Skip to main content

2-Step Verification is stronger security for your UNC accounts

Two authenticators to keep you safe

At UNC-Chapel Hill, there are 2 ways to 2-Step. 2-Step Verification helps protect your accounts and the University’s data.

Microsoft Authenticator app logoMicrosoft 365 (previously known as Office 365) has 2-Step Verification built-in. Some other services also use M365 to authenticate.

Duo Security LogoFor other 2-Step uses on campus, including VPN and ConnectCarolina, the University uses Duo Security.

Enroll in Microsoft MFA

To set up 2-Step for Microsoft 365 (MFA):

  1. Go to UNC’s Microsoft login page
  2. Log in using and your password
  3. If this is your first time logging in, you’ll be prompted to set up MFA with your phone number or by downloading the Microsoft Authenticator app (recommended)

Note: Microsoft does not support YubiKey; you must use a phone number or the app on a smartphone or tablet.

Visit 2-Step for Microsoft documentation

New phone? Reset Microsoft MFA using Duo.

Enroll in Duo Security

To get started with Duo:

  1. Visit Onyen Services and click the “2-Step Verification for Duo” tile
  2. Sign in and verify your identity
  3. Choose a device (phone, tablet, YubiKey, landline or Touch ID) to register

Pro tip: Set up a backup option. That way, if your primary isn’t available, you’ll still be able to authenticate.

Visit Duo documentation

New phone? Reactivate your device.


Services that require 2-Step

  • All Microsoft 365 (formerly known as Office 365) apps
  • ConnectCarolina (Duo)
    • All students (current and former)
    • Administrative users
    • Online W-2 access
  • 1-Phish, 2-Step rule
  • Multiple applications for IT and research administration
  • Qualtrics (Duo)
  • One Card GET mobile app (Duo)
  • Campus VPN (Duo)
  • Self-Service ( (Duo)


How 2-Step Verification works

With 2-Step, you will be required to verify your identity in two ways: with your password and with an additional method you set up. After you set up both services, your logins will follow this pattern:

  1. Enter your password. Whenever you sign in to a 2-Step protected account, you’ll enter your username and password as usual.
  2. Confirm the login. Depending on what you’ve set up, this may be entering a code texted to you, approving a push notification on your phone by tapping “yes,” inserting a YubiKey or matching a number on an app to a number on your screen. This confirms “you’re you.”

Report any unexpected pushes or voice calls as these notifications may be someone trying to get in to your account. Deny the request and report suspicious behavior by calling 919-962-HELP (4357) or by using the Help Portal.


Why UNC requires 2-Step Verification

Activating 2-Step Verification boosts protection of your account from hackers.

With 2-Step, if bad actors get through the password layer, they will still need your phone or other second verification methods to get into your account.

Your credentials are valuable to criminals

When bad actors steal your username and password, they have the ability to lock you out of your account, and then do any or all of the following:

  • Pretend to be you and send unwanted or harmful emails to campus
  • Go through — or even delete — all of your emails, contacts, files, etc.
  • Access or download personal data that could be used to steal your identity
  • Use your UNC email account to reset the passwords for any of your personal accounts that are linked to your University email address (banking, shopping, etc.)
  • Trick others into providing their password or paying for something like gift cards
  • Steal University data, including financial information, health data, person information or research