On the security horizon: Wider use of ‘two-factor’ logins for campus services

Services that require a high level of security often use two-factor authentication—a process that requires you to enter your password plus a second piece of information before you can log in.

You probably use two-factor now when you visit your financial or health-care websites. You might also see it more frequently on campus websites and services over the next year or two.

At UC Davis, about 1,000 people who formerly used Safeword as a second factor to access the Banner student information system recently moved to a different product, Duo Security. They joined about 300 other system administrators who started using Duo for other services.  

Here’s why this matters

And here’s why the change might interest non-technologists: The campus has made it possible for Duo to work with CAS, the Central Authentication Service. Most UC Davis websites and services use CAS as part of their logins—so if the managers of those services and sites start using Duo as well, then two-factor authentication could show up on services that currently let you in with only a login ID and Kerberos passphrase.

This change would apply to services used by faculty and staff. At this time, the campus Duo licensing does not include use by students.

There is no guarantee that additional CAS-protected campus services will add two-factor authentication, but the practice is common, helps protect privacy, and improves security for both the individual and UC Davis. The odds are good that many services will at least consider adding it.

Two factors = much harder to break in

Duo verifies your identity by requiring a second “factor” before it lets you log in to an application or website. Typically, Duo generates and delivers a temporary, second password to individual users.

You can have the second password sent to you via a free mobile app (see photo) that you install on your smartphone. The mobile app will enter the second password for you, or you can enter it yourself. You can also use Duo via a “hard token,” which resembles a fob and costs $30. Text and phone delivery options exist, but they incur a cost for the campus, so their use is discouraged.

In exchange for the slightly longer login, you get much better security. To break into your account, an attacker would need your passphrase as well as the physical device you use with Duo. If one factor is compromised, the other will still protect you.

The central campus does not currently require services to adopt two-factor authentication (also known as multi-factor), but it wants to have a good, standard tool available. The campus purchased Duo because the tool can be used in different ways, and because it works well. Many other universities already use it.

How to register

The first campus services to integrate with Duo, nearly a year ago, were the UNIX and Windows Bastion hosts, which technologists use for administrative access to servers they manage. They had been using Safeword. That move to Duo involved about 300 people.

The next service to integrate with Duo was administrative access to Banner. That happened over the summer. Students do not need to use Duo to access services they use.

If you end up using a service that requires Duo, you can register for access via the Computing Accounts website. The campus Knowledge Base has instructions. To enroll or change a hard token, contact the IT Express Service Desk. (You can also use Computing Accounts to update your use of Duo on any mobile device.)

The UC Davis Health System is also launching Duo for some hospital services. Health System users who need assistance with CAS authentication or Shibboleth and Duo should contact IT Express.

Services should notify users

Any campus services that use CAS and add Duo to their logins will need to communicate the change to their customers and provide instructions.

The Duo implementation project is co-sponsored by Student Affairs and Information & Educational Technology. Read more about Duo in the IT Service Catalog, or for more information, contact Duo Implementation Project Manager Joyce Johnstone at jmjohnstone@ucdavis.edu.