Important Miami University security update: Mandatory two-factor authentication

Here at Miami University, and especially in IT Services, we take data privacy seriously. A lot of personal information is required to make the University go ‘round, and it’s our responsibility to ensure that that information is protected from prying eyes and ears.

Educause director of cybersecurity and IT governance, risk, and compliance Joanna Grama told EdTech Magazine in early 2018 that the key to a stronger security strategy is making sure that the stakeholders across campus remain informed.

“Institutions that are doing really well in the information security sphere understand that everybody at the institution has a role and that everybody needs to be empowered to do that role properly,” she said.

In 2014, as part of an effort to create a more secure campus computing environment, we rolled out two-factor authentication on select services at Miami: W-2 forms, changes to direct deposit information, and submitting midterm and final grades in Banner are all currently protected by two-factor.

Now, we're moving to a global approach with two-factor: We're launching mandatory two-factor authentication for everyone at the University. With the new tool, called Duo, we’re adding that extra layer of security to the entire school—which means you’ll need to enroll if you want to continue using University resources (even if you are already enrolled in our current solution—Duo is a completely new service).

Quick refresh: What is two-factor authentication?

Now that we are moving from limited to global requirements for two-factor authentication use, you’ll need to know what it is. So here’s a refresher.

In higher education, the most common security incidents are caused by malware, phishing attempts, and distributed denial of service (DDoS) attacks. Cybersecurity is something we are intimately familiar with, but sometimes that’s not enough to stop the bad guys. Technology solutions provider CDW, in a survey of 250 higher-education IT professionals and 300 students, found that 76 percent of students admit to neglecting best security practices while connected to their universities’ networks.

And as the data is combed further, other startling statistics emerge. For instance, 13 percent of students open messages from unknown senders (always a big no-no) and 21 percent visit websites of questionable integrity.

Two-factor authentication provides us an answer to these common security issues.

Think about logging in to your email account. You have a username and a password. Two-factor authentication adds a second layer of security onto that login process; in addition to a static password, a randomly generated code is also required (the second ‘factor’). So the two factors required for login are:

  • Something you know (your password or PIN)
  • Something you have (number-generating smartphone app, SMS message, or key fob)

Two-factor authentication makes it difficult for would-be attackers to gain access to unsuspecting users’ accounts via phishing or social engineering because, in effect, a stolen password alone isn’t enough: they can’t supply the second factor.

Here’s where Duo comes in

Duo is the two-factor solution that we’re rolling out to the entire Miami population. Faculty, staff, and students will all be required to enroll in Duo.

“We see around 1,000 compromised Miami accounts every year,” said Joe Bazeley, assistant vice president of security, compliance, and risk management. “These compromised accounts are then used to send out additional messages targeting members of the Miami community, attempting to harvest passwords or trick them out of money. Duo will eliminate this problem for faculty, staff, and students.”

We’re offering a few different ways for you to authenticate your accounts via Duo:

  • Smartphone/tablet application: Duo Mobile (supports both push notifications and Duo Mobile Passcodes)
  • Landline phone call
  • SMS (Text Messages)
  • YubiKey (hardware token) purchased from the Campus Store

When you enroll, you’ll be able to choose which one you use as your default method for authentication. And, depending on what browser you’re using, whether you log in from the same device every time, your individual browser settings, and the website you’re accessing, you may not have to authenticate each time you log in. There is a “Remember Me” option that, when checked, allows you to access services for up to 14 days in the same browser session before needing to reauthenticate. (Note: When accessing the VPN, you will need to authenticate every time.)

How do I enroll?

Beginning September 4, you will be able to enroll in Duo (don’t worry, we’ll be sending out reminders before then). In fact, you should enroll before the cutover date of December 19.

It’s easy to get set up with Duo. We highly recommend downloading the Duo Mobile smartphone app, as it’s free and simple to use.

“One of the challenges in security is balancing security against usability,” Bazeley said. “The current two-factor authentication solution is not particularly user friendly. The Duo solution is much more user friendly and has already been deployed at hundreds of schools.”

Using the app is quicker than a text or phone call. Authenticating with a text message means you have to wait to receive the text, read the passcode, and type it in. And phone calls require you to actually answer the phone, listen to a recording, and approve the login using your dial pad. Duo Push, on the other hand, is just one button. (It’s also more secure than SMS and phone calls - and the whole idea behind Duo is about better security, anyway!)

Bazeley had one more word of advice:

“Two-factor authentication is a great way to protect yourself from losing control of your password,” he said. “I strongly encourage you to enable two-factor on any external services that are important to you - such as your Google, Facebook, or bank accounts.”

For more information, please see our Duo FAQ page. You can also check out Duo Security’s own knowledge base guides.

Key Takeaway

The big thing you need to remember here: On December 19, we will begin to enforce Duo on Miami University systems. That means email, myMiami, Banner, lab computers, and classroom resources.

You will be able to enroll as early as September 4, 2018, and we highly recommend you do so before the enrollment deadline.

For more information, visit the Duo FAQ.