Research collaboration, password security, and mobile convenience got upgraded last week thanks to the new two-factor authentication (2FA) system, Duo Security, launched by UW-IT as part of the HR/Payroll Modernization (HRPM) Program.
The changes are a prerequisite for participation in this summer’s migration to a new, cloud-based human resources and payroll application called Workday. When asked if student employees were included in the initiative, Nathan Dors, assistant director of Identity and Access Management for UW-IT, confirmed the scope of those who should sign up for Duo.
“The key phrase is ‘all employees,’ even students,” Dors said. “It represents a big investment for UW.”
According to a factsheet published by the HRPM Program, over 3,700 UW NetIDs were compromised in 2016 due to phishing scams. The sheet also explains that 2FA keeps someone from accessing your accounts, even if they have phished your password, by adding a second, physical point of login verification.
Professor Annie Searle, lecturer on risk assessment at the information school, frames the process in terms of an ATM interaction — both a physical card and a PIN are required to get the cash.
Duo works through a mobile app connected to the owner’s UW NetID. Entering a NetID password into a Duo-enabled site prompts the app to generate an “approve” button on the connected device to complete the login process.
In her risk assessment classes, Searle teaches about the security trade-offs that often come with technological convenience, but her initial assessments of Duo are positive.
“It’s pretty seamless,” Searle said. “It’s a strong solution in that family.”
This system is not new technology to the university. In an email, Dors provided a history of its use dating back to the 1980s. Traditionally, the physical component was a keychain-sized token that was inserted (like an ATM card) or a code to be entered manually. Because physical components are precious resources, tokens were issued only to those with express need to access sensitive data or hardware.
Researcher and UW associate professor of communication Mako Hill was very familiar with the current system of Entrust tokens used by the university, and was excited about the move to Duo.
He has worked with Hyak, UW’s supercomputer, to analyze data and, in his other work, he collects and stores personal information.
“I do interviews with people where potentially there are sensitive things that people say,” Hill said. “It’s important to keep that information private.”
He described 2FA’s components as “a thing that you know, and a thing that you have.”
Or don’t have, in the case of the existing Entrust tokens.
“Getting these tokens to people has been such a mess,” Hill said.
New employees or research collaborators can’t access Hyak until they receive their token in the mail, Hill explained. Sometimes tokens arrive broken, or worse, envelopes arrive empty because the token had slipped out. Once they do arrive, the tokens are still small and easily forgotten or misplaced.
With the new system, access is granted almost as soon as the NetID is created. All the end-user has to do is set up the Duo account connection and download the app to their phone. UW-IT has provided complete instructions on their website. The new system also has built-in redundancy and recovery options, like dialing a desk phone as backup if a device is left at home.
Collaboration with other universities and research partners will also improve with Duo. According to Dors, the collaboration with the CERN accelerator is one example of the offsite projects to which UW researchers contribute. CERN’s systems allow for the use of UW NetIDs, but only with 2FA-enabled logins.
For now, use of Duo will be limited to specific systems tied to highly sensitive data. An employee who does not otherwise interact with Hyak or certain admin systems will only use Duo when accessing Workday.
Students who are not employees and who do not currently have Entrust 2FA tokens will not see much, if any, impact in the immediate future. However, Dors explained that the ultimate plan for Duo is to make 2FA available as an option for all UW NetIDs on key systems.
Reach contributing writer Sarah Corn at email@example.com. Twitter: @ThatSarahCorn