Note: Some of the information in this article is outdated. For current 2FA information please visit it.utah.edu/2fa.
By Jesse Drake
The University is taking new steps to further secure the accounts and data of its employees by broadening the pilot phase of two-factor authentication (2FA) using Duo.
Joining original participants University Information Technology (UIT), Campus Human Resources and Utah Education Network (UEN) will be additional organizations reporting to Senior Chief Administrator and Chief Financial Officer John Nixon: Administrative Services, Facilities Management, Financial & Business Services, and Public Safety.
This is an interim measure; ultimately, all U employees will be transitioned to 2FA.
Two-factor authentication means that a second piece of information is required before a user can access an account. The first factor is something the user knows, like a username and password; the second is something that he or she has physical access to, like an application on a cell phone.
Duo offers four methods of authentication:
- A unique six-digit code is generated through a phone app (network connectivity is not required).
- The Duo server “pushes” a confirmation to a phone app. The user must then tap “approve” or “deny.”
- The Duo server texts a code to a user’s device via SMS.
- The Duo server calls a phone number (cellphone or landline). The user enters 1 to approve or 2 to deny.
Duo 2FA services are also available for applications or services that are not behind the University’s Central Authentication Service (CAS).
“Currently, [UIT’s Center for High Performance Computing] uses Duo two-factor identification for several of their applications and servers, and we’re trying to get the word out to other departments,” said Rachael Sheedy, senior business analyst for UIT’s Identity and Access Management group within the Information Security Office (ISO). If your organization would like to add 2FA to a server or app, Sheedy asks you to contact her at (801) 587-2592 or Rachael.Sheedy@utah.edu.
Kiston Finney, ISO security specialist, recommends using 2FA whenever possible.
“If any of your online service providers offer multifactor authentication, we encourage you to turn on that feature immediately,” Finney said.
Wayne Bradford, CHPC senior systems administrator and security expert, agrees.
“As we know, no company or organization is immune to security breaches; it’s a matter of when, not if, so anything you can do to try to protect yourself, you should take advantage of,” Bradford said during a presentation at an IT Professionals Forum meeting on February 2, 2016.
According to Duo’s website, the Verizon 2015 Data Breach Investigations Report listed two-factor authentication as one of the top strategies for mitigating cyber attacks. In more than 95 percent of cases, those attacks involved harvesting credentials from customer devices and then using them to log into web applications.
“Of course, Duo security is not a panacea or a cure-all – no silver bullet here – it’s just an added layer to your different levels of security,” Bradford said.
Learn more about Duo and its products.