Add Two-Step Login to Your Online Service using CUWebLogin
For Administrators: If your service authenticates with CUWebLogin (CUWL), you can easily add Two-Step Login. Otherwise, you may be able to integrate two-factor authentication using a Duo Application.
This article applies to: Two-Step Login
Starting with version 2.3, CUWebAuth (CUWA) includes a CUWA2FARequire directive that triggers two-factor authentication, with the option to limit this to specified directories or groups of users. More information can be found on the Directive Reference page of the CUWA documentation and the release notes.
After a user completes the first step of logging in using the regular CUWebLogin page, a new page will open with the Two-Step Login authentication prompt. The "Remember me for 24 hours" option is enabled, so a user will only need to perform secondary authentication once within any 24-hour period for all services using CUWebLogin within that web browser.
Two-Step Login can also be added to a service that uses Shibboleth for federated authentication and, as with CUWebAuth, you can limit the requirement for the second step of logging to a defined set of users.
Configuring a Shibboleth-based service to use Two-Step Login requires server-side changes that can only be implemented by Identity Management staff. To take advantage of this capability, please email Identity Management. If you would like to require two-factor authentication for only a subset of your users, include the name of an AD group that includes the NetIDs of those people.