Multifactor Authentication via Shibboleth IdP
University of Alaska OIT provides a system-wide multifactor authentication capability for Shibboleth-brokered services. Additional information regarding the benefits and uses of multifactor authentication can be found at Multifactor Benefits and Uses.
Shibboleth IdP Two-Factor Authentication
Two-factor authentication requires users to provide a "second factor" in addition to the correct password to authenticate and gain access to resources. If your password is "something you know", the second factor can be described as "something you have", such as your working telephone or smartphone. The Shibboleth UA Identity Provider has been extended to allow use of two-factor authentication using Duo Security. When two-factor authentication is invoked (as described below), you will first provide your identifier and UA Password just as you usually do for most applications.
You can opt in to two-factor authentication for Shibboleth-brokered services by sending email to helpdesk@alaska.edu or ua-iam-dept@alaska.edu.
What Is the User Experience for UA Shibboleth 2 Factor Authentication?
Once your identity is flagged for 2 factor authentication, your first access of one of the relying services triggers a login screen requesting your UA Username and UA Password (Figure 1A). If this is your first login via 2-factor authentication, a one-time registration process records your phone number and preferred means of providing the second factor.
Your UA Username and UA Password are verified against UA’s directory service; they are never exposed to the relying service itself. Once they are verified, you will be prompted to provide a second factor (Figure 1B). Assuming you use the recommended option “Send Me a Push”, you will need to accept the request pushed to the Duo app on your smartphone (Figure 1C).
When you access other relying services during the day from the same browser on the same computer, you will not be prompted to authenticate again. If you access any of the relying services from a different browser (a different web browser on the same computer, or a different computer), you will need to re-authenticate because the new browser has no record that you have already authenticated.
Can More than One Device be Configured for Authentication?
A single user may have multiple registered second factors; for example, you might have a smartphone that uses the Duo Security app and a landline on which you can receive a voice call providing a one-time code.