Rowan University 

Title: Two-Factor Authentication Policy
Subject: Information Resources and Technology
Policy No: CIO: 2018:01
Applies: University-Wide
Issuing Authority: President, and Senior Vice President for Information Resources and Chief Information Officer
Responsible Officer: Senior Vice President for Information Resources and Chief Information Officer
Adopted: XX/XX/2018
Last Revision: 07/02/2018


Two-factor authentication adds a second layer of security to Rowan Network accounts. This second form of authentication helps to prevent unauthorized access to an account even if the password is compromised. Rowan University currently uses a product called Duo for two-factor authentication.

Duo can provide a second form of authentication via a mobile device app, phone, or hardware token. The mobile device app is recommended. Rowan users must use at least one but are encouraged to have at least two registered methods of two-factor authentication in Duo so that they can always log in to a Rowan service even if one method is temporarily unavailable.

Using Duo for two-factor authentication is mandatory for all Rowan services protected by Duo.  Rowan services currently protected by Duo are outlined in Addendum A.


Under the direction of the Chief Information Officer, Rowan University management shall implement and ensure compliance with this policy.


This policy applies to all members of the Rowan community who use Rowan services protected by Duo two-factor authentication. This is currently primarily web-facing applications using CAS, such as Google Docs or VPN services.


  1. For the purposes of this document, members of the Rowan community are classified in one of two groups:
    1. Employees are defined as individuals that are active employees of the institution. This also includes sponsored employee-like affiliates such as members of the University community who may work for an external vendor or have a contract or other agreement with the University that requires them to access University systems.
    2. Students are defined as individuals enrolled in Rowan courses or degree programs. This also includes sponsored student-like affiliates such as Rowan Choice.
  2. Two-factor authentication adds a second layer of security to a Rowan Network Account. Some services and websites refer to this second layer of security as two-factor authentication, 2FA, two-step authentication, two-step verification, or login verification. This second form of authentication helps to prevent unauthorized users from accessing an account, even if the password is compromised.
  3. The Duo Mobile app is available for phones and cellular capable devices, both Apple and Android. It is available for free from the Apple App Store and Google Play Store. It allows the user to say “Yes” or “No” to any attempted login and thereby provides a second factor of authorization to services protected by two-factor authentication.
  4. A phone is a device capable of receiving phone calls or text messages. It allows the Duo system to contact a user by voice or text message in order to ask them to agree to any attempted login and thereby provides a second factor of authorization to services protected by two-factor authentication.
  5. A hardware token is a small device that can generate a passcode that can be used as a second factor of authorization to services protected by two-factor authentication.


  1. Employees
    1. Required:
      Rowan requires employees to use either the Duo Mobile app or a phone as a method of two-factor authentication. This can be supplemented by the use of a hardware token where necessary, see below.
    2. Optional:
      Rowan recommends that employees enroll a second device for two-factor authentication for use if their required method is unavailable. This second option may be the other of the two required options listed above, or may be a hardware token. Employees may purchase a hardware token from IRT (visit or departments may wish to purchase hardware tokens from IRT for employees who do not have access to a suitable phone as detailed in section V. A. a.
    3. Department supervisors should consult with IRT regarding purchasing hardware tokens for staff that may need them for access to applications that are required to perform their job. Applications that currently require Duo authentication are listed in Addendum A.
  2. Students
    1. Required:
      Rowan requires students to use a mobile phone, landline phone, or a hardware token as a primary method of two-factor authentication. Students who do not own a smart phone may request a hardware token from IRT. One will be provided for free. Replacements for lost or damaged student hardware tokens must be purchased from IRT. (visit
    2. Optional:
      Rowan recommends that students enroll a second device for two-factor authentication for use if their primary method is unavailable. This second option may be any of the three options listed above.
  3. Hardware Token Recycling or Disposal
    1. Tokens may be returned to any designated IRT office for recycling or disposal. No refunds (partial or full) will be issued for returned tokens.
  4. Training for the applications are listed in Addendum A
    1. Any training involving the applications currently listed listed in Addendum A will require the person attending the training to be enrolled in Duo.