Two-Factor Authentication (2FA)


About

Starting December 28, 2016, University employees in campus, hospital, and health sciences organizations are required to use two-factor authentication, or 2FA, when logging in to use certain online U applications and IT systems.

Two-factor authentication (2FA) provides an extra layer of security by requiring a user to log in with a username/password combo plus a second method of verifying the user's identity. The second method is something the user has physical access to, like a cell phone or tablet. This ensures that even if a hacker manages to obtain a user's login credentials, the information is useless without access to the user's secondary device.

Offshore vendors, e-prescribers for controlled substances, and those already using RSA are required to use RSA SecurID for 2FA. All other current employees are required to use Duo Security.

“The implementation of two-factor authentication is a significant step to making sure we protect all employees’ sensitive personal and financial information. In today’s world, we cannot be too careful.”

- Chief Human Resource Officer Jeff Herring

“The evolution of the cyber threat landscape has made passwords in and of themselves a rather poor way to protect information. Two-factor authentication is critical to protecting the vast amounts of sensitive information stored by the university, and it is quickly becoming the norm for any operation that takes information security seriously.”

- Chief Information Officer Stephen Hess

“In this era of frequent data breaches, exposure of our personal information on social media and easy access to powerful computing resources, passwords alone are no longer adequate. Two-factor authentication is essential to securing our identities.”

- Interim Chief Information Security Officer Corey Roach


Why

According to the FBI and U.S. Department of Homeland Security, higher education and healthcare institutions are increasingly becoming a target for cyber criminals. Two-factor authentication decreases the chances of a security attack because the hacker cannot access data with your login credentials alone. 2FA is used by multiple large universities and corporations to provide additional assurance that data is only accessed by authorized users. 

The U’s Information Security Office (ISO) is making a number of changes to the University's IT environment that will further strengthen network security. Driven by University of Utah Information Security Policy 4-004, one of these changes, with enforcement on December 28, 2016, is Two-Factor Authentication (2FA) for users accessing the following applications and services:

  • Central Authentication Service (CAS)-authenticated applications, such as Box, CIS, and Canvas
  • Citrix Application Portal (remote use only) 
  • VPN
  • High-risk servers


Scope

The 2FA requirement involves two main considerations: what your U employee role is, and which IT services require 2FA.

Your University Role

The University is currently using two different 2FA solutions: RSA SecurID and Duo Security.

You should enroll with RSA SecurID if:

  • You are an offshore vendor
  • You are a provider authorized for e-prescribing controlled substances
  • You access Clinical servers

See also: RSA SecurID FAQs

You should enroll with Duo if:

  • You are a current employee, and
  • You are not already enrolled with RSA SecurID

See also: Duo 2FA FAQs

Note: If you are already enrolled with either Duo or RSA, you will continue to use that service for 2FA.

Services Requiring 2FA (partial list)

CAS-Web services

Remote Citrix access (read more)

VPN access (read more)

Clinical and main campus server access

  • Contact your local IT director/manager for more information


Get started


RSA SecurID

Required for:

  • Providers using e-prescribe for controlled substances
  • Offshore vendors
  • Clinical server administrators
  • Anyone already enrolled with RSA

See also: RSA SecurID FAQs

Two-factor authentication using RSA will be required in the near future when accessing CAS-authenticated applications, Citrix Application Portal, high-risk servers, and VPN.

All others will enroll with Duo Security 2FA.

ENROLL IN RSA

Duo Security

Required for:

  • All other current employees, including student employees

See also: Duo 2FA FAQs

Two-factor authentication using Duo is required starting December 28, 2016 for CAS-authenticated applications, Citrix Application Portal, high-risk servers, and VPN. All current employees who are not already enrolled with RSA SecurID will enroll with 2FA via Duo Security.

Please do not use more than one 2FA method. If you already have RSA, there is no need to enroll with Duo as well (and vice versa).

ENROLL IN DUO

For more information, visit these articles:


Training

How to register a device with Duo

How to log in to Duo

Visit this page for RSA training and tutorials.


FAQ

This is a general FAQ for 2FA. For more specific questions, visit the Duo FAQ and RSA FAQ pages.

All current employees, including student employees, are required to use 2FA. For students who are not employees, and for University affiliates, 2FA is optional.

Two-factor authentication decreases the chances of a security attack because the hacker cannot access data with your login credentials alone. Higher education and healthcare institutions are increasingly becoming a target for cyber criminals. Traditional passwords alone are insufficient protection. 

2FA is used by multiple large universities and corporations to provide additional assurance that data is only accessed by authorized users. Enforcing 2FA across the organization will strengthen our network security and protect your identity and the systems you access from being compromised.

The University currently uses two different 2FA solutions: RSA SecurID and Duo Security. Both services will be used for the foreseeable future.

You should enroll with RSA SecurID if:

  • You are an offshore vendor
  • You are a provider authorized for e-prescribing controlled substances
  • You are a clinical server administrator

You should enroll with Duo if:

  • You are a current employee, and
  • You are not already enrolled with RSA SecurID

Note: If you are already enrolled with either Duo or RSA, you will continue to use that service for 2FA. 

A clinical server is a physical or virtual computer designed to provide application support for our users. Generally speaking, clinical server access is a connection to a back-end infrastructure by people who support these applications, not by those who use them.

Once you enable 2FA, you will see an extra step after entering your username and password on the login screen. This step prompts you to authenticate on your default device using the default method you set up. You also have the option to authenticate using other devices or methods that you have previously set up. Watch this tutorial on how to log in to Duo. 

No. All applications in scope for 2FA have been configured to support both Duo and RSA, so there is no need to have both tokens. If you are enrolled with Duo, you will use Duo 2FA across all applications. If you are enrolled with RSA, you will use RSA 2FA across all applications. There are a few use cases in which having both Duo and RSA tokens makes sense, such as for IT support personnel.

If you have any questions about which service you qualify for (Duo vs. RSA), reach out to help desk support.

Tokens available for RSA users include a mobile app that works on smartphones and tablets, a desktop token, and a hardware token. You must qualify for RSA in order to obtain a hardware token (contact your help desk to place a request). Read more about RSA tokens.

Duo's mobile app works on smartphones, including Windows mobile devices, and tablets (e.g. iPad and Android tablets). This is the preferred method of authentication. You may also purchase a Duo hardware (physical) token for $23 through the University Campus Store, as inventory permits. The Duo hard token generates a series of unique letters or numbers, which you enter into the passcode field on your device. Read more about Duo tokens. Central U administration will not reimburse employees for any cell phone charges or fund Duo hard tokens. Contact your department head for questions about possible compensation for your area. (Note: YubiKeys are not currently supported by the university.)

Users who would like to make the phone call method or SMS method their secondary Duo token may open a help ticket, and the request will be reviewed. The U’s policy is that the phone call method and SMS method cannot be used as the primary 2FA authentication method. This policy is in place due to the cost incurred by the U each time a phone call or SMS is used to authenticate. To activate the ability to use a phone call or SMS as a secondary method, users must contact the UIT Help Desk at 801-581-4000, option 1, or helpdesk@utah.edu. There is no self-service way for users to add a landline.

Exceptions to this policy: In rare circumstances, an exception may be granted by U administration. Users who feel they must use a phone call or SMS as their primary method may submit an exception request by contacting the UIT Help Desk at 801-581-4000, option 1, or helpdesk@utah.edu. The request must include a justification for the exception.

Exception requests will be reviewed by U administration. The review process may take several days, possibly weeks, depending on the request queue.

Central U administration does not reimburse employees for any cell phone charges associated with 2FA. Contact your department head for questions about possible reimbursement for your area.

Central U administration does not fund Duo hard tokens for individuals. Contact your department head for questions about possible compensation for your area.

All applications that use CAS-Web for authentication require 2FA; this includes over 300 applications. The most common CAS-Web apps include Box, CIS, and Canvas.

No. Once you have logged in with your 2FA token, Box Sync will work as usual.

You will need RSA SecurID if:

  • You are an offshore vendor
  • You are a provider authorized for e-prescribing controlled substances
  • You are a clinical server administrator

If you have enrolled in RSA and do not fit the above criteria, you can unenroll from RSA by visiting this page. Please note that if you have not already enrolled in Duo, you will be required to do so.

You will be required to use 2FA when logging in to Citrix remotely, but 2FA will not affect your access to any of the applications you already have access to through Citrix. 

2FA does not affect current application time-out settings. Instead, the frequency with which you'll be prompted to use 2FA to re-authenticate depends on a number of variables:

  • The system or application you're accessing
  • How you're accessing it (remotely or on-site)
  • Every time you open a new browser
  • Every time you log out and log back in
  • Inactivity timeout of the application or system

  • RSA tokens are funded through central Hospital administration. Therefore, upon termination, employees will return hard tokens to their local IT administrators.
  • Duo hard tokens are not centrally funded. If the token was purchased by the department, upon termination employees will return it to their local IT administrators. If the hard token was purchased with personal funds, the employee may keep it upon termination.

Yes. You will be required to use 2FA whenever accessing the Citrix portal remotely.

When accessing Citrix remotely, you will be prompted for your network password and a 2FA passcode. Depending on which 2FA service you use, you must visit the following Citrix websites for access: access.med.utah.edu (Duo) or secure.med.utah.edu (RSA). Please visit Pulse for more information.

Currently, Citrix is the only system/application that does not require 2FA on-site. All other applications using 2FA will require you to enter your 2FA token code whether you are on- or off-site.

Both main campus and clinical VPN access require 2FA as of 12/28/16. Main campus VPN information is available here. Clinical VPN information is available here.

Yes. With the Duo smartphone or tablet app, open the app and select the key icon on the right of the screen to generate a passcode. This process does not use data and does not incur any charges. The RSA mobile app does not use the internet after the initial install.
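The reason an app or hard token can produce a valid passcode with no network connection is that both the token and the authentication server hold the same shared secret and derive each code from it plus a counter (or the current time), so nothing needs to be exchanged at generation time. The following is an added illustration of that principle, not code from the university, Duo, or RSA; it implements the event-based HOTP algorithm from RFC 4226 with the RFC's published test secret, and assumes a server that tracks the last accepted counter and looks ahead a small window so a few unused presses on the token do not lock the user out. The page does not state which algorithm the Duo or RSA products use internally, so treat the algorithm choice as an assumption.

```python
import hashlib
import hmac
import struct

# Constructed sample secret: the ASCII test key from RFC 4226 Appendix D,
# not a real token secret. Real secrets are provisioned per token at enrollment.
RFC4226_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server-side state for one enrolled token (assumed design, not a vendor API).

    Keeps the highest counter already accepted so that a captured passcode
    cannot be replayed, and searches a bounded look-ahead window so that a
    token whose button was pressed a few times without logging in still works.
    """

    def __init__(self, secret: bytes, look_ahead: int = 10) -> None:
        self.secret = secret
        self.look_ahead = look_ahead
        self.last_counter = -1                    # nothing accepted yet

    def verify(self, submitted: str) -> bool:
        for candidate in range(self.last_counter + 1,
                               self.last_counter + 1 + self.look_ahead):
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, submitted):   # constant-time compare
                self.last_counter = candidate             # advance; older codes now dead
                return True
        return False


def demo() -> dict:
    """Walk through the token/server interaction entirely offline."""
    server = TokenVerifier(RFC4226_TEST_SECRET)
    results = {}
    results["first_press_accepted"] = server.verify(hotp(RFC4226_TEST_SECRET, 0))
    # User pressed the token three more times without logging in (counters 1-3),
    # then submits the fourth code: still inside the look-ahead window.
    results["skipped_presses_accepted"] = server.verify(hotp(RFC4226_TEST_SECRET, 4))
    # Replaying an already-used or earlier code is rejected.
    results["replay_rejected"] = not server.verify(hotp(RFC4226_TEST_SECRET, 4))
    results["old_code_rejected"] = not server.verify(hotp(RFC4226_TEST_SECRET, 2))
    # A code far beyond the window (token badly out of sync) is rejected too.
    results["out_of_window_rejected"] = not server.verify(hotp(RFC4226_TEST_SECRET, 40))
    return results


if __name__ == "__main__":
    for counter in range(3):
        print(counter, hotp(RFC4226_TEST_SECRET, counter))
    print(demo())
```

The verifier deliberately refuses anything at or below the last accepted counter; that is what makes a passcode that was phished or shoulder-surfed worthless once the legitimate user has logged in past it. Time-based codes (RFC 6238) follow the same construction with the counter replaced by the number of 30-second intervals since the Unix epoch.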

Support



Campus Help Desk

801-581-4000, option 1

helpdesk@utah.edu

Knowledge Base


Hospital Help Desk

801-587-6000

helpdesk@hsc.utah.edu

Knowledge Base


Last Updated: 6/7/17