UC Davis will improve campus cybersecurity by pursuing broader use of Duo

Starting this summer, you’ll see greater use of Duo multi-factor authentication at UC Davis. And as use grows, the damage caused by phishing will shrink.

Duo is a security app. It works by asking you for two “factors” when you sign in to an account protected by Duo: your usual password, plus a temporary code created by Duo, typically sent via the Duo app to your smartphone. (There are alternatives if you can’t use a smartphone—more below.)

Duo on smartphoneThe net effect: Even if scammers get your password, they can’t get into your account because they won’t have the second factor. This video shows how Duo works.

If you don’t use Duo yet, there’s a good chance you will, later this year or in 2019. For now, Duo works only with certain campus services, such as Office 365. Later this year it will be able to work with any service that uses the common UC Davis CAS login, greatly expanding Duo’s ability to protect the campus.

The campus has Duo licenses for all faculty, students and staff. Thousands of staff and faculty at UC Davis already use Duo on campus for one reason or another, and the goal is universal use. An effort to expand enrollment starts this summer with units and departments.

Talking to departments; UC Davis Health joined in May

In June, Information and Educational Technology (IET) began contacting campus departments to present the advantages of Duo and to offer help enrolling their faculty and/or staff. Some units in the Division of Social Sciences were the first to sign on, to protect their employees’ Office 365 accounts.

Enrollments for other units are in the works, and IET will continue to talk with departments this summer and fall.

Almost 18,000 faculty and staff at UC Davis are already enrolled in Duo, including all of UC Davis Health (since May), all of IET (since February), and hundreds of technologists and system administrators throughout the Davis campus. UCLA requires all of its faculty, staff and students to use Duo with their main campus accounts. UC Berkeley is close behind.

Among other improvements, wide use of Duo should sharply reduce the number of compromised accounts at UC Davis caused by phishing. Immediately after UC Davis Health adopted Duo in May, its number of compromised accounts plunged.

Duo doesn’t solve the problem of compromised accounts, because no one solution is adequate. But Duo is clearly helping.

For now, Office 365. Coming up, myucdavis and DavisMail

The Davis campus has been using Duo to protect certain applications, such as the Banner student information system (for administrative access) and Office 365. This summer, IET programmers will integrate Duo with CAS, the central authentication service for UC Davis, so that all campus services accessed by CAS could be protected by Duo. This includes such major apps as myucdavis, the Time Reporting System, and DavisMail.

Simply enabling Duo to work with CAS doesn’t mean you’ll suddenly need Duo to access services that use CAS. If CAS is enabled before you’re enrolled in Duo, you’ll still be able to access CAS without Duo—until you’re enrolled in Duo.

Enrolling in Duo

Any faculty or staff member can enroll in Duo now. IET is simplifying the process by adding an enrollment video adapted from the one used by UC Davis Health, plus improved instructions.

In the new process, individuals receive an email with a link that jump-starts the enrollment process for them. This would happen after units or departments, working with IET and their local tech support, contact their employees to let them know the Duo enrollment message is coming.

Most people who use Duo have the second factor sent electronically to their smartphones. They then click “accept” on the Duo prompt, and complete their sign-in.

If you don’t have or can’t use a smartphone, the main alternative is a hardware token, which receives the code. Tokens cost about $30 apiece. See the Knowledge Base for more information. The Knowledge Base also has self-enrollment instructions for Duo if you want to enroll before the rest of your unit or department.

Individuals might need to work with their department tech support or the IT Express Service Desk for special situations, such as overseas travel to countries where they wouldn’t normally use a smartphone or laptop.

During the current expansion phase, IET is working with departments’ tech support and IT Express to help people enroll in Duo, and to support their use of it. Read more at movetoduo.ucdavis.edu. If you have questions about the rollout, please contact movetoduo@ucdavis.edu.