One Phish / 2-Step Standard

Authority: Vice Chancellor for Information Technology
History: First issued in 2015; Last updated May 15, 2017
Scope: All NC State Google accounts, including generics

In 2015, OIT implemented the One Phish / 2-Step rule to provide greater security for our users and to better protect our domain. This rule provides a mechanism for enforcing Google 2-Step verification on an account that has been either phished at least once or compromised (e.g., by password sharing).  

In 2016, NC State University mandated enrollment in Two-Factor Authentication for all employees (including faculty, staff, student employees, no-pay employees, and retirees) by October 31, 2017. This includes both Google 2-Step verification for G Suite accounts and Duo for services that use Shibboleth. For more information, see

Under current policy, students are strongly encouraged but not yet mandated to enroll in both of the university’s two-factor services. They should expect a similar policy to be in effect in 2018.

If an account is phished or otherwise compromised prior to the date when two-factor authentication enrollment is required, then the use of Google 2-Step will be enforced on that account.