Two-Factor Authentication
Two-factor authentication provides a second level of security for your Ryerson account. In addition to your password, a time-limited code is required to log in. That way, even if someone steals your password, they may be prevented from hijacking your account when it’s protected by two-factor.
Codes are generated by devices you have with you. The device can be a mobile phone, a universal second factor (U2F) security key or a one-time verification (OTV) code generator.
Setting up for the first time
If this is the first time you’re enabling two-factor on your Ryerson account, visit our setting up two-factor authentication page for details related to mobile device, U2F security key and OTV code generator setup.
Getting the full effect
CCS recommends using two-factor for all applications. If you've already set up two-factor for required applications only, learn how you can enable two-factor for all applications.
Using and revoking two-factor
Once your device is set up, a two-factor authentication screen will prompt you for a verification code after you sign in with your Ryerson username and password.
The code is generated by the Google Authenticator app you’ve installed on your mobile device or from your assigned one-time verification code generator.
Note the option to select I trust this browser on this device. Don’t ask for codes for 30 days. Checking this box means you trust the browser on the device you’re using and the authenticator will only prompt you for a verification code once every 30 days.
Once your U2F key is set up, a two-factor authentication screen will prompt you to insert the key whenever you sign in with your Ryerson username and password. Note the U2F key will only work with a Chrome or Firefox browser.
To proceed, take the following steps:
- Insert the U2F key into a USB port on your computer.
- Once the key starts blinking, do one of the following, depending on the style of key you have:
- Touch the metal sensor plate on the surface of the key; or
- Touch the metal sensor prong on either side of the key; or
- Press the raised button on the surface or end of the key.
- When the screen shows you’ve logged in, you may remove the key.
If you’re ever without your key, you still have the option of entering a code by clicking the link, Log in with one-time verification code instead.
To revoke two-factor authentication use on your Android device, you’ll need to update your Ryerson account as well as your mobile device. Some of the reasons you might want to do this include:
- you no longer trust a device
- you clicked the trust option out of habit on a shared device and need to undo it
- your device is no longer in your possession either because it’s lost or you’ve lent it to someone else
Update your Ryerson account
- Log in to the my.ryerson portal with your username and password.
- Find the Self Service module and click Personal Account.
- Under the Security section, click Two-Factor Authentication.
- Under the Mobile Device heading, click the Revoke button next to the mobile device you'd like to remove.
Alternatively, you can quickly revoke all your trusted devices and browsers by clicking the Revoke all button near the top of the page.
Update Your Android Device
On your android device, open the Authenticator app.
Tap and hold on the verification code until you see menu options appear at the top of the screen.
Tap the garbage bin icon to remove the code and your account.
1. Next you’ll find a confirmation screen. Read the warning and if you’d like to proceed, tap the Remove Account option.
2. Close the app
To revoke two-factor authentication use on your iOS device, you’ll need to update your Ryerson account as well as your mobile device. Some of the reasons you might want to do this include:
- you no longer trust a device
- you clicked the trust option out of habit on a shared device and need to undo it
- your device is no longer in your possession either because it’s lost or you’ve lent it to someone else
Update your Ryerson account
- Log in to the my.ryerson portal with your username and password.
- Find the Self Service module and click Personal Account.
- Under the Security section, click Two-Factor Authentication.
- Under the Mobile Device heading, click the Revoke button next to the mobile device you'd like to remove.
Alternatively, you can quickly revoke all your trusted devices and browsers by clicking the Revoke all button near the top of the page.
Update Your iOS Device
On your iOS device, open the Authenticator app.
Tap the pencil icon in the top-right corner to edit.
In the Ryerson University tile, tap on the circle on the far-right of the screen to select it and then tap the Delete option that pops up at the bottom of your screen.
1. Next you’ll find a confirmation screen. Read the warning and if you’d like to proceed, tap the Remove Account option.
2. Close the app.
To revoke use of an OTV generator device, you’ll need to update your Ryerson account. Some of the reasons you might want to do this include:
- you no longer trust a device
- you clicked the trust option out of habit on a shared device and need to undo it
- your device is no longer in your possession either because it’s lost or you’ve lent it to someone else
Revoke an OTV generator device:
- Log in to the my.ryerson portal with your username and password.
- Find the Self Service module, click Personal Account.
- Under the Security section and click Two-Factor Authentication.
- Under the One-Time verification code generator heading, click Revoke button next to the generator listed.
Alternatively, you can quickly revoke all your trusted devices and browsers by clicking the Revoke all button near the top of the page.
To revoke use of a U2F security key, you’ll need to update your Ryerson account. Some of the reasons you might want to do this include:
- you no longer trust a device
- you clicked the trust option out of habit on a shared device and need to undo it
- your device is no longer in your possession either because it’s lost or you’ve lent it to someone else
Revoke a U2F security key:
- Log in to the my.ryerson portal with your username and password.
