Multifactor Authentication at Duke

By | October 20, 2020

Do you know what options you have with Multifactor Authentication (MFA)? National Cyber Security Month is a good time to review the various ways you can use MFA. Your online security is one of our top priorities. As a member of the DUSON community, your data is protected with MFA, and you have different ways to use it, depending on where you are.

Here’s what you need to know …


But first, here’s our Tech Tip of the Week –

Win an Apple Watch from the Duke Security Office!

You have a chance to win prizes from the Duke Security Office! Visit the OIT Security Office and watch the phishing video. It’s ten minutes well spent and, best of all, you can register to win an Apple Watch at the end.


Just the Basics –

Multifactor Authentication (MFA), also known as two-factor authentication, relies on two factors of evidence to let you into various computer systems: you need to know something (your password) and have something (a device or passcode). This greatly reduces the likelihood of a successful cyber-attack and keeps Duke School of Nursing data safe. To learn more about MFA at Duke and how to use the system, take a look at the MFA User Guide.

Three types of MFA Factors

Most MFA factors are based on one of three types (Duke uses the first two):

  • Things you know (a password or PIN);
  • Things you have (a badge or smartphone);
  • Things you are (fingerprint, iris or voice recognition).

Large data-sensitive systems also use Adaptive Authentication as another factor, based on signals such as location, time of day and device type. You’ve probably noticed these with your bank and social media logins.


What’s at Duke?

Duke University and Health System uses Duo to provide multifactor authentication services. When you log in to a Duke site requiring MFA, the image to the left is displayed.

NOTE: If you ever log in to a Duke system and do not see this familiar login, please check to make sure you are on the right webpage.

Duo provides these options for using MFA. You can use one of the following:

  • Duo Push: If the Duo Mobile app is installed on your smartphone, you will receive a notification that you can either approve or deny (the most common way to use Duo);
  • Phone Call: You can receive a phone call from Duo with instructions on approving or denying the attempt (this is useful in your office or at your home desk);
  • Passcodes via Text: You can receive a batch of one-time-use passcodes via text message. The codes do not expire and are valid until used;
  • Passcodes via Duo Mobile App: Use the Duo Mobile app to receive a single passcode. Just tap the key next to “Duke University” in the mobile app. This code must be used immediately;
  • Temporary passcodes: You can obtain a batch of temporary passcodes by logging in to the multifactor home page and verifying yourself using Duke’s challenge-response. These passcodes can be used only once and expire in 72 hours;
  • Generate a passcode with YubiKey: A YubiKey is a hardware token you can use to perform MFA. See our IT Service Desk for more information regarding YubiKeys.

One of these six factors can be used to complete Duke’s MFA and access Duke services.


Having Problems with MFA?

The most frequent request related to MFA is that a user does not have access to their smartphone.  Here’s what to do if you don’t have your device with you:

  • Log in to the Multifactor home page;
  • Use your password, then verify yourself using challenge-response;
  • Receive your passcodes;
  • (You can also receive passcodes by pressing “Forgot Device” on the login screen).

Each passcode can be used once and all will expire in 72 hours.

Note: Use this option if you are traveling and do not have access to your phone, or if your phone does not have service.


Extra Credit

Use MFA on all websites for which you have the option.

Most web pages that require logging in, even your social media accounts, have developed multifactor options similar to Duke’s. Enabling multifactor authentication on these sites is quick and provides additional protection for your data.

To enhance your online safety, combine MFA with LastPass on all websites you visit. This will protect your devices, your data and Duke’s data.
