PROTECTING U WITH TWO-FACTOR ID

Note: The 2FA enrollment deadline has been extended to Dec. 28, 2016.

By Jesse Drake, communications specialist for UIT Strategic Communication

Higher education and health care institutions have long been a stomping ground for malicious hackers. The University of Utah is a frequent target of phishing attempts and cyber threats intent on harvesting credentials.

To improve the U’s security posture and further safeguard digital identities, beginning Nov. 21, 2016, university employees in campus, hospital and health sciences organizations will be required to use two-factor authentication, or 2FA, when logging in to use certain online U applications and IT systems.

“The implementation of two-factor authentication is a significant step to making sure we protect all employees’ sensitive personal and financial information,” said Chief Human Resource Officer Jeff Herring. “In today’s world, we cannot be too careful.”

On Nov. 21, the following online applications and systems will require 2FA:

  • Online apps requiring Central Authentication Service (CAS) for log-in, i.e. Box, CIS and Canvas
  • Campus or clinical systems accessed via virtual private network (VPN)
  • The Citrix Netscaler Gateway
  • High-risk servers in campus and clinical environments

“The evolution of the cyber threat landscape has made passwords in and of themselves a rather poor way to protect information,” said Chief Information Officer Stephen Hess. “Two-factor authentication is critical to protecting the vast amounts of sensitive information stored by the university, and it is quickly becoming the norm for any operation that takes information security seriously.”

Why 2FA?
Your password needs a partner. The university currently requires only single-factor authentication (username and password). Strong passwords are essential, but they aren’t enough.

“In this era of frequent data breaches, exposure of our personal information on social media and easy access to powerful computing resources, passwords alone are no longer adequate,” said Corey Roach, interim chief information security officer. “Two-factor authentication is essential to securing our identities.”

With 2FA, access to your account requires two forms of identification: something you know, such as your password, and something you have, like a cell phone or tablet.

2fa-graphic

With the mobile app, after the user enters a uNID and password, a confirmation is “pushed” to a smartphone or tablet. The user simply approves or denies the prompt.

Used by many major universities and corporations, 2FA makes it more difficult for an unauthorized person to access your information or impersonate you. This layered defense means that even if a remote attacker obtains your login credentials, the information is useless without access to your secondary device.

Which 2FA service do I use?

All current university employees, including student employees, not already using 2FA will be required to use Duo Security. Offshore vendors, e-prescribers and any employee already using RSA SecurID will continue to use RSA for 2FA.

How do I enroll?

To ensure a seamless transition and avoid disruptions logging into online systems and services, university employees must enroll in Duo or enroll in RSA prior to Nov. 21, 2016.

Once enrolled, you will be helping to protect university systems and restricted information.

For more information, including training, tutorials and FAQs specific to Duo and RSA, visit it.utah.edu/2fa.

Questions? Call the UIT Help Desk at 801-581-4000, option 1.