Bulletin: Urgent Action Required – Two-Step Authentication for Oracle Financial System Users (Posted September 26, 2013)

All University faculty and staff received an update in August from Randy Livingston about the recent security breach at Stanford, and his description of the extra security steps that are necessary to protect critical information. It’s important to remember that these steps are essential not only to the security of Stanford as a whole, but also to individual staff.

In his email, he also mentioned that we would soon implement a “two-step authentication” process to access Stanford systems that have higher than normal levels of security, such as critical business or infrastructure systems. Data security goes beyond encrypting our hard drives and physically securing our laptops with cable locks, as we do now. It also involves protecting how our data is accessed. Up to now, we’ve done that through the SUNetID and password. Two-step authentication–which involves receiving a code from a source other than the computer you are using to access the system–provides us with an extra measure of data security.

Oracle Financials is scheduled to implement two-step authentication September 30th. If you haven't already done so, please take steps immediately to implement two-step authentication for system access and to further secure their login credentials.

Implementing Two-Step Authentication

Please follow the simple guidelines below to enable your two-step authentication.

1. Choose one of three options for your authentication method, by going to the IT Services Two-Step Authentication web page. The three options you should choose from are listed under the heading “Getting Started.”
   • The first option is SMS text messaging. This option requires you to have a mobile electronic device available when you sign on.  After you enter your SUNet ID and password on the website you want to access, a code is automatically sent to your device by text.  Entering the code in a prompt on the screen enables you to access the site.
   • The second option is a downloadable app called Google Authenticator (for iOS and Android devices) or Microsoft Authenticator (for Windows Phone 7, 7.5, 7.8, and 8.0). This option requires you to have a “smart” mobile electronic device with you when you sign on. After you enter your SUNet ID and password on the website you want to access, the app generates a code. Entering the code in a prompt on the screen enables you to access the site.
   • The third option allows the user to print a list of 20 codes on paper. Each unique code allows the user to access the site once by copying it in the prompt.  Once a code is used, it is no longer viable, and the 20th code is reserved for use in obtaining a new set of codes. Obviously, you must have the printout with you any time you are required to use two-step authentication.

   The third option is the least secure and not recommended, but we understand that the first two options may not be preferred by some staff. Users have the capability to change options at any time by going to the “Change Your Method” page.

2. After choosing an authentication method, copy and paste the appropriate link in your web browser (e.g., Internet Explorer, Firefox or Chrome) and follow the instructions provided.
   • For the SMS messaging option:  https://itservices.stanford.edu/service/webauth/twostep/text_message
   • For the Google app for iPhone, iPad or iPod Touch:  https://itservices.stanford.edu/service/webauth/twostep/ios
   • For the Google app for Android:  https://itservices.stanford.edu/service/webauth/twostep/android
   • For the printed paper list:  https://itservices.stanford.edu/service/webauth/twostep/printed_list

During the enrollment process, your “challenge level” will be automatically set to the second level. This level determines how often you will be asked to supply a code when authenticating with Stanford's servers. The second level requires two-step authentication when a device (such as a phone, tablet or computer) is new or has not been used recently to access the site. We recommend that you retain the setting for the second challenge level. Visit the Two-Step Challenge Level web page for more information.

Please establish your preferences for two-step authentication at your earliest opportunity. Providing the secondary authentication code may add a few minutes to your daily routine, but this is a necessary, required step to further secure our systems and personal information. If you have any questions, concerns or need help, please visit the Two-Step Authentication web page, or submit a HelpSU ticket.