Multi-Factor Authentication Overview
Compromised credentials are commonplace in the Information Technology industry and often lead to data breaches. Breaches over the past few years resulting from compromised credentials have affected companies like Target, government agencies like the Federal Office of Personnel Management, and higher education institutions like the University of Maryland, where the cleanup effort cost over $6.2M in credit monitoring alone.
UW System Administration accounts are being compromised at an ever-increasing rate. This institution must find a way to lower the incidence of credential compromise. One way, multi-factor authentication (MFA), significantly increases credential security across IT systems.
UW System Administration has elected to leverage the UW Madison Duo Security contract and technology as a means to provide multi-factor authentication to reduce security vulnerabilities across all critical UW System applications and data stores. A Request for Proposal (RFP) project was concluded in Q4 of FY17, with Duo Security being selected.
A phased approach will improve customer adoption of new two-factor authentication processes and lessen the risks that new technologies can introduce to critical UW System operations across the organization. This project will leverage a phased approach to ensure all key constituent customer groups move to the multi-factor authentication Duo platform by the end of Fiscal Year 2019.
To better protect the intellectual property and personal information of faculty and staff and to enhance the security of our digital assets, UWSA and UW-Shared Services (UWSS) Office 365 (email, calendar, OneDrive, etc.) environments will require use of a second factor of authentication. In addition to using your username and password, you will need to use multi-factor authentication (MFA) to access UWSA/UWSS Office 365 services.
The tool selected to perform the multi-factor authentication is DUO. DUO is a Cisco product that connects your account (something you know) to a physical asset (something you have). The physical asset can take a variety of forms. For the UWSA and UWSS deployment you will be able to choose from the following options:
- A DUO application installed on your personal smartphone
- A hardware token from DUO, issued by UW-Shared Services IT
Increasingly sophisticated phishing attacks are resulting in staff inadvertently giving their UWSS or UWSA username and password to attackers. Attackers then use the stolen credentials to profit, for example by diverting payroll direct deposits. Use of multi-factor authentication will disrupt these attacks because the attacker will not have what they need to access the compromised email account.
The MFA Project will begin with a pilot as a first step in the larger MFA deployment. By being an early adopter of MFA, the pilot group will help the project team better understand the benefits, challenges, and requirements of deploying MFA for all UWSA/UWSS Office 365 users. Therefore, feedback is critical to the pilot and the project.
All UWSS and UWSA employees with an email account are required to enroll.
The following UWSA/UWSS units participated in the pilot:
- Office of the Vice President of Administration
- Office of Information Security
- UW System Chief Information Officer
- UWSS IT