Two-Step Verification for REDCap Login

UIC REDCap requires 2-Factor Authentication (2FA) as an additional step to verify your login credentials. There are three options for 2FA: Duo, MS/Google Authenticator, and email verification.

If you are currently using Duo authentication for UIC websites, you can use the same app for REDCap. Once your login is verified via Duo on your device, it will be remembered so that you don’t need to do 2FA for 7 days.

Non-UIC REDCap users need to use email verification first, and set up MS/Google Authenticator if they want to use the apps instead of email verification.

2FA is essential to web security because it’s an additional layer of security that can immediately neutralize the risks associated with compromised passwords. For example, if a password is phished, hacked, or even guessed, an intruder will not be granted access without approval from the second factor. Thus, a password alone is insufficient to access systems protected by 2FA. Additionally, an unanticipated 2FA authentication request can inform the account owner that their password is compromised so that they can immediately change their password. Finally, 2FA is a requirement of the CMMC and NIST 80-171 frameworks that enable researchers to engage in research projects with federal agencies and other partners that require high levels of information security assurance.

1. Download the DUO app to your mobile device

   • Internal Users: Faculty and Staff within the University of Illinois System should have already downloaded and registered with Duo Security as it is the preferred 2-Factor authentication method of the University.
   • External Users: Users outside the University System will not be able to use the DUO option as they are not and cannot be registered within the “NetID Center.”

2. Log into REDCap as usual and then select the “DUO” option on screen

3. Select the method you prefer: “Send Me a Push,” “Call Me,” or “Enter a Passcode”

   • Send Me a Push will send a push notification to the registered smartphone allowing you to approve or deny the request.
   • Call Me will initiate a phone call to your smart phone. Answer the call and press any key to authenticate.
   • Enter a Passcode can be used to generate passcodes even while offline.

To use two-step verification to log in to REDCap using Google Authenticator or Microsoft Authenticator mobile app for the first time, do the following:

1. Download the Google Authenticator or Microsoft Authenticator app to your mobile device Download the app by searching for ‘Google Authenticator’ or ‘Microsoft Authenticator’ in your mobile device’s app store (e.g., Apple App Store, Google Play Store).

2. Log into REDCap as usual and then select the “Email” option. (See Option 3 instructions in this document.)

3. Click on “Profile” on the upper right corner

4. Select “Set up Google Authenticator or Microsoft Authenticator for two-step login” under “Login-related options”

5. Instructions and a QR code will open on screen. Open the app, and scan the QR code on the screen.

6. Log out of REDCap to test the app.

7. Use the app when you log in to REDCap.

After you have scanned the QR code using the Google Authenticator or Microsoft Authenticator app, you can open the app at any time in the future to obtain your verification code for REDCap. The verification code is always changing, so it will be different each time you log in. NOTE: The app does not require an internet connection on your device in order to work.

1. Log into REDCap as usual and then select the “Email” option on screen.

2. An email will be sent to the email account connected with your REDCap user name.

3. Copy the verification code you receive via email—it expires in 2 minutes—and enter it into the blue box next to “Submit.”

4. Click on “Submit.”

• two_step_verification_for_red_cap_login.pdf