Enabling Multifactor Authentication
This post is part of a series contributed by the ISO’s 2019-2020 student intern Emily Connolly, ’20.
What is multifactor authentication? How do I use the DUO app? How do I lock down my passwords? If these questions keep you up at night, read on. If not, read on anyway; it’s important knowledge to have.
Multifactor authentication (MFA) is the practice of having two or more methods of verifying your identity when logging into an account. Entering your password is one method of verification, and others may include a text sent to your phone with a code, a security question, or even biometrics, like your fingerprint.
MFA types fall into three major categories: something you know, something you have, and something you are.
A password or a security question is something you know. It doesn’t change often and is a piece of information that can be leaked or stolen. The second piece of authentication, however, requires something you have (a one-time code) or something you are (fingerprint) to proceed. These are harder for someone else to obtain without physically stealing your phone or stealing one of your fingers (in which case you’d have much bigger problems).
You’ve probably used multifactor authentication before—Google accounts often enforce it when you’re logging in on a new device.
Multifactor authentication helps protect your account by setting up several ways to verify that it’s really you logging into your account. That way, even if someone cracks your password, there is another, tougher layer of security for them to get through.
Multifactor Authentication at UVM
Here at UVM, some resources are protected by DUO Multifactor Authentication. With this tool and the free smartphone app, users receive a one-time verification to use alongside their login credentials. This verification can be sent as a push notification from the app (easiest method), or as the six-digit code provided in the app. The code can also be sent as a text message or through a landline phone, or provided as a generated list of codes that users can use when offline.
This method adds a second step to the login process and thwarts would-be attackers who may have your password but do not have access to your phone. Multifactor authentication protects you, your information, and the University’s information.
However, beware if you receive a request in your DUO app that you did not initiate. Sometimes a request arrives on a user's mobile device (tablet or mobile phone) even though the user knows they did not send a push notification. Denying the request is your best option; it could be someone else attempting to gain access to your account.
To learn more about multifactor authentication here at UVM you can visit https://www.uvm.edu/it/kb/article/duo-multi-factor-authentication or read the Duo FAQ at https://www.uvm.edu/it/kb/article/duo-faq. We also made another blog post back in 2016 on the matter, which you can read here.