- Find the Self Service module, click Personal Account.
- Under the Security section and click Two-Factor Authentication.
- Under the U2F security keys heading, click the Revoke button next to the key you'd like to remove.
If you don’t have a supported mobile device, check with your department for approval purchasing a universal second factor (U2F) security key or a one-time verification (OTV) code generator.
U2F security keys can be purchased for use with Google Chrome or Firefox browsers. The least expensive model is likely the HyperFIDO Mini which normally retails for about $10.
Similarly, a small one-time verification (OTV) code generator device can be used instead of your phone. They’re available from Computing and Communications Services (CCS) for $30 and can be requested using the One-Time Verification (OTV) Code Generator Request Form on the CCS website.
On mobile devices
Open the Google Authenticator app that you installed on your mobile device to use the one-time verification code it displays.
With U2F security keys
Insert the U2F key into a USB port on your computer. Once the key starts blinking, do one of the following, depending on the style of key you have:
- Touch the metal sensor plate on the surface of the key; or
- Touch the metal sensor prong on either side of the key; or
- Press the raised button on the surface or end of the key.
On one-time verification code generators
Turn on the device and use the one-time verification code it displays. The device will turn itself off once the code expires.
Yes. Check out our listing of apps that require two-factor authentication to log in.
If you’re using a computer you control (as opposed to someone else’s computer or a shared machine), you can tell the authentication service to not ask again for 30 days. Look for and select the I trust this browser on this device check box after entering your one-time verification code.
This feature uses a cookie to remember your device. The cookie itself doesn’t contain any information about you or the device you’re using. Instead, it verifies that you’re using a device you previously registered.
Remember to only use this feature for browsers on devices that are not shared with other people such as a personal workstation, laptop or mobile device.
Adding trusted browsers
You can add your browser to the trusted list by selecting "I trust this browser on this device. Don't ask for codes again" after entering your verification code.
Removing trusted browsers from your list
To remove devices from your set of trusted devices:
- Delete all browser cookies from your device, or
- Log into my.ryerson.ca. Select Self Service > Personal Account > Security > Two-Factor Authentication > Revoke all Trusted Devices.
If you’re prompted to enter a verification code despite having selected “I trust this browser on this device. Don’t ask for codes again”, try the following solutions:
Make sure cookies are enabled on your browser.
The “trust this browser” option will not work if your browser doesn’t have cookies enabled, is set to delete cookies after a certain period of time or is set to delete cookies every time you quit the browser.
Designate different browsers and devices as “trusted” browsers/devices one-by-one.
If you use different browsers or devices, each one needs to be designated as a trusted browser or device the first time you sign in on it. For example, trusting Chrome on your desktop does not automatically mean Chrome is trusted on your laptop or mobile device - you must select I trust this browser on this device. Don’t ask for codes again. for Chrome on every device you sign in from.
Check if you’re browsing in incognito or privacy mode.
Incognito or private browsing windows can't access existing cookies from other browser sessions on your device, so it won’t know if you’ve previously designated the browser as trusted. If you want to use the “trust this browser” option, sign into CAS using a regular browsing window.
Before replacing any mobile device you’re using for two-factor, you should generate two-factor backup codes. Otherwise, you may be locked out of your account during the transition to your new device. Here’s how:
- Using your computer, log in to the my.ryerson portal with your username and password.
- Find the Self Service module under the my.ryerson tab and click Personal Account.
- Under the Security section, click Two-Factor Authentication.
- Click Generate New Backup Codes.
Next, you’ll need to revoke two-factor authentication from your old device:
- Using your computer, log in to the my.ryerson portal with your username and password.
- Find the Self Service module under the my.ryerson tab and click Personal Account.
- Under the Security section, click Two-Factor Authentication.
- Under Two-Factor authentication is set up for: click Revoke next to the Mobile Device listing.
- At the bottom of the page, you’ll find a listing of all your trusted browsers and devices. If your old device is listed, click the Revoke all trusted devices link.
Now you’re ready to set up your new device by installing Google Authenticator onto your new phone. Follow the steps for Android or iOS devices, including the steps for Part two: Add two-factor to your Ryerson account.
Once setup is complete, we recommend securely erasing or wiping your old device before disposing of it. For help doing this, contact your mobile device carrier or manufacturer.
Ryerson’s two-factor authentication system does not use text messaging, mobile data or wifi when you access the authenticator app. You’ll just need to set up the authenticator app and you’re good to go.
In your two-factor authentication settings, you can opt to generate one-time-use backup codes that can be kept as a recovery option if you cannot access your mobile device. We recommend printing and and keeping a copy in your wallet.
Some email clients support two-factor with IMAP. Check your email software to see if OAuth 2.0 is an option in your software’s IMAP configuration. If it isn’t, then use an application-specific password, which is more secure than your regular password - we call it a Google token. For help setting this up, see our page on how to Get a Google Token.