- What is multi-factor authentication (MFA)?
MFA adds another layer of security to your UCA user account by utilizing a secondary device (your smartphone or hardware token) to prevent anyone but you from logging in to your account, combining something you know (your password) with something you have (your smartphone or token). Our partner for this project is Duo (duo.com), a leader in multi-factor security.
Many people may be familiar with MFA from your iCloud, Instagram, Snapchat or online banking accounts, as all of these utilize MFA as a part of the security aspect. An example would be logging into a UCA application that requires you to enter your credentials and then being required to enter a secondary authentication. This will be handled with a push notification, that would be accepted on your secondary device or the token process, which generates a code that the end user would have to enter.
- Why do I need MFA?
Defending against cyber security threats has become a major part of the overall security plans for universities across the country. It is becoming increasingly easier for your password to be compromised either through phishing attacks, illegitimate emails, or malicious software on your computer. Rather than just asking for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyberattack.
Over the last three years, UCA IT initiated three separate planned phishing attempts and, on average, we saw a 15% click through rate. In a real world phishing attack, we would see a significant loss of credentials and potential negative impact to our systems.
- Can you explain the phishing schemes that had a 15% click-through rate? What does this mean exactly?
The information security team at UCA completes a yearly third party security review. As part of that process, we will orchestrate online and in-person phishing attempts. The results from the security review provide real world scenarios, which can result in new security initiatives.
- Was there a particular situation that prompted the use of MFA on campus? Is this a precaution or has there been an occurrence of “hacking” on campus?
According to the 2021 Data Breach Investigations Report, a security industry summary, phishing (password theft via email) was present in 36% of breaches, up from 25% the previous year. Due to this trend, we are working to reduce our risk exposure from credential theft and phishing. The rollout of MFA is not in response to any known attempt of unauthorized access to the universities data.
- Is Duo MFA required?
Yes, for specific services. Examples of such services include:
- Banner Admin
- Banner Self-Service
- Google Workspace
- Argos
- AppWorks
- Global Protect VPN
- Maxient
- Is this something that would apply to students or just faculty and staff?
MFA applies to Faculty, Staff, and Students at UCA.
- How does MFA work?
Smartphone
When accessing some University-related applications, you will be asked to perform a second authentication step by simply responding to a notification on your device (smartphones).
Hardware Token
If you choose to utilize a separate Hardware Token, you will need to open a Hardware Token Request ticket with the IT Help Desk (Duo Token Request ticket). Once your ticket has been resolved, you will be notified by the IT Help Desk that your hardware token is ready for pickup at the IT Help Desk. When using a hardware token for secondary authentication, you will enter the code displayed on your token.
- What is required to use Duo MFA?
Smartphone with Duo App installed or a hardware token device.
- What is the phased rollout for Duo MFA?
The phased rollout is designed to ensure a smooth transition for the faculty and staff of UCA. By rolling this out first to our Division of Information Technology, we can perform testing and validations of process, access, and work flows without impacting faculty and staff.
|
Phase 1
|
Feb 2022
|
The IT Department will be the initial rollout phase and will allow for extensive testing and other activities to ensure that the rollout to the rest of FS goes smoothly.
|
|
Phase 2
|
Mar/Apr 2022
|
UCA Staff will be enrolled.
|
|
Phase 3
|
Fall 2022
|
UCA Faculty will be enrolled. There may also be the opportunity to opt-in to MFA during Phase 2. (More to come on this as we get closer to Phase 2.)
|
- How do I get started?
Smartphone
At your first attempt to sign into your UCA account, you will be prompted to enroll in DUO. Duo will walk you step-by-step through account creation, app download (if using a smartphone), and activation. Also, Duo has created an Enrollment Guide that provides detailed information on enrollment and activation.
For smartphones, using Duo to approve login requests is simple. Login as you normally do. When accessing a service that requires MFA, click the button to Send Me a Push, and click approve on your secondary device. Login will continue automatically. To see this process in action, view the Duo Approve Smartphone Notification video.
Hardware Token
If you want to use a separate hardware token, this process requires the user to complete a Duo Token Request ticket. Once the ticket has been submitted, you will receive an email with instructions for picking up the hardware token from IT.
Accessing a service that requires MFA when using a hardware token is a similar, but slightly different process. When logging in, you’ll click Enter a Passcode, click the button on your token device to generate a six-digit code, enter the code on the login screen and click Log In. To see this in action, view the Duo Approve Token Device video.
- What is the best/recommended method of MFA?
The recommended method of MFA is using a smartphone, downloading the Duo app, and approving logins with a push notification. However, for those individuals that do not use a smartphone, a Duo Token may be requested using the Duo Token Request ticket link.
- What should I do if I receive a Duo Push when I didn’t log in?
If you are not in the process of logging into a UCA MFA-enabled service, click Deny to prevent an unauthorized use of your account. You may also consider changing your password if you believe it has been compromised. Passwords can be changed at https://password.uca.edu.
- Why don’t I need to use Duo MFA each time I login when using Google Workspace apps? Can you explain Google Workspace apps “remembering” me for 14 days?
Unless you explicitly log out of Google (click your initial in the upper right corner and then "Sign out of all accounts"), closing your browser does not end your Google session. It will be remembered for up to 14 days. It is only when the full Google session has timed out or been ended that you will be prompted for MFA.
- If I’ve logged in using MFA for email or another MFA service, will I have to use MFA again to login to additional MFA-enabled services?
Please note that you will not be prompted for each separate MFA-enabled service during a single browser session. After responding to the first MFA prompt of a session, you will be able to access other services without additional prompting for the duration of the session. Some exceptions would be if you start a new browser, end your current session, there is a network connectivity problem, or your session exceeds the MFA timeout (to be determined).
- I need to request a token because I don’t have/use a smartphone. What do I need to do?
Request a Duo token by completing the Duo Token Request ticket form. In the process of assigning a token to you, the enrollment will be completed and your account activated when you visit the help desk - with your Bear Card/ID - to pick up the token.
- I recently got a new/replacement smartphone. Do I have to re-enroll and complete account activation again?
You will need to reinstall and reactivate Duo Mobile on the new phone. Contact the IT Help Desk for assistance at 501.450.3107.
- I don’t have reliable cell service at home. I use the internet by satellite/cable. Does Duo use an internet connection or cell service to authenticate?
Duo uses the internet - however your phone is connected to the internet. If your phone/device does not have an internet connection at the time you are trying to log in, you can generate a one time passcode from the Duo app that can then be entered on the login page.
- If I’m using a smartphone, can I use a passcode instead of a push notification?
Yes, you can enter the passcode provided in the Duo app rather than using push notifications. When logging in, click the Enter a Passcode button to display a text box and, in the Duo app, click Show to reveal the passcode. Enter that in the text box to continue the log on process.
- If I previously had to get the Duo app when I worked remotely, do I need to set it up again?
In this case, you will just add another account to your Duo app. When you are prompted to enroll in Duo, follow the steps to display a QR code. Then, in the Duo app, click the Add button and select Use QR code.
- My phone died/I left my phone at home/I’m working from home, but my phone is at the office/I don’t know where my phone is! How do I authenticate?
Call the IT Help Desk and they can provide you with a one-time passcode that will allow you to authenticate.
- When using email or myUCA on my phone, will I still need to authenticate?
Yes, when logging into services using your phone that require MFA authentication, you will still authenticate with the Duo app.
- Will employees that are also enrolled as students require multiple Duo codes and/or logins?
No. Employees enrolled as students still use their @uca.edu account when logging into MFA required services.
- What about departmental emails? How would those work?
Departmental email accounts will not be subject to MFA.