...
Implementing Duo multi-factor authentication virtually eliminates the risk of password compromise and identity impersonation by requiring the user, when authenticating to a system, to also enter a one-time passcode generated on a device in their sole possession (either the smartphone app or a hardware token). Combining "something you know" (the password) with "something you have" (the Duo token) means an attacker would have to steal not only the password but also a physical device the user carries, which is far less likely than a password compromise alone.
...
- Identify the high-risk systems, or the high-risk roles within those systems, for which multi-factor authentication should be enforced
  - Priority is given to roles with access to sensitive "restricted" data and to system-administrator type roles
- Identify the users in those high-risk roles
  - If KSAMS is used for role-based access management, we can produce a report of current role membership
- Provision users with Duo tokens
  - OIT covers the user license cost, including the software token; if a user does not have a smartphone or wants a hardware token for any reason, their department is recharged the cost (at most $25 each, purchased in increments of 5, usually lasting for 5 years)
  - Duo Security Multi-Factor Authentication - UCI User Guide
- Configure applications/systems to enforce Duo multi-factor authentication
  - This is the programmer's or system administrator's responsibility; we currently support native WebAuth (not Shibboleth yet), SSH, RDP, VPN/RADIUS, and LDAP authentication
  - Protecting Your System Using Duo Multi-Factor Authentication
  - Protecting Your Web Application Using WebAuth And Duo Multi-Factor Authentication
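For the SSH case in the last step, the enforcement lives in two places on the host: sshd must hand the login to PAM and require a keyboard-interactive step after the public key, and the PAM stack for sshd must actually call Duo's module. The script below is an added example, not UCI's or Duo's own code, that checks both before a system administrator switches enforcement on. The two configuration files it inspects are constructed samples standing in for /etc/ssh/sshd_config and /etc/pam.d/sshd; the directive names are standard OpenSSH and Linux-PAM ones, and pam_duo.so is Duo's PAM module. Anything else (the temp directory, file names) is an assumption of the example.

```shell
#!/bin/sh
# Added example, not UCI's or Duo's own code: a pre-flight check run on a Linux
# host before Duo is enforced on SSH logins via pam_duo. It verifies that sshd
# routes logins through PAM with a keyboard-interactive step after the public
# key, and that the PAM sshd auth stack calls pam_duo.so. The two files below
# are constructed samples; on a real host point the functions at
# /etc/ssh/sshd_config and /etc/pam.d/sshd.
set -e

WORK="${TMPDIR:-/tmp}/duo-check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed sshd_config fragment with the settings the Duo SSH integration
# relies on. AuthenticationMethods forces the key check first and the PAM
# prompt second, so a stolen private key alone does not yield a shell.
cat > "$WORK/sshd_config" <<'EOF'
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
EOF

# Constructed /etc/pam.d/sshd auth stack: pam_duo.so is the second factor;
# if it does not succeed, pam_deny rejects the login.
cat > "$WORK/pam_sshd" <<'EOF'
auth  [success=1 default=ignore]  pam_duo.so
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so
EOF

# A directive counts only when it appears uncommented at the start of a line.
# $1 = file, $2 = directive name (regex allowed), $3 = regex the value must match
has_directive() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3" "$1"
}

# Returns 0 when sshd_config hands logins to PAM with a keyboard-interactive step.
check_sshd() {
    f="$1"; ok=0
    has_directive "$f" UsePAM yes \
        || { echo "sshd: UsePAM must be yes" >&2; ok=1; }
    has_directive "$f" '(ChallengeResponseAuthentication|KbdInteractiveAuthentication)' yes \
        || { echo "sshd: keyboard-interactive authentication must be enabled" >&2; ok=1; }
    has_directive "$f" AuthenticationMethods '.*keyboard-interactive' \
        || { echo "sshd: AuthenticationMethods must include keyboard-interactive" >&2; ok=1; }
    return $ok
}

# Returns 0 when the PAM auth stack contains an uncommented pam_duo.so line.
check_pam() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_duo\.so' "$1" \
        || { echo "pam: no pam_duo.so line in the auth stack" >&2; return 1; }
}

# Overall verdict: both files must pass before Duo enforcement is switched on.
duo_ssh_ready() {
    check_sshd "$1" && check_pam "$2"
}

if duo_ssh_ready "$WORK/sshd_config" "$WORK/pam_sshd"; then
    echo "ready: sshd and pam_duo settings are consistent"
else
    echo "not ready: fix the reported settings before enforcing Duo on SSH"
fi
```

Run it as-is to see the checks pass on the sample files; on a real host, call `duo_ssh_ready /etc/ssh/sshd_config /etc/pam.d/sshd` instead. The checks deliberately ignore commented-out lines, since a `# auth required pam_duo.so` left over from a template is the usual reason a host that "has Duo configured" still lets key-only logins through.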