Two Factor Authentication

What is two-factor authentication?

All of us have used a username and password to access systems and services in our professional and personal lives. Passwords protect our email, personal data, finances, and the information we have access to as employees of the University. What happens if someone else finds out what our passwords are? In that case, the information or systems protect by that password are at risk.
Two-factor authentication is a way to reduce that risk. Put simply, two-factor authentication means you need something else in addition to a password to log into an account or system. The “something else” is usually something you have or something about you that can be used to make sure it’s really you logging in, not an attacker who has somehow stolen your password.

Why is this important?

There are many ways to steal passwords, but one of the most common is ‘phishing’ email messages. Phishing messages are designed to get people to give up their usernames and passwords to an attacker. Some are better designed than others, but statistically some small percentage of people will fall for the message. Attackers use phishing because it works. These attackers are not stealing your passwords so they can help you do your work or because they have your best interests in mind. Rather, at DSU, phished accounts have been used to send thousands more fake messages, attempt to access sensitive information, and in one case, even used to steal an employee’s paycheck.

Two-factor authentication helps mitigate this problem. When two-factor authentication is in place, the password by itself is not enough to access an account. Google, Facebook, Amazon, and nearly all banking institutions, among others, offer two-factor authentication systems of some kind to protect their user’s accounts and personal information. The Utah System of Higher Education has mandated that USHE institutions implement two-factor authentication on important systems such as Banner.

How does it work?

At DSU, we are rolling out the Duo Security two-factor authentication system. Duo works by adding a little extra to the process of logging in. Duo works using a smartphone app, or for those who don’t have a smartphone, using a hardware token.

When you log into a Duo-protected system, you enter your DixieID and password just like normal:

After you click ‘Sign In’, you’ll be prompted to send a push or enter a passcode. The smartphone app can provide either option, hardware tokens provide only passcodes.

The smartphone app will present a screen like this one. To complete the log in, tap ‘Approve’.

Duo provides that extra layer of security; if an attacker has your password, but does not have your smartphone or token, they will be unable to log into any DSU services protected by two-factor authentication.

How to get started with two-factor authentication at DSU

Duo Security works as an app on a smartphone or with a hardware token.

The smartphone app is the simplest option. It works on IOS and Android and is free. You can self-enroll at any time at https://duo.dixie.edu. The app works over Wi-Fi or carrier data and uses a minimal amount of data, around 1 MegaByte per month for average use. To contrast, a single visit to Facebook or Instagram on a smartphone will typically use more data than the Duo Security app will in a month. The app is unobtrusive and will only notify when a log in attempt is made.

The hardware token for those who do not have a smartphone, have an exceptionally old, uncommon (i.e. WindowsPhone), and/or out-of-date smartphone, or other cases where the smartphone app is not an option. IT services maintains stock that is available for purchase by departments for $25 per token. Tokens are assigned to a single user and cannot be shared. Tokens require assistance from the Helpdesk to enroll a user account. Tokens use a small battery and have an expected lifetime of around two years.