FAQ for Departments about Division of IT provided Yubikeys for Enhanced 2FA


Introduction

Frequently asked questions for Department Leadership about the transition to Enhanced 2FA.  

Frequently Asked Question(s)

Q:  Is someone eligible for a Yubikey provided by the Division of IT if they have a phone which supports Duo Mobile, but do not wish to use it?

A:  The specific use case will need to be examined.  Many users are provided VT-issued equipment such as mobile phones, tablets, laptops, or other devices which are still capable of meeting the requirements of Enhanced 2FA.

 

Q: Will we be able to replace Yubikeys if they are lost, stolen, or damaged?

A: No. Yubikeys provided by the Division of IT are provided only to assist with the transition to Enhanced 2FA. 

 

Q: Do the Yubikeys belong to the department or do they belong to the user? 

A: Yubikeys purchased with state funds belong to the university, the same as any other tool provided to employees to do their work.  Yubikeys should be returned to the department and reused upon employee departure.

 

Q: How are Yubikeys provided by the Division of IT distributed? 

A: Yubikeys will be distributed at the Torgersen Hall Bridge Software Service and User Experience and Engagement window.  Each Yubikey will be assigned to a specific user based on the use case.  Only one Yubikey will be issued per user, and keys may be picked up by that individual or their IT support.

 

Q: What if a Yubikey won’t work for me?

A: There are many options available for multi-factor authentication, including D-100 devices, WebAuthn authenticators, soft tokens, and the Duo Mobile application, which can be installed on mobile phones as well as tablets.  If departments require assistance resolving a specific use case, please reach out to the IT Council with your concerns.

 

Q: Are students eligible for Yubikeys provided by the Division of IT?

A: You must be an employee of the University to be eligible to receive a Yubikey.  These devices are a one-time purchase designed to ease the transition to Enhanced 2FA and strengthen our overall security.


Q: What is critical or sensitive data?

A: You can see the Data Risk Classification matrix here: https://it.vt.edu/content/dam/it_vt_edu/policies/Virginia-Tech-Risk-Classifications.pdf

Accessing any High Risk data, even your own, can be considered accessing critical or sensitive data.  If any of the data you have access to includes High Risk data, it is likely that for the purposes of Enhanced 2FA you are accessing critical or sensitive data.

 

Q: How long do we plan to issue Yubikeys at no cost? Is it time-limited during this transition, or will this be a long-standing/permanent service? If it is temporary, how long will it last?

A: The Division of IT has purchased a limited number of Yubikeys to assist with the transition to Enhanced 2FA. This is a temporary program which will last throughout the Enhanced 2FA project to assist with the transition. Moving forward, departments and users will need to be prepared to follow the best practices for 2FA found here: Best Practices for 2-Factor Authentication Usage at Virginia Tech

Q: How are Yubikeys reissued after the user has left the department?

A: Yubikeys may be reissued to a new user after a previous user has left the department.  Users can remove devices themselves.  IMCS also has a process for removing Yubikeys from a user in Duo so that they can be reissued without being attached to another user. The department must request to have it removed; they currently do this through an Incident in ServiceNow.

Q: What about users that are not in Blacksburg or work remotely?

A: Yubikeys may be shipped to remote workers. If you require a Yubikey to be delivered to a user, the department will need to provide the correct shipping address.  The device will be mailed by the University.