of 2FA include using a combination of these elements to authenticate:

    Knowledge

    • Answers to personal security questions
    • Password
    • OTPs (This can be both knowledge and possession: You know the
    • OTP and you have to have something in your possession to get it, such as your phone.)

    Possession

    • OTPs generated by smartphone apps
    • OTPs sent via text or email
    • Access badges, USB devices, Smart Cards or fobs, or security keys
    • Software tokens and certificates

    Inherence

    • Fingerprints, facial recognition, voice, retina or iris scanning or other biometrics
    • Behavioral analysis
  • Do I use the same One-Time Passcode/six-digit code for Single Sign On (CAS) 2FA as for using the VPN? (Updated July 8, 2021)

    Yes. Effective July 13, 2021, the same One-Time Passcode/six-digit code is used for both CAS and Pulse Secure VPN.

  • Why am I prompted to log into SSO/CAS multiple times per day? (New March 25, 2021)

    There are several potential reasons for this browser behavior. Below are some steps that you can try to reduce the frequency of login/OTP prompts:

    • Do not use an “incognito” or “private” browser session. These sessions will not remember the SSO/CAS login across multiple applications, causing you to have to log in for each session.
    • When logging into SSO/CAS, select “Remember Me” and the browser will remember your SSO/CAS session for approximately eight hours and allow you to access multiple applications within the same browser. 
    • Do not select “log-out” of any individual application as this will end your SSO/CAS session for all of the applications. 
  • How do I know that I have successfully linked my Binghamton University SSO/CAS account? (Updated July 8, 2021)

    When your Binghamton University SSO account is successfully linked, you will see a rolling 6-digit number (passcode) on the Google Authenticator application. In addition, you will see the Binghamton University system that you are accessing with the assistance of Google Authenticator. When signing on to other application(s), they will also be identified in the Google Authenticator passcode screen.  

  • Do I need to install the authenticator app on every device I use? (New March 24, 2021)

    No. If you install the authenticator app on your smartphone and you have your smartphone with you most of the time, you can easily get the second factor code from your phone no matter what device you use to log into CAS. 

    If you don't have a smartphone, then you need to consider how you are going to get the second factor code when you need to log into CAS. If you only log in at work, set up the browser plugin or app on that computer then add the email option as a backup. If you find that you are logging in more often at home, you can install the authenticator and link it to CAS-2FA  on additional devices at any time. ITS recommends that you have a backup option, such as email, no matter which authenticator option you select.

  • What if I don't want to use my personal phone? (New March 25, 2021)

    There are several options that do not require a phone. You can set up the Authenticator Browser Extension on your primary computer. Instructions for installing and configuring the Authenticator Browser Extension are available at https://binghamton.edu/its/two-fa/authenticator.html

    Once you add a 2FA token to your account, you can also add an email address as a back-up method if you are away from your primary computer.

  • What if I'm in class and forgot my phone for my OTP (One-Time Passcode)? (Updated March 25, 2021)

    Information Technology Services strongly recommends having a back-up method to get your OTP because the Help Desk is not be able to override or disable 2FA. 

    After setting up your initial 2FA token, you can add an email account as a back-up or create a list of OTPs that can be printed.

    If you do not have access to your authenticator app, you can go to https://password.binghamton.edu/forgot_otp at any time to create a new 2FA token or to print OTPs. 

  • I lost my phone (or have a new phone). What do I do? (New March 25, 2021)  

    If you lost your phone or lost access to your authenticator app, you can go to https://password.binghamton.edu/forgot_otp at any time to create a new 2FA token or to print One Time Passwords. 

    If you have a new phone and still have your old phone:

    • Open Google Authenticator on your older phone
    • Tap on the three dots on the top right of the screen and select “Transfer Accounts”
    • Select “Export Accounts.” You may be asked to verify your identity via a fingerprint, password, or other method.
    • Select which accounts you want to export. Tap “Next.”
    • A QR code will appear.
    • Go to your new phone. Follow the instructions above, but select “Import accounts.”
    • Select “Scan QR Code”
    • Scan the QR Code on your old phone with your new phone.
    • Your accounts have been transferred to your new phone. 

    If you no longer have your old phone, you can go to https://password.binghamton.edu/forgot_otp to manage and create a new 2FA token for your new phone. 

Google Authenticator

Binghamton has already implemented Google Authenticator for the 2FA for the Pulse Secure VPN, and is using Google Authenticator to implement 2FA for other systems. (See information on Authy below for an alternate authentication system.)

Using the Google Authenticator

Authy Authenticator

Help and support