Duo Multi-factor Authentication


Overview

The college uses the Duo service for multi-factor authentication (MFA) on many college systems. For users enrolled in Duo, this provides a level of protection for these systems that goes beyond a simple user name and password.

With Duo enabled for a user and a service, you need both:

  • something you know (your user name & password)
  • and something you have (either your smart phone with the Duo Mobile application installed, or a small key chain token)

With this in place on your New Paltz account, even if someone were to have your password, they would not be able to access a Duo protected system. We believe this is one of the most effective protections that can be implemented to safeguard our systems, as well as our student, faculty, staff, and alumni data.

New Paltz ITS is in the process of rolling out the Duo system for certain departments and for certain applications.  We plan to greatly expand the usage of Duo MFA in 2019.

Below is a brief guide on how the application is used.


Using Duo

When a user that is enrolled in the Duo service logs into a Duo protected system, they will see a screen like the following:

Screenshot of Duo Authentication screen

  • The "Send me a Push" button should be used if you use the Duo Mobile app.
  • If you only have the Duo token (and not the smart phone app) then click Enter a Passcode.

 

Duo Mobile App

The Duo Mobile app is New Paltz's recommended option for Duo.  It can be used on your iPhone or Android smart phone.  The app is free, takes only a small amount of space to install, and uses virtually no data (per month it uses a minuscule fraction of the amount of data of loading a single website) so you don't have to worry about your data plan.  

Setting up the Duo Mobile app is quick and easy.  ITS staff will ask for your cell number so we can enroll you.  You'll get two text messages - one with a link to download the application, and one with a link to activate the app (once it is downloaded).  

Once you log in to a Duo protected application with your username & password, click the Send me a Push button on the site you're accessing. You'll get a push alert on your smart phone which you can click on to bring up the Duo approve/deny screen:

Duo Mobile Screenshot

If you were trying to log in to a Duo protected service, you would click Approve.
If you were NOT trying to log in to a Duo protected service, you can click Deny (and then report the attempt by clicking "It was fraudulent").  This will notify ITS staff at New Paltz.

 

Duo Token

The Duo hardware token is a small device with a ring to keep on your key chain. It has a single button which, when pressed, displays a six digit number. After entering your user name & password to access a Duo protected service, click the Enter a Passcode button. Then, press the green button on your Duo token and enter the six digit code from the token into the Duo page on your web browser.

 

Why Duo and MFA?

Why is New Paltz using multi-factor authentication? The reason is that phishing (and other forms of account compromise) has continued to be a significant problem both at New Paltz and at organizations worldwide. Although the vast majority of these phishing messages are being blocked or marked as spam here at New Paltz (and many of our faculty and staff are fantastic about reporting these messages), some do get through. At this point, the training and simulations are not a sufficient defense on their own. We need to protect accounts with more than just a username and password.

This is why we are expanding the usage of the Duo MFA (Multi-factor Authentication) system, which is currently in place for a number of users with the most sensitive data/system access. We will be expanding both the departments and users included in this program, as well as the systems which are protected by it.

New Paltz has chosen Duo specifically as our MFA provider for its affordability, ease of use, and compatibility with the systems that we use here.

 

What is MFA?

Multi-factor Authentication systems are those that require at least two of the following factors (only the first two being used by New Paltz).

  • Something you know (such as usernames and passwords)
  • Something you have (such as an app on a smartphone, or a small key chain token) which is tied to your account
  • Something you are (biometrics such as fingerprints - don't worry - we have no intention of using biometrics at New Paltz)

An account protected by MFA cannot be accessed by one of those factors alone.  Were someone to get my password - but not have my smartphone, they would be unable to access accounts protected with MFA.  Vice-versa, if someone had my phone but not my password, they would also be unable to access accounts protected with MFA.

MFA is increasingly used to protect data on systems such as financial/banking accounts, email, social media, or other systems which are at high risk of compromise by criminals. New Paltz has implemented, and is expanding the usage of, MFA to better protect the sensitive data, systems, and accounts that our faculty and staff are entrusted with.

Details

Article ID: 59857
Created: Wed 8/8/18 12:58 PM
Modified: Mon 12/10/18 10:22 AM