On February 16, members of the Brown community will begin using Shibboleth logins for Google services, instead of logging in with an email address and a Google-specific password. This gives us all better security, as Shibboleth logins generally require DUO two-step authentication, so even if your password is compromised, the second step will protect you from hackers. With this conversion of Google to Shibboleth, we also get an additional advantage - you now only need to remember one password, not two!
How will it work?
Currently, when you log in to a Google-based service, you enter your email address and press “Next”, then are prompted on a second screen for your Google password. Once Shibboleth for Google is in place, instead of being prompted by Google, you’ll be taken to Brown’s Shibboleth screen, where you’ll enter your Brown Username (e.g., “jcarberr”) and your Brown password. If you’ve recently logged into a Brown Shibboleth-based service, you may not even be prompted, and will go straight to your Brown Gmail mailbox!
Google logins via Shibboleth will still be valid for two weeks, as they currently are, so you won’t need to enter your password more often - you’ll just do it a little differently.
Most members of the Brown community use their Brown password on a daily basis, but for some folks such as clinical or emeritus faculty, the Shibboleth login screen and two-step DUO authentication are not regular activities.
If you do not have DUO set up yet, please see our KB article. You can test the setup before the Google conversion by visiting Workday for faculty/staff or Canvas for students. If you can successfully log in and complete the DUO step at those pages, you can feel confident that you will be able to authenticate at the changeover.
Accounts with an @alumni.brown.edu email address are not being changed at this time - these will continue to use Google passwords.
What login services might be affected?
The Shibboleth authentication will work successfully on web-based authentication directly to Google, services that rely on “login with Google” prompts, and most modern mobile applications.
The login may fail with some older services that can’t use the modern “OAuth” protocol, such as iPhones running operating systems older than iOS 6, Android 4, and apps using older mail protocols such as POP. Nearly all modern applications can use OAuth. If you have a system or service that cannot, please contact your IT Support Consultant or the IT Service Center, and we may set up your account with separate Google 2-factor authentication.
Separate communications will be sent to owners of shared mailboxes for which passwords are shared - there are a small number of these in use across the campus.
When will the transition occur?
We will make the change on the morning of Wednesday, February 16.
What about shared accounts?
If you read your email from within the Google interface, you can still send and receive messages "as" the other account, and will not need to directly log in or use a two-step authentication.
If you and your department have or need a shared password for the account, two-step authentication will be required for the account, starting on March 3. OIT's Computing Accounts and Passwords office is reaching out to account owners, asking them to fill out a form confirming password use and to set up the two-step login.
To protect Brown's data, we intend for all Brown accounts (except for alumni) to be using Shibboleth or another 2-factor solution by March 3.