2-Step Verification Guide

One of the benefits of being a Luther student or employee is that you get a Norse Apps account, which includes email, cloud storage, a productivity suite, calendar, and many other services crucial to your college work. Norse Apps is so central that it needs to be well protected — for your benefit and for the community at large. Aside from a good password, you’ll also need to turn on Google 2-Step Verification.

2-Step Verification is a required extra layer of security: all Luther email accounts must have Google 2-Step Verification enabled. It protects your account by requiring more than just your password to sign in. We recommend that you turn this on the first time you sign in. After your first login you have a two-week grace period to set up 2-Step Verification on your email account. If you don’t enable 2-Step Verification in time, your account will be suspended and you will need to contact the Technology Help Desk.

Note: Accounts can only be re-enabled during standard business hours (8-5 Monday-Friday CST).

If you’re still within two weeks of your first sign-in, you can turn on 2-Step Verification by choosing “Enroll” on the sign-up prompt immediately after login. Alternatively, go straight to your 2-Step Verification settings.

During the enrollment process you’ll associate a phone with your account. You can find detailed instructions on Google’s support page. You can still use 2-Step Verification if you don’t have a phone—see below for more detail.

After enrolling, you’ll see a screen where you can set up additional verification methods. We recommend that you turn on as many methods as possible. At a minimum, you should print out a set of backup codes and set up a second form of authentication, preferably one that doesn’t rely on the same device. If you ever get locked out of your account, the Technology Help Desk can get you back in.

Common questions

2-Step Verification (a.k.a. two-factor authentication) is new to many people and adds some complexity to our digital lives, so it’s OK to have questions. Here are the ones we get asked most often. Another great resource is Google’s Common issues with 2-Step Verification page. If your question still isn’t answered or you want to talk to a person, contact the Technology Help Desk.

Can you explain Google 2-Step Verification in more detail?

Google 2-Step Verification is an extra layer of security for your Norse Apps account. It greatly reduces the likelihood that your account is compromised by a simple data breach or phishing attack. Specifically, 2-Step Verification is designed to stop a hacker who has obtained your password by also requiring something that only you have, like your phone. In practice, you’ll occasionally be prompted to verify your identity with a method you’ve already chosen, like typing a one-time code sent to your phone. You’ll be prompted every 30 days on your own devices and every time you use a new device, such as a Luther lab computer. You get to choose how you’d like to verify your identity.

What second step methods are available?

There are many different 2-Step Verification methods available and you should choose at least two. Most people use their cell phone as their primary method, either by receiving a text, a phone call, or using an app. Everyone should also set up a method that doesn’t depend on their cell phone, like backup codes, a USB security key, calls to a landline, or an authentication app on another device. Many of those secondary methods also work well for travelers and for people without United States phone numbers or with poor reception. Here’s a breakdown of the pros and cons for each method:

  • Text message: The most common method and available at initial setup. Still works if you change phones but keep your number. May fail if traveling abroad.
  • Phone call: Great for office phones and for people without cell phones or with poor cell reception. Landlines are also good secondary methods in the event that you can’t use any of the other cell-dependent methods.
  • Printed backup codes: All users should set up this option. Great when all other methods fail. Not designed to be the primary or only authentication method.
  • Authentication app: More secure than text. Available without wifi or cell signal. Great for travelers. Apps like Authy allow computers to generate codes, not just mobile devices. Not available at initial setup and breaks if the device is wiped or replaced.
  • Google prompt: Available at initial setup. Easy to set up and use. Doesn’t need cell signal. Breaks if your password is reset.
  • USB token: Most secure option. Not phone dependent. Requires additional purchase.

Do I need a phone?

No. You can use a USB token, printed backup codes, or an authenticator app on a computer, tablet, etc. You can set up 2-Step Verification from any mobile device or any phone line, including landlines. For faculty and staff without access to a mobile device, start with your office phone.

What happens if I get locked out?

Contact the Technology Help Desk.

Why does my authentication method fail when I change my password?

The Google Prompt option will fail when you change your password because it delivers codes through Google apps to which you're signed in. When you change your password, you get signed out of all your Google apps, so codes aren't delivered. This is the only authentication method with that problem, so simply having any other backup option will help you avoid this situation.

I'll be traveling abroad. What do I need to do?

There are numerous options for 2-Step Verification usage overseas. Options include: Authenticator App on a computer, tablet, or phone; USB security keys; landline or local cellphone in the country in which you'll be residing; and backup codes. 

Do I need 2-Step Verification when I use Lab/Classroom/Podium computers?

Yes and no. When logging on to a lab, classroom, or podium computer you do not need a verification code. However, if you want to use Norse Apps (email, docs, etc.) from a lab, classroom, or podium computer then, yes, you will need a verification code. Since lab, classroom, and podium computers are public computers and by design do not remember who you are, you will need a code each time you access your Norse Apps from one of these computers.

How do I set up 2-Step Verification for shared accounts such as student organization accounts or departmental accounts?

Option 1: Have one person in the group be the keeper of the two-factor credentials for the shared account and maintain who can access it. That person would set up the other people who are allowed to check the shared account as email delegates (Settings > Accounts and Import > Grant Access to Another Account). Then they could access the shared account from a menu within their own account and wouldn't have to authenticate to the shared account separately. Note there is a limit of 25 delegates for an account.

Option 2: Enable Google 2-Step Verification as you would with a regular account, ensuring everyone that needs to use the shared email account has a method of getting the verification codes. Set up the verification with the office phone and/or cell phone of everyone that checks the shared account.

Option 3: Some departments are choosing a hybrid approach, using Option 1 for staff and Option 2 for their student workers. 

Turning on 2-Step Verification

Do this the first time you sign in, or you'll get locked out after 14 days.

Step 1: Get started

Immediately after signing in to your new mail.luther.edu account, you'll be prompted to turn on 2-Step Verification. Choose "Enroll Now."

If you've already passed the prompt, use this link to start.

**If you can't log in at all, contact the Technology Help Desk**

Step 2: Basic Setup

You'll be prompted to send a setup code to a phone number or accept a prompt on another device. When successful, you'll see an option to "Turn on".

Step 3: Set up additional methods

Print out a set of backup codes. An authenticator app is also a great additional method.