Accessibility statement

Bringing two-factor to your University Google/email account

Posted on 19 September 2021

In the past two years we’ve brought two-factor authentication (2FA) to University systems including the VPN, Virtual Desktop Service, SSH, Student Enquiry Screen and e:Vision. We are now working to add this protection to University Google/email accounts.

If you are a member of staff at the University, you will need to set up 2FA on your Google/email account by Tuesday 23 November.

While we say “two-factor authentication” (2FA), Google says “2-Step Verification” (2SV).

These terms are interchangeable and mean the same thing. You may also see some refer to it as “multi-factor authentication” (MFA).

At this time we’re only enforcing 2FA on your primary staff account, with a view to expand this to students, postgraduate researchers and other accounts (for example, non-personal accounts) in 2022.

Why we’re doing this

At the moment, 2FA is available on all University Google accounts, but it is not mandatory. If your account does not have 2FA switched on, anyone could log in to your account if they had your password - even if they’ve got hold of that information maliciously (for example, via a phishing attack).

If someone is able to log in to your University Google account they can access your:

  • Emails
  • Google Drive files
  • Saved browser passwords
  • Calendar information
  • Contact lists (including the full University directory)
  • Google Groups
  • Services that offer the “Sign in with Google” option - including Slack, Asana and Formstack.
  • And much more

This type of attack has already happened, so this simple additional step will have a big impact on everyone’s digital safety. Also when an attacker gains access to one University email account, they tend to also use it as an opportunity to target other University accounts (for example, by sending phishing emails).

Furthermore, it is now impossible for an organisation to obtain cyber insurance without enforcing 2FA. Therefore most, if not all, universities will be implementing 2FA (or will have already done so).

What will happen

There are two key dates to be aware of:

  • From Tuesday 19 October, staff will start seeing messages from Google warning you that 2FA will soon become mandatory.
  • Google 2FA will become mandatory for staff on Tuesday 23 November.

A note on Duo

A key point to be aware of is that we will not be using Duo 2FA to protect University Google accounts. This is because we don't want your access to Google to depend on any campus infrastructure. Google will keep working even if campus IT services are completely down.

We will continue to use Duo 2FA for other University services, such as the VPN, Virtual Desktop Services, SSH, Student Enquiry Screen and e:Vision.

However, the fundamental steps remain the same:

  1. You will log in to your account using your email address and password
  2. You will then use your device to authenticate your login (either by typing in a code received by text message/phone call, responding to an app notification, or using a hardware key).

And if you have any problems accessing your account, you will contact the IT Support team.

A prompt from Google inviting a user to set up 2FA.

What you need to do

If you have already enabled 2FA on your University Google account then there is nothing more you need to do.

If not, you can set up (“enrol”) your 2FA at any time from now until it becomes enforced.

The most convenient way is to use your mobile phone or tablet for this, as it’s a device you’re most likely to have with you when you’re logging in. However, your University extension number can also be used for the automated phone call option. We will also have hardware security keys available if you need one.

If you have not set up 2FA by Tuesday 23 November you will be prompted to do so when you next log in to your Google account. You will not be able to proceed until this has been completed.

Help and guidance

Updated October 2021

All our guidance is now available on our new Google 2FA web page:

This includes step-by step instructions for setting up 2FA on your Google account, logging in using Google 2FA and troubleshooting tips if you have any problems.

We will continue to add to this guidance as we identify any common issues. 

If you have any questions or concerns, please email itsupport@york.ac.uk.