Two-Step Verification
Two authenticators to keep you safe
At UNC, there are 2 ways to 2-Step. We know that having more than one way to verify your identity might seem confusing at first, but these two industry-standard tools are the most effective ways to protect your accounts.
Office 365 has 2-Step Verification built-in.
For all other 2-Step uses on campus, including VPN and online W-2s, we use Duo Security.
Get Started: Download the Duo and Microsoft authenticator apps to your phone
Whether you are setting up 2-Step for use with Office 365 or applications that use Duo, the easiest method for both is to use the available phone apps. Simply search “Duo Security” and “Microsoft Authenticator” in your app store to download these free apps.
Enroll in 2-Step for Office 365 (Heelmail)
To set up 2-Step for Microsoft Office 365, follow these easy steps:
- Visit onyen.unc.edu and click on “2-Step Verification for Office 365.”
- Follow the quick on-screen prompts to opt in to 2-Step Verification.
- Visit office.unc.edu to finish your 2-Step enrollment.
Enroll in Duo Security
Duo Security is used by all non-Office 365 applications on campus that require 2-Step for access. To get started, visit onyen.unc.edu and click on “2-Step Verification for Duo.” You’ll need your PID and mobile phone to complete registration. Pro tip: be ready to set up a preferred method and a back-up option. That way, if you lose your phone or leave it at home, you’ll have an alternate way to authenticate your accounts.
Top Tip: App passwords are essential for Office 365!
If you use an email app on your phone that is not the official Microsoft Outlook app, you will need to get an app password during step three of the enrollment process listed above. You need to enter this passcode in your email app just once to keep receiving your messages.
If you miss this during the enrollment process, visit the “Security & Privacy” section of your account settings. Then, click on “Additional security verification.” A tab for app passwords can be found there.
How 2-Step Verification works
When you activate 2-Step, you will be required to log in with both your password and an additional security measure, such as:
- a code delivered via text or mobile app
- a push (or pop-up) notification on your smartphone
- a voice call delivered to your office or cell phone
How sign-in changes
- STEP 1: Enter your password. Whenever you sign in to a 2-Step protected account, you’ll enter your username and password as usual.
- STEP 2: You’ll be asked for something else to confirm the access request. A code or notification will be sent to your phone via text, mobile app or a voice call.
- STEP 3: Enter the code, accept the push notification, or answer the voice call. This confirms “you’re you.” Report any unexpected pushes or voice calls to 919-962-HELP as these errant notifications may be a fraudulent attempt to bypass the protection offered by 2-Step.
2-Step provides an extra layer of security
Activating 2-Step Verification boosts protection of your account from hackers. We are all used to having one layer of security — our password — to protect our accounts. With 2-Step, if bad guys get through the password layer, they will still need your phone or other second verification methods to get into your account.
If you receive a verification request on your phone that you didn’t prompt, you’ll know that someone is trying to access your accounts. You will deny that request and then work with the ITS Service Desk to reset your password and secure your account.
Protecting the University is a team effort
On our campus and at universities across the country, phishing emails are very common. All it takes is one person to click on a bad link and unknowingly share their credentials for a domino effect of compromised accounts to quickly proliferate across campus. In November 2017, there were more than 5,000 reports of phishing emails! Most of these reports were emails coming from legitimate University email addresses that had been compromised. 2-Step Verification can help keep bad guys out, even if they get your username and password through a phishing attempt.
Your credentials are valuable to criminals
When bad guys steal your username and password, they have the ability to lock you out of your account, and then do any or all of the following:
- Pretend to be you and send unwanted or harmful emails to campus
- Go through — or even delete — all of your emails, contacts, files, etc.
- Use your work account to reset the passwords for any of your personal accounts that may use your UNC email as the username (banking, shopping, etc.)
2-Step keeps both you and the University safer by adding an extra layer of security to the sign-in process.
2-Step Verification
Services that require 2-Step:
- Required for all faculty, staff, and students in Office 365
- Student Financials in ConnectCarolina (Duo)
- Online W-2 access (Duo)
- Campus VPN (Duo)
- Multiple IT administrative applications (Duo)
- 1-Phish, 2-Step rule
- ConnectCarolina Administrative Users
- Multiple applications for Research Administration
- Qualtrics (Duo)