What is Multi-Factor Authentication and why is it important?
First we should define "authentication". Authentication is simply the act of verifying that an identity is who it claims to be. Commonly this means using a password to authenticate a username; in theory only the owner of the username knows that password. However, this provides a low level of assurance: it is possible that someone else also knows the password and can impersonate the user. The password may have been weak and guessed or brute-forced, captured by a keylogger, given up to a phishing email, or exposed by the compromise of another system where the same password was reused. Whatever the reason, passwords are constantly being compromised, which leaves the systems they protect vulnerable to compromise.
The example above is "single-factor" authentication. A "factor" is a type of authentication evidence, commonly either a knowledge factor (something only the user knows), a possession factor (something only the user has), or an inherence factor (something the user is, usually a biometric; location is sometimes treated as an additional context signal). "Multi-factor" authentication, which requires two or more of these factors to be verified successfully, offers a much higher level of assurance. In the example above, an attacker must steal the password and also steal something the user physically possesses, or impersonate a physical characteristic of the user, which is much less likely to occur. It also increases the accountability of the user and helps in auditing, because the likelihood that someone else was using the account is greatly reduced.
At UCI the goal is to offer multi-factor authentication to all users and systems, focusing first on protecting the highest-risk assets from authentication compromise, because simple password authentication just isn't secure enough anymore. UCI is using Duo Security as its multi-factor authentication solution. With Duo Security, you combine something you know (your password) with something you have (a mobile device or hardware token) to prove you are truly who you say you are.
Obtaining a Duo Security Token
To become a Duo multi-factor authentication user (either hardware or software token):
- Complete, agree to, and submit the UC Irvine Duo Security Token Agreement Form (UCI Google Account login required)
- Have your supervisor email security@uci.edu to authorize and request a token for you.
- A Duo Security token is then assigned to the user. Token assignment of hardware or software is done based on availability.
Initial Token Setup Instructions
Software Token Setup
- OIT Security will send you an email with two links. It is best to open that email on the device you want to configure to use Duo.
- The first link is to download the Duo Mobile application for the device platform you specified (i.e. Apple App Store for iOS, Google Play for Android, etc).
- Once the Duo Mobile application is installed on your mobile device, the second link is to activate the Duo Mobile app specific to your user and device account.
- You can then test it by going to the test Duo-protected URL below.
Hardware Token Setup
- Hardware tokens will need to be picked up from the OIT Security group, located on the 6th floor of the Science Library.
- Once the hardware token is issued to you, it should be configured and ready to go. You can then test it by going to the test Duo-protected URL below.
General Usage Information
- Duo Guide to Two-Factor Authentication
- Keep your Duo Security token in a safe place: either with you at all times or somewhere you won't forget it, since you will need it to access systems from work or home.
- Duo Security requires two factors being authenticated before you are allowed to progress:
- First Factor = the normal native password you have been using to access the system
- Second Factor = the Duo Security Tokencode or Duo Push Response
- A Tokencode on a Duo Security token changes every 60 seconds.
- A Tokencode can only be used once. (You must wait until tokencode changes before attempting to use the Duo Security token for authentication again.)
- By policy, accounts lock out after 5 failed login attempts.
- The following Duo-protected URL can be used to verify your token is working: https://secw2k3test.adcom.uci.edu/DuoWebTest/
- If you need your account reactivated after a lockout, or you've lost or forgotten your Duo Security Hardware or Software token, or have any problems related to Duo Security Authentication, please send email to security@uci.edu
- Duo Security tokens do not communicate with a central server and do not need internet connectivity for standard use (reading a tokencode off the token). The Duo Push feature of the software token does require a data connection on the mobile device.
- Here is generic information (.pdf) about Two-Factor Authentication via SANS (calling the process two-step verification)
Common Usage Step-by-step
WebAuth Duo Push
- You will first see a WebAuth login page. Login with your UCInetID and Password.
- After you log in, you will be asked to choose your type of phone device and then either Duo Push or entering a Passcode. The example shown uses "Android" as the device. If you select Duo Push, press the "Log in" button.
- You will receive a notification from Duo on your mobile device. Tap Approve. If you do not approve quickly enough, the request times out and a dialog box appears on the WebAuth page.
- If you approve in time, the WebAuth page on your computer will redirect to the logged-in screen.
- You have now successfully used Duo Push.
Windows
Unix SSH
- Open your SSH client and connect to the UNIX host. It will first ask for your username; type it and press "Enter". Next you must enter your password; it will not be echoed as you type. When you press "Enter" after your password, the Duo second-factor prompt appears.
- Type just "1" (not "1.") to select Duo Push and press "Enter".
- You will receive a Duo Push notification on your mobile device asking you to approve the login request. Approve it and the SSH session will continue and display the login message.
- You are now logged in over SSH. When you are done with your work, type either "exit" or "logout", or close the terminal window.
SecretServer
VPN