Multi-Factor Authentication (Duo)

 

Securing Our Technology Resources

Multi-factor authentication has become an essential requirement for all businesses and industries. In compliance with the University System of Georgia (USG) and acting in good faith alongside other USG colleges and universities, Georgia Highlands College (GHC) will also add a second layer of authentication to all of our online and connected systems. GHC will be utilizing Duo as our vendor to implement this additional verification requirement. Duo will utilize an additional form of authentication, such as an app on a mobile device, to make it more difficult to gain unauthorized access to one of our accounts. While this alone does not protect all of our valuable data assets, it does hopefully shut the door to the easiest form of unauthorized access: using one of our own trusted accounts to gain access into the middle of our systems.

If the documentation provided here is not adequate, or your device is not functioning as described, please contact Information Technology (IT) for assistance with this transition.  Contact IT via rt@highlands.edu to create a ticket.  Tickets can be handled by any IT staff member on any campus, so this is usually the fastest path to resolution.  If you feel your situation is more of an emergency, call 706-295-6775.


What is Two-Factor Authentication?

Multi-factor authentication requires a user to present two or more forms of information (or evidence) in order to access a system or service. Two-factor authentication (2FA) adds a second layer of security to your account by requiring something in addition to your password. Verifying your identity using a second factor (like your phone, other mobile device, or landline) prevents anyone but you from logging in, even if they know your password.  Each time you attempt to log in to one of our systems protected by 2FA, Duo will send a notification to one of the devices you have selected, allowing you to quickly acknowledge that you were in fact the one attempting this login.  This prevents a third party from actually gaining access to your account and our data resources, as they do not have that second trusted device in hand.

 

Why use Duo Two-Factor Authentication?

Passwords are increasingly easy to compromise. They can often be stolen, guessed, or hacked — you might not even know someone is accessing your account.  Duo helps protect your accounts from unauthorized access in the event your account and password become compromised. Even if your account credentials were guessed or stolen, the hacker would not be able to gain access without authorization using Duo.

 

Why use Duo?

Duo is a tool that provides two-factor authentication to help protect university accounts with online access to sensitive information.  We have chosen this vendor as our two-factor authentication provider based on the capabilities and flexibility included with this product. Several other USG institutions have also selected this vendor – thus providing all schools a negotiated contract site license rate.

Our Duo implementation allows the use of mobile phones (via app, SMS, or phone call), tablets, traditional “landline” phones, Duo authenticator hardware tokens, or U2F security keys to verify your identity after you’ve entered your username and password.

 

How Does It Work?

Three steps to stronger authentication

  1. Enter username and password as usual
  2. Use your phone to verify your identity
  3. Securely logged in

Once you’ve enrolled in Duo the first time, you will be ready to access a system quickly: you’ll log in as usual with your username and password credentials, and then use your device to verify that it’s you. There are several methods for signing up the first time.  IT will provide the easiest methods for achieving a successful registration for your account.

No mobile phone? You can also use a landline or tablet, or there is a possibility of using a hardware token or security key.  The decision on who might be responsible for purchasing hardware tokens and security keys, should the institution decide to go this route, has not yet been made.  Some institutions have chosen not to utilize these at all, while others have offered them for sale in the bookstore.

Duo also lets you link multiple devices to your account, so you can use your mobile phone and a landline, a landline and a hardware device, two different mobile devices, etc., depending on all of the methods employed by the institution.

 

How Does this Affect Me?

  • All employees will be required to utilize the new account credential access methods in order to gain access to most systems on our campus networks and remotely, as well.  This policy and standard revision will be published as a requirement in the Password Policy & Password Standard upon instantiation or shortly following.
  • This is a requirement for all institutions within the University System of Georgia (USG).
  • It is highly recommended that employees use their personal smartphones to receive a free “push” notification; a simple acknowledgement on your phone then satisfies two-factor verification.  This requires the free Duo App to be installed and configured with your account.  This is the quickest and least intrusive method.  This is almost exclusively the #1 method being utilized at our sister institutions and across the US.
  • There are other methods allowed, as stated above and explained in additional sections within this site.  One can choose to receive a call to their cell or landline.  One can choose to receive a code via SMS (text messaging).
  • A physical device can also satisfy this 2FA verification.  Those are available for retail purchase.
    • a supported Universal 2nd Factor (U2F) security key. (Note: security keys may offer limited compatibility with specific devices or applications and are not supported by Internet Explorer and Mozilla Firefox as of February 2019.)
      • Yubico YubiKey Security Key, Neo, 4, 4C, 4 Nano, 5, 5C, 5 Nano, or 5C Nano
      • Google Titan USB Security Key, Bluetooth Security Key
      • Feitian ePass NFC
      • HyperFIDO Mini – U2F Security Key
    • a supported hardware token (Duo Authenticator).  If an individual is unwilling to utilize their own personal device, cannot legitimately use their desk phone because of their job requirements, will not purchase an affordable hardware key of their own, or has a documented disability of some nature, then a hardware token request form can be completed requesting the use of a GHC-provided hardware token.  This form must also be signed by the supervisor and submitted to IT at the time of the account conversion request.  These are available on a first come, first served, limited basis.
  • In order to satisfy the ultimate goal of safeguarding all accounts and ultimately the safety of our data resources as an institution, GHC will be required to follow the same requirements as all other USG institutions.
  • Therefore, each account will need to verify their identity through this account access process each day on each different system and for each different web browser. Unfortunately, no workstation can be trusted.  We currently have the threshold set for 12 hours, but many institutions are not allowing any grace period to remember verification on devices.  It only takes a few minutes to gain access to a user’s workstation and we cannot differentiate between a laptop, a desktop behind locked doors, or a public workstation.
  • Classroom faculty workstations will also have to follow this same procedure each time a new workstation or browser is utilized.  While this seems very inconvenient, these are the most vulnerable machines we have on our campuses, since they are in unlocked and unattended classrooms.
  • Successful authentication through this verification process provides each user with secure access to systems.