How organizations can opt in early to use 2FA on the web

Last updated: July 8, 2020

As part of the initiative to expand the use of 2FA on the web, organizations can protect their users, systems, and data by opting in to use 2FA as an organization, before required use is phased in for employees, students, and other populations.

Note: some organizations already require 2FA for access to sensitive data on the systems they own. If you want to apply 2FA to a specific system, and not to all the members of your organization, refer to add 2FA to your IT system.

Prerequisites

Organizations, teams, and programs can better protect their resources by having their members always use 2FA. To be successful, all their members must be eligible to use Duo, and the organization should be willing to continue to use 2FA during the transition to required use.

Instructions

  1. StepsActions
  2. Use the Groups service to find or create a group that represents your members. Many organizations, teams, and programs already have groups they use to implement access policies for collaboration, communication, and sharing. If you need help finding or creating a group that accurately represents your members, contact us.
  3. Confirm all the members of your group are eligible to use Duo. Current Duo eligibility is described in the 2FA FAQ, and eligibility can be requested and approved on a case-by-case basis.
  4. Submit a request to help@uw.edu to opt in your organization. Please include the following information in your request:
    1. name of your organization, team, or program
    2. unique identifier for your group (e.g. uw_zschool_all)
    3. general composition of your group (e.g. mostly employees, mostly students, mix of both, other researchers and collaborators)
    4. your planned opt-in date (to require 2FA for your members)
    5. your planned way to communicate with members about 2FA
  5. UW-IT will review your request for completeness and reasonableness. It should be clear to UW-IT that you have delegated authority to make information security decisions for your organization. Also, your planned opt-in date should be early; that is, it should be before use is generally required for specific populations.
  6. Identify any members of your organization for whom 2FA creates an operational risk to your organization. For example, in some rare cases, IT staff might use their personal UW NetID to automate or run system tasks that take a very long time, and they may not be present when these tasks require them to sign in with 2FA. UW-IT may be able to help you explore ways to handle these cases, so that the rest of your organization doesn’t have to wait to opt in.
  7. Manage the change within your organization, including communications with your members. For example, you can use an email template provided by UW-IT to let your organization know why you plan for them to use 2FA, when you plan to opt them in organizationally, and how they can ensure they’re ready. You can also encourage individual adoption ahead of time, and promote current best practices that will help your organization use 2FA more effectively.
  8. On your planned opt-in date, coordinate with UW-IT to confirm your organization has been opted in. UW-IT will use your original request to coordinate with you, resolving the request upon completion. If unanticipated operational issues arise, you can work with UW-IT to identify and implement workarounds.
  9. Thank the members of your organization for doing their part to protect personal and institutional data, and encourage them to share constructive feedback with UW-IT. Feedback from your organization can help improve