Benefits and Uses of Multifactor Authentication

The following answers questions users interested in multifactor authentication may have.

Why is UA deploying multifactor authentication? What is the benefit?

Second factor authentication mechanisms provide greater assurance that users are correctly identified, and they help prevent abuse when someone’s username and password are compromised. Federal guidelines for agencies require 2 factor authentication in cases where a compromise could entail:

  • “moderate” inconvenience or
  • distress or
  • damage or
  • financial loss or
  • liability or
  • if there is “any” risk of unauthorized release of sensitive information

Like most institutions, UA increasingly relies on web-based applications, which are primary targets for exploitation. Many attacks (a Verizon summary of breaches states 95%) involve harvesting credentials from end user devices, then using them to log into web services. For example, CU Boulder potentially experienced a compromise of its emergency system during a police incident, resulting in several false active-shooter reports. Boston University implemented 2 factor authentication after compromised passwords enabled employee payroll deposits to be diverted.

Are other universities using multifactor authentication? Are they using Duo Security?

Yes and yes. Many institutions have adopted 2 factor authentication and require its use to access key institutional services. Some require use by all employees and at least one (Virginia Tech) requires use by both employees and students. Over 100 universities have agreements with Duo; several of them have very large implementations with many thousands of users.

Which identities use Duo 2 factor authentication?

Participation at UA is being rolled out gradually. Users who have an attribute in their UA Active Directory record indicating use of 2 factor authentication will automatically be presented with the auto-enrollment process (see Duo 2FA Enrollment Guide for UA DuoUAenroll) the next time they log in to any of the services that rely on our SAML (Shibboleth) SSO; after that, they will be challenged for a 2nd factor to authenticate. For now, users contact IAM and request 2 factor authentication. A service owner may require users to be enrolled in 2FA to access that service.

What services or which identities require Duo 2 factor authentication?

DocuSign (electronic signatures), Amazon Web Services administrator access, and RAVE emergency communications are the first services at UA being configured to require 2 factor authentication. Other services may require 2 factor authentication if and when service owners determine it is appropriate. Users who have not enabled 2 factor authentication will not be able to access these services until they opt in to 2 factor authentication for their UA identity.

What if I do not have or decline to use my smartphone as 2nd factor?

You may enroll other types of devices either as backup or alternatives to a smartphone:

  • a mobile phone that can accept SMS text messages;
  • any telephone number to receive a call from Duo that will prompt for a response;
  • a small USB token from YubiKey; or
  • a series of one-time codes (received via SMS text) that you can copy and enter as needed.

The experience of many thousands of users suggests the smartphone app is almost always the most convenient and least obtrusive mechanism, but you are encouraged to enroll other devices in case your smartphone is unavailable.

How do I opt in to use Duo 2nd factor for logins using my ID?

If your authentication invokes two factor authentication (because a service requires it or because you are in the security group using two factor) and you have not previously used Duo Security with UA, you will be presented with a page to automatically enroll and designate the phone number to be used for your second factor. Step-by-step directions are here:

Duo 2FA Enrollment Guide for UA DuoUAenroll