Securing Our Technology Resources
Multi-factor authentication has become an essential requirement for all businesses and industries. In compliance with the University System of Georgia (USG) and acting in good faith alongside other USG colleges and universities, Georgia Highlands College (GHC) will also add a second layer of authentication to all of our online and connected systems. GHC will be utilizing Duo as our vendor to implement this additional verification requirement. Duo will utilize an additional form of authentication, such as an app on a mobile device, to make it more difficult to gain unauthorized access to one of our accounts. While this alone does not protect all of our valuable data assets, it does hopefully shut the door to the easiest form of unauthorized access: using one of our own trusted accounts to gain access into the middle of our systems.
Contact Information Technology (IT) if you encounter an issue or device problem that is not addressed within this guide. You can email email@example.com to automatically create a help ticket or call our IT Help Desk at 706-295-6775 for an urgent issue.
What is Two-Factor Authentication?
Multi-factor authentication requires a user to present two or more forms of information (or evidence) in order to access a system or service. Two-factor authentication (2FA) adds a second layer of security to your account by requiring something in addition to your password. Verifying your identity using a second factor (like your phone, other mobile device, or landline) prevents anyone but you from logging in, even if they know your password. Each time you attempt to log in to one of our systems protected by 2FA, Duo will send a notification to one of the devices you have selected, allowing you to quickly acknowledge that you were in fact the one attempting this login. This prevents a third party from actually gaining access to your account and our data resources, as they do not have that second trusted device in hand.
Why use Duo Two-Factor Authentication?
Passwords are increasingly easy to compromise. They are often stolen or guessed and, in many cases, victims of a password compromise may not be aware that their account is being accessed. Duo helps protect your accounts from unauthorized access in the event your username and password become compromised. Even if these credentials were guessed or stolen, the hacker would not be able to gain access without authorization using Duo.
Why use Duo?
Duo is a tool that provides two-factor authentication to help protect university accounts with online access to sensitive information. We have chosen this vendor as our two-factor authentication provider based on the capabilities and flexibility included with this product. Several other USG institutions have also selected this vendor – thus providing all schools a negotiated contract site license rate.
Our Duo implementation allows the use of mobile phones (via app, SMS, or phone call), tablets, traditional “landline” phones, Duo authenticator hardware tokens, or U2F security keys to verify your identity after you’ve entered your username and password.
How Does it Work?
- Enter username and password as usual
- Use your phone to verify your identity
- Securely logged in
Once you’ve enrolled in Duo the first time, you will be ready to access a system quickly: you’ll log in as usual with your username and password credentials, and then use your device to verify that it’s you. There are several methods for signing up the first time. IT will provide the easiest methods for achieving a successful registration for your account.
No mobile phone? You can also use a landline or tablet, or there is a possibility of using a hardware token or security key. The decision on who might be responsible for purchasing hardware tokens and security keys, should the institution decide to go this route, has not yet been made. Some institutions have chosen to not utilize these at all, while others have offered them for sale in the bookstore.
Duo also lets you link multiple devices to your account, so you can use your mobile phone and a landline, a landline and a hardware device, two different mobile devices, etc., depending on all of the methods employed by the institution.
How Does this Affect Me?
- All employees will be required to utilize Duo in order to gain access to GHC’s single sign-on environment and secure institution systems.
- Multi-factor authentication is a requirement for all institutions within the University System of Georgia (USG).
- GHC IT recommends that employees utilize their smartphones to receive a free “push” notification with Duo. This process allows access with a simple acknowledgement on the Duo Mobile app.
- Employees may also choose to receive a phone call to their cell or landline, or a text message code by SMS.
- Two types of physical devices can also be used with Duo:
  - A supported Universal 2nd Factor (U2F) security key. (Note: security keys may offer limited compatibility with specific devices or applications and are not supported by Internet Explorer and Mozilla Firefox as of February 2019.)
    - Yubico YubiKey Security Key, Neo, 4, 4C, 4 Nano, 5, 5C, 5 Nano, or 5C Nano
    - Google Titan USB Security Key, Bluetooth Security Key
    - Feitian ePass NFC
    - HyperFIDO Mini – U2F Security Key
  - A supported hardware token (Duo Authenticator). If an individual is unwilling to utilize their own personal device, cannot legitimately use their desk phone because of their job requirements, will not purchase an affordable hardware key of their own, or has a documented disability of some nature, then a hardware token request form can be completed requesting the use of a GHC-provided hardware token. This form must also be signed by the supervisor and submitted to IT at the time of the account conversion request. These are available on a first-come, first-served, limited basis.
- Every employee must verify their identity through Duo daily on each combination of computer, laptop, or mobile device and web browser. GHC IT does not allow “trusted” workstations or any other mechanism for bypassing Duo. However, a device and browser combination can be remembered for 12 hours. This setting provides a reasonable balance between usability and the risk associated with the potential compromise of an employee’s device or account credentials.
- Instructor computers in classrooms follow this same procedure due to the risk these devices present by being frequently left unattended in unlocked classrooms.