RSA users who do not ePrescribe may start using Duo sooner
By Jesse Drake
In December 2016, the university started to require that employees use two-factor authentication (2FA) when accessing certain online applications and IT systems. 2FA provides an extra layer of security by requiring a user to log in with a username/password combo plus a second method of verifying the user's identity (e.g., cell phone or tablet).
Initially, the university launched two different 2FA solutions – Duo Security for campus employees, and RSA SecurID for hospital and health science organization employees, offshore vendors, providers authorized for ePrescribing controlled substances, and clinical server administrators. But on Wednesday, February 28, 2018, Duo will be the single method of 2FA for all university employees, including student employees. 2FA is highly encouraged but optional for university affiliates and students who are not employees. No action is required for campus employees already enrolled with Duo.
A unified platform is easier to maintain and makes good fiscal sense, said Chief Technology Officer Jim Livingston.
"Duo Security has a proven track record at the university," Livingston said. "Not only does this transition take advantage of our existing site license, Duo also satisfies all of our 2FA needs of the campus and hospital."
On 2/28, ePrescribe and CAS Web will be switched to Duo, with the end of February targeted for all system integrations. The exception to this will be the conversion for offshore vendors, whose transition date is to be determined.
RSA users affected by the change have been notified of the timeline below, and a notice was published in Hardwired, the Information Technology Services (ITS) newsletter.
RSA to Duo timeline (links open in Pulse)
- University employees using RSA but who do not use ePrescribe may transition any time before 2/28 by downloading the Duo app and registering with Duo via ese.idm.utah.edu. Once that is done, users may submit a service request to have RSA removed. Employees hired between now and 2/28 should register with Duo.
- Providers who ePrescribe Controlled Substances (EPCS) must register for Duo before 2/28, but should continue to use RSA for CAS Web and ePrescribe until that date, with the exception of using RSA to access Citrix via access.med.utah.edu.
- Clinical IT system administrators will continue to use RSA until their respective system has been migrated.
- Offshore vendors will be the last group to transition to Duo. The migration plan is still to be determined.
A note about hard tokens (physical devices that generate 2FA codes): Because the university is unable to repurpose RSA tokens, and they will no longer be valid for U systems, users may discard them. While Duo offers a hardware token, the mobile app is the preferred authentication method, as it provides greater security and is less vulnerable to loss or misplacement.