- What is multi-factor authentication (MFA)?
MFA adds another layer of security to your UCA user account by utilizing a secondary device (your smartphone, SMS-capable phone, or hardware token) to prevent anyone but you from logging in to your account, combining something you know (your password) with something you have (your smartphone, SMS-capable phone, or token). Our partner for this project is Duo (duo.com), a leader in multi-factor security.
You may be familiar with MFA from your iCloud, Instagram, Snapchat or online banking accounts, all of which use MFA as part of their security. For example, when you log in to a UCA application, you enter your credentials and are then required to complete a secondary authentication. On a smartphone, this is handled with a push notification that you accept on your secondary device. For both simple phones and the token process, Duo generates a code that you enter.
- Why do I need MFA?
Defending against cyber security threats has become a major part of the overall security plans for universities across the country. It is becoming increasingly easy for your password to be compromised through phishing attacks, illegitimate emails, or malicious software on your computer. Rather than just asking for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyberattack.
- Was there a particular situation that prompted the use of MFA on campus? Is this a precaution or has there been an occurrence of “hacking” on campus?
According to the 2021 Data Breach Investigations Report, a security industry summary, phishing (password theft via email) was present in 36% of breaches, up from 25% the previous year. Due to this trend, we are working to reduce our risk exposure from credential theft and phishing. The rollout of MFA is not in response to any known attempt of unauthorized access to the university’s data.
- Is Duo MFA required?
Yes, for specific services. Examples of such services include:
  - Banner Self-Service
  - Medicat
  - eAccounts
  - My Housing (StarRez)
  - Google services (Google Workspace)
- Is this something that would apply to Faculty and Staff or just Students?
MFA applies to Faculty, Staff, and Students at UCA.
- How does MFA work?
Smartphone and SMS-Capable Phones
When accessing some University-related applications, you will be asked to perform a second authentication step by simply responding to a notification on your device (smartphones) or entering a passcode that is sent via text to your SMS-capable phone.
Hardware Token
If you choose to utilize a separate Hardware Token, you will need to open a Hardware Token Request ticket with the IT Help Desk (Duo Token Request ticket). Once your ticket has been resolved, you will be notified by the IT Help Desk that your hardware token is ready for pickup at the IT Help Desk. When using a hardware token for secondary authentication, you will enter the code displayed on your token.
- What is required to use Duo MFA?
You need a smartphone with the Duo Mobile App installed, an SMS-capable phone, or a separate hardware token device.
- What is the timeline for students to enroll for Duo MFA?
First-year students will be prompted to enroll in Duo at their first attempt to sign into their UCA account after they are registered for their classes.
- How do I get started?
Smartphone and SMS-capable cell phone
For first-year students, after you have been registered for your classes and at your first attempt to sign into your UCA account, you will be prompted to enroll in Duo. Duo will walk you step-by-step through account creation, app download (if using a smartphone), and activation. Also, Duo has created an Enrollment Guide that provides detailed information on enrollment and activation.
For smartphones, using Duo to approve login requests is simple. Log in as you normally do. When accessing a service that requires MFA, click the button to Send Me a Push, and click approve on your secondary device. Login will continue automatically. To see this process in action, view the Duo Approve Smartphone Notification video.
If you use an SMS-capable phone, when accessing a service that requires MFA, click on the button to “Send text message passcode” to receive a passcode text on your cell phone. Enter the code on the login screen and click Log In.
Hardware Token
If you want to use a separate hardware token, this process requires the user to complete a Duo Token Request ticket. Once the ticket has been submitted, you will receive an email with instructions for picking up the hardware token from IT.
Accessing a UCA service that requires MFA when using a hardware token is a similar but slightly different process. When logging in, you’ll click Enter a Passcode, click the button on your token device to generate a six-digit code, enter the code on the login screen and click Log In. To see this in action, view the Duo Approve Token Device video.
- What is the best/recommended method of MFA?
The recommended method of MFA is using a smartphone, downloading the Duo app, and approving logins with a push notification.
- What should I do if I receive a Duo Push when I didn’t log in?
If you are not in the process of logging into a UCA MFA-enabled service, click Deny to prevent unauthorized use of your account. You may also consider changing your password if you believe it has been compromised. Passwords can be changed at https://password.uca.edu.
- Why don’t I need to use Duo MFA each time I log in when using Google Workspace apps? Can you explain Google Workspace apps “remembering” me for 14 days?
Unless you explicitly log out of Google (click your initial in the upper right corner and then "Sign out of all accounts"), closing your browser does not end your Google session. It will be remembered for up to 14 days. It is only when the full Google session has timed out or been ended that you will be prompted for MFA.
- If I’ve logged in using MFA for email or another MFA service, will I have to use MFA again to log in to additional MFA-enabled services?
Please note that you will not be prompted for each separate MFA-enabled service during a single browser session. After responding to the first MFA prompt of a session, you will be able to access other services without additional prompting for the duration of the session. Exceptions include starting a new browser, ending your current session, a network connectivity problem, or a session that exceeds the MFA timeout.
- I need to request a token because I don’t have/use a smartphone. What do I need to do?
You will still receive an enrollment email. However, instead of using the link provided in that email, request a Duo token by completing the Duo Token Request ticket form. In the process of assigning a token to you, the enrollment will be completed and your account activated when you visit the help desk - with your Bear Card/ID - to pick up the token.
- I recently got a new/replacement smartphone. Do I have to re-enroll and complete account activation again?
You will need to activate the new device. Follow the steps at https://guide.duo.com/add-device for details on activating new devices. If you do not have access to your original device, you will need to contact the Help Desk for assistance.
- I don’t have reliable cell service at home. I use the internet by satellite/cable. Does Duo use an internet connection or cell service to authenticate?
Duo uses the internet, by whatever means your phone is connected to it. If your phone/device does not have an internet connection at the time you are trying to log in, you can generate a one-time passcode from the Duo app that can then be entered on the login page.
- If I’m using a smartphone, can I use a passcode instead of a push notification?
Yes, you can enter the passcode provided in the Duo app rather than using push notifications. When logging in, click the Enter a Passcode button to display a text box and, in the Duo app, click Show to reveal the passcode. Enter that in the text box to continue the login process.
- My phone died, I left my phone at home, or I don’t know where my phone is! How do I authenticate?
Call the IT Help Desk and they can provide you with a one-time passcode that will allow you to authenticate.
- When using email or myUCA on my phone, will I still need to authenticate?
Yes, when you use your phone to log in to services that require MFA, you will still authenticate with the Duo app.