UVM's Information Security Operations Team answers "Why?"

Passphrases and multifactor authentication

IT Colleagues,

If you find yourself challenged to help those whose IT needs you support understand the importance of strong passwords, how to choose one, or why to use unique passwords, this month’s OUCH! newsletter may be useful.  You can download it from securingthehuman.org [1].

The newsletter also covers two-step verification, or multi-factor authentication (MFA) [2].  While a password is a single factor (a secret you know), MFA adds a factor that someone who has stolen your password won't have: something you possess (a token or a trusted device), something you are (a physical characteristic), or somewhere you are (a location).  Most people have experienced MFA with ATMs or online banking, and for good reason: it is far too easy to steal passwords, either through social engineering or device compromise (e.g., keyloggers).   A strong password is no defense against those threats; a second factor that the attacker does not hold is.
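To make the "something you possess" factor concrete, here is an added example (not UVM's code, and not the newsletter's) of the time-based one-time password check (TOTP, RFC 6238) behind the codes that authenticator apps and some hardware tokens generate. The login check requires both the password hash to match and a code derived from a secret that lives only on the user's device, so a stolen password alone is rejected; it also refuses a code that has already been accepted, closing the brief replay window an intercepted code would otherwise give. The in-memory user store, the user names and the use of the RFC 4226/6238 reference secret are constructed for the demonstration.

```python
"""Added example (not UVM's code): a minimal TOTP (RFC 6238) second-factor check.

A stolen password alone cannot satisfy login(): the caller must also present
a code derived from a secret held on the user's device.  The user store,
user names and secrets below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import struct

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"), used
# here only so the produced codes can be checked against the RFC test vectors.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: float,
                step: int = 30, digits: int = 6, window: int = 1):
    """Return the matching counter if `candidate` is valid for the current
    step or one step either side (to tolerate clock drift), else None.
    The comparison is constant-time."""
    if not (candidate.isascii() and candidate.isdigit()):
        return None
    base = int(at_time) // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + drift, digits), candidate):
            return base + drift
    return None


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS: dict = {}  # constructed in-memory store: username -> record


def register(username: str, password: str, otp_secret: bytes) -> None:
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "otp_secret": otp_secret,   # provisioned to the user's device out of band
        "last_counter": -1,         # highest OTP step already consumed
    }


def login(username: str, password: str, otp_code: str, at_time: float):
    """Two-factor check: password (something you know) AND a current TOTP
    (something you have).  Returns (accepted, reason)."""
    rec = USERS.get(username)
    if rec is None:
        return False, "unknown user"
    if not hmac.compare_digest(_hash_password(password, rec["salt"]), rec["pw_hash"]):
        return False, "bad password"
    counter = verify_totp(rec["otp_secret"], otp_code, at_time)
    if counter is None:
        return False, "bad or missing one-time code"
    # A code that has already been accepted is rejected even inside the drift
    # window, so an intercepted code cannot be replayed by an attacker.
    if counter <= rec["last_counter"]:
        return False, "one-time code replayed"
    rec["last_counter"] = counter
    return True, "ok"


if __name__ == "__main__":
    register("alice", "correct horse battery staple", RFC_SECRET)
    now = 59  # RFC 6238 test time; real code would use time.time()
    print(login("alice", "correct horse battery staple", "", now))        # password only: rejected
    print(login("alice", "correct horse battery staple", totp(RFC_SECRET, now), now))  # both factors: accepted
    print(login("alice", "correct horse battery staple", totp(RFC_SECRET, now), now))  # same code again: rejected
```

The drift window of one step either side is the usual compromise between tolerating a slightly wrong device clock and keeping the set of acceptable codes small; the `last_counter` record is what turns the window from a replay opportunity into a one-use check. SMS and phone-call factors deliver a similar code over a channel the server does not control, which is why a hardware token or app on a device you hold is the stronger choice of the alternatives described later in this message.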

Multi-Factor Authentication at UVM 

At UVM, we’re on track for a record year of Net-ID password compromises (95 so far in 2015, compared to 61 in the first three months of 2014, 350 in all of 2014, and 102 in 2013).   Compromised accounts are most often used to send spam, but more dangerous uses have been seen, with potentially catastrophic consequences for UVM and for the information resources, often very personal and sensitive, that we’re entrusted to manage.

With the diminishing effectiveness of passwords, UVM needs to expand our use of MFA.  People have been using RSA SecurIDs for access to Banner and some VPNs for a long time, making it all but impossible to access those systems with a stolen password alone.

The PeopleSoft system is next.  The recently implemented switch to using Webauth to log in to PeopleSoft has laid the foundation for MFA for that system.  SecurIDs will be supported, but most people who don't already have SecurIDs will be able to choose from several alternatives, including a USB key fob from Yubico, a smartphone app (Duo Mobile), a text message, and even a phone call.   A pilot population is using MFA with PeopleSoft now, and discussions with data stewards and affected groups will determine the roles that will be required to use MFA, and who will be able to opt in.

In the meantime, I hope this month's OUCH! newsletter will shed some welcome light on good passwords and multi-factor authentication.

[1] http://www.securingthehuman.org/ouch/ 

[2] http://en.wikipedia.org/wiki/Two_factor_authentication 

Best regards,

Dean Williams

Information Security Officer

Enterprise Technology Services

Dean.Williams@uvm.edu | 802-656-1174  

Find information security news, best practices, and how to report concerns on the UVM Computing Web site:

http://www.uvm.edu/it/security

Published by Dean

Dean Williams is UVM's information security officer.
