Note: Some of the information in this article is outdated. For current 2FA information please visit it.utah.edu/2fa.
By Jesse Drake
University students, staff and faculty can now opt in to use Duo two-factor authentication (2FA). This extra layer of security adds a second verification step when users sign in to applications or websites that run behind the University’s Central Authentication Service (CAS), including Campus Information Services (CIS), Box and Canvas.
Prior to this change, the Identity and Access Management (IAM) team, a division within the Information Security Office (ISO), had to enable the 2FA service manually for each user. A successful pilot phase began last September to test and refine the service before launching it University-wide, part of a broader effort to enhance information security at the U.
“We either had to work with departments directly to get their users enrolled, or we had to rely on interested folks reaching out to us directly,” said Rachael Sheedy, IAM senior business analyst. “So we are pretty excited to provide the option for people to self-elect to participate in 2FA.”
Two-factor authentication means proving your identity with two separate methods, only one of which is your password. The second factor is something you physically possess, such as a cell phone or tablet. Even if an attacker obtains your login credentials, they are useless without access to that secondary device.
“Passwords are really difficult to manage, especially when you consider all of the systems we need regular access to. Requiring them to be unique and complex makes them even harder to manage,” Sheedy said. “Two-factor authentication is critical protection against a brute force attack, which is an automated software method of hacking passwords or PINs.”
“Passwords alone have proven time and again to be vulnerable and insufficient.”
With self-service enabled, users can enroll a new mobile phone, tablet, or landline. They can also rename an existing phone or tablet, activate Duo Mobile, set a phone or tablet as the default device for Duo Push and phone calls, or remove an existing device.
To enroll and manage a device, sign in to the Duo self-service app with your uNID and CIS password.
A new user first logging in will see this pop-up screen:
Users already enrolled in 2FA for CIS will not see the pop-up screen.
The sooner you enroll your device(s), the better. The University will eventually require all employees to use 2FA.
Accessibility features for users with disabilities
Duo recently announced that its authentication and self-enrollment features are compatible with screen readers, such as NVDA and VoiceOver, on PCs and Macs. Additionally, Duo’s mobile app is accessible to voiceover functionality on Apple and Android devices. Duo has also made authentication and self-enrollment features accessible by keyboard for people with limited motor skills.
“For security to be effective, it must address the needs of every user,” Dug Song, CEO of Duo Security, said in a press release. “Accessibility has impact, and we're committed to making secure access easy for all.”
“It’s very exciting to see our University partners take the necessary steps to ensure the accessibility of their products,” added Barb Iannucci, content and usability manager in UIT’s University Support Services (USS) group. “Hopefully these steps are just the beginning of further enhancements that will continue to strengthen resources for all members of our University community.”
To learn more about Duo, please visit the vendor’s website, the University’s Duo Management Portal or one of the Duo-related articles in UIT’s Knowledge Base. Sheedy said that more supplementary material is in the works, including a how-to video led by U Chief Information Security Officer Dan Bowden and self-help training videos.
RSA SecurID, the two-factor platform already in use by U Hospitals and Clinics employees, also features a self-service console that allows users to log in and request an RSA token (phone, desktop app, or key fob). Once enrolled, users are encouraged to access Citrix remotely by using secure.med.utah.edu, where they will be challenged with 2FA, rather than auth.med.utah.edu.