Purchase Guidelines - MFA Security Keys and Tokens

Below is information on the differences and use cases for MFA security tokens and security keys, along with formal guidance, if the need exists, on what devices should or should not be purchased.

Virtually all UA employees already own a smartphone and the installation of the Duo Mobile app on a smartphone is the recommended method for handling MFA at UA.  A “push” from the Duo app is the most convenient and fastest way of authenticating.  Although the UA community is strongly encouraged to leverage their smartphone devices as the primary device for their MFA activities, this may not always be possible or practical.  When a smartphone or landline device is not usable, the use of security tokens or security keys (in situations where a higher level of identity assurance is needed) may be appropriate or even required for contract compliance.

Overview and Usage Considerations

Security tokens and security keys can be thought of interchangeably from a general functionality perspective – both provide a factor to use in situations requiring MFA, but they differ rather significantly in how they do so.  

Security tokens are small “key fob”-size devices that have an LCD screen and display a rotating number when a button is pressed called a PIN.  When authenticating using a security token, the user will be prompted to enter the PIN displayed on the token’s screen. Security tokens are considerably less expensive than security keys.

Security keys have no screen and either plug into a computer’s USB port or may function wirelessly using NFC or other protocols. Security keys cost more than tokens, but provide a higher level of identity assurance and can be more convenient to use.  This convenience, along with the fact that they often plug into a port on a computer, requires extra diligence to ensure they are kept in positive control of the owner/assigned user at all times (e.g. when stepping away for a meeting, when leaving for the day, etc.).  Security keys may not be usable in environments where physical access to computers is limited or where USB ports are disabled or otherwise restricted.

Security Tokens

Security tokens are provided by the University where a specific need exists – researchers in environments that are not conducive to high bandwidth or where smartphones or telephones are not permitted (sensitive research facilities, testing centers, etc.).  The tokens cost approximately $11 each and replacements must be paid for by the department or business unit.  They are the property of the UA System and must be returned upon separation of employment or surrendered upon request by the CITO, CISO, MAU CIO, or their designee.  IMPORTANT:  Security tokens not purchased by OIT cannot be integrated into the UA system and will not be usable for MFA purposes.

Security Keys

Like security tokens, there are a number of manufacturers who produce security keys.  Unlike security tokens, keys can be purchased and enrolled directly by a user or department without the intervention of OIT.  Due to their cost, the UA System is not directly purchasing or distributing security keys except in extremely limited circumstances.

When purchasing a security key, the major considerations revolve around what devices it will be used with (USB A, USB C, Apple Lightning, or wireless via NFC), the physical space to plug/unplug the device, and whether you need a high level of identity assurance.  In all cases, you should only purchase a security key that is compatible with UA’s MFA service - Duo Security (details here: https://help.duo.com/s/article/2253?language=en_US).  Note that Duo Security is deprecating support for U2F keys and they should not be purchased unless they are also WebAuthn compatible.  It is strongly recommended that you purchase a device listed as capable of AAL2 or greater according to the National Security Agency’s “Selecting Secure Multi-factor Authentication Solutions” guide, last updated September 22, 2020 as of this writing.

Requirements around information security and data governance are evolving.  Expect in the coming years to be required to provide strict identity assurance around those individuals with access to Controlled Unclassified Information (CUI), including research faculty and staff and those with access to other Federal Government-supplied data – likely including Financial Aid, Business Offices, Admissions, and Registrar staff, among others.

Questions?

If you have questions or concerns about the information above, or general questions about the Multi-Factor Authentication (MFA) rollout at the University of Alaska, please email ua-oit-security@alaska.edu.  For assistance with enrolling in MFA or adding or modifying a device associated with your account, submit an MFA help request or contact the OIT Service Desk.