Two-Factor Authentication With Duo

John Charles, Vice President of IS&T, announced earlier this month the upcoming requirement for using two-factor authentication to log into systems and services at MIT. Two-factor authentication secures our data by limiting the risk of a password compromise, which in turn could allow a cyber attacker to access services limited to MIT users. Duo Security is the service IS&T is using to leverage two-factor authentication.

Services that you will need to use Duo for, beginning September 30, 2015, include:

  • Touchstone and web services authenticated through Touchstone (such as Atlas, Barton, and Stellar)
  • MIT’s VPN service
  • Remote access to systems supported by IS&T or located within IS&T data center facilities.

Students are excluded from this requirement until Summer 2016.

Two-factor authentication is used in addition to a username and password to prove you are authorized to log into a system. It is based on the principle of something you know (your username and password) and something you have (your phone or a hardware token). Users are first asked to authenticate with their username and password (considered the first factor) and then prompted to retrieve a code that is sent to their phone or designated device (considered the second factor).

The code can be sent to the Duo application on your smartphone; when it arrives, you simply tap the message to approve the login. No re-entering of the code is necessary. You can also set up a non-smart phone or a hardware token for Duo.

Although this second step requires dedicating a bit of extra time to logging into a system, you have the option to have a browser remember you for the next 30 days, which turns off the prompt for the second factor during that time.
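The "something you have" check described above, as an added example that is not part of the original newsletter or of Duo's own service: a server-side verifier for an event-based hardware token of the kind RFC 4226 (HOTP) specifies. The secret is the RFC 4226 test key (a constructed value, not a real credential), the `look_ahead` window and the `login` helper are this example's own assumptions, and the point it shows that the prose does not is why a correct verifier must refuse a code that has already been accepted: a one-time code that can be replayed is no longer a second factor.

```python
import hmac
import hashlib
import struct

# RFC 4226 test key; a constructed demo value, never a real token secret.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an RFC 4226 HOTP value: HMAC-SHA1 over the 8-byte counter,
    dynamically truncated to a fixed number of decimal digits."""
    msg = struct.pack(">Q", counter)              # counter as big-endian uint64
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # low nibble picks the window
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server-side state for one enrolled token (assumed design, not Duo's).

    The server tracks the next counter it expects. A submitted code is checked
    against a small look-ahead window so a token whose button was pressed a few
    times without logging in still works, and every accepted code advances the
    counter so the same code can never be accepted twice.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        window = range(self.next_counter, self.next_counter + self.look_ahead + 1)
        for counter in window:
            # constant-time comparison avoids leaking how many digits matched
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.next_counter = counter + 1   # consume this and earlier counters
                return True
        return False                               # outside window or replayed


def login(password_ok: bool, verifier: TokenVerifier, code: str) -> bool:
    """Both factors must pass: the password (something you know) and a fresh
    token code (something you have). Evaluating the password first means a
    wrong password never consumes a counter value."""
    if not password_ok:
        return False
    return verifier.verify(code)


if __name__ == "__main__":
    v = TokenVerifier(DEMO_SECRET)
    print(login(True, v, hotp(DEMO_SECRET, 0)))   # first use accepted
    print(login(True, v, hotp(DEMO_SECRET, 0)))   # same code replayed: rejected
```

The look-ahead window is the usual trade-off between usability and exposure: a larger window tolerates more unused button presses but gives a guessed six-digit code more counters to match against, so a deployment also rate-limits failed attempts per account.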

Learn more via the links below.

Using Duo Two-Factor Authentication (KB)

How do I log into MIT services that leverage Duo? (KB)

Register for Duo (sign up form)

Duo Memo (Letter to the Community)

Security SIG Talk: Slides are Available

Thank you to all who attended the Security SIG talk last week on Lessons Learned from the Top Healthcare Information Security Breaches. If you were not able to attend, or did attend but would like to review the information again, the slides are available here. (MIT certificate required.)

Risks to Information When Traveling

This recent NY Times article outlines the ways your data can fall into the hands of snoops and thieves if you’re not careful when traveling. The tips the article lists include some great security best practices.

1. Take only what you need. If you can, take a loaner laptop or one that contains only what you need for the trip and nothing more. Alternatively, if you must take sensitive data, carry it on a memory stick.

2. Use encryption. Encryption can be added to MIT laptops, mobile devices and memory sticks. To learn more about how to use and enable encryption, see:

3. Install a virtual private network (VPN). The VPN that MIT provides gives users an encrypted network connection, even when accessing the Internet via public or open wifi (such as at a hotel or cafe). This prevents anyone on the same public wifi from accessing your communications. Install the VPN client from the IS&T website:

4. Protect using a password. If you must take a phone, laptop or tablet with you on your trip, make sure it has a code or password on it. Some smartphones now have fingerprint sensors for locking/unlocking. Choose a strong password for your laptops (learn how). Create strong passwords for the mobile apps or websites you use for accessing sensitive information, and don’t leave passwords written down and stored near the devices you use them for.

5. Use layered protection. This means, for example, having extra copies of files safely stored elsewhere (not on your computer’s hard drive), or having your files backed up within the cloud. MIT offers CrashPlan, the new backup service that replaces TSM. Mobile devices can also use CrashPlan via CrashPlan apps.

Note: while having files in Dropbox can be convenient for sharing files with colleagues, if you have installed Dropbox on your computer, the files are accessible to a thief who has stolen your computer. A recommendation would be to remove the Dropbox folder from the computer prior to traveling and to access your Dropbox files via the Dropbox website. On mobile devices, the folder can be password protected within the Dropbox app. See these security tips for Dropbox users.

Find more tips for MIT Travelers in this KB article.

Securely Disposing of Mobile Devices

The June issue of OUCH!, led by Guest Editor Chris Crowley, discusses how to securely dispose of your mobile device. Most people do not realize just how much sensitive and personal information they have on their mobile device. If you are not careful about how you dispose of your older mobile devices, almost anyone can access that information.

Download the June issue of OUCH! (pdf) and please feel free to share with colleagues.

Additional information about secure disposal and data sanitizing old equipment can be found in the Knowledge Base.

Risks of International Travel

Two weeks ago the International Coordinating Committee (ICC) at MIT hosted a presentation on international travel resources. Members of IS&T were there as co-presenters and addressed concerns regarding safe computing, mobile devices and data protection while traveling.

The event was well-attended but if you weren’t able to be there, the slides can be viewed online via the Office of Sponsored Programs website. A lot of the information presented by IS&T can also be found within this Knowledge Base article.

In addition, SANS shares a security awareness video each month, and this month it is on International Travel. The video explains the risks with international travel and how you can protect yourself and your data. It will be available at the link below until the end of February.

SANS: Monthly Awareness Video.

Data Privacy Month: Is Online Privacy Possible?

Data Privacy Month kicked off on January 28th, a day that is historically celebrated as Data Privacy Day. To get a sense of what data privacy means to regular citizens, I interviewed Jeff Schiller, a long-time security technologist at MIT.

The information Jeff shared was somewhat sobering: privacy only goes as far as the level of protection you require. In other words, it really comes down to how much you care about your privacy and the risks you’re willing or unwilling to live with. But the situation isn’t hopeless. We reviewed some steps users can take right now to protect their privacy online.

Read the article online at IS&T News.

MIT has policies around protecting personal privacy. Review them here.

Securing Your e-W2 Tax Forms

It is tax time, which means we need our W2s. At MIT you can access your electronic W2s from SAP Self Service. As with any personal data you access online, there are measures you can take to minimize the risk of exposure.

The SAP Self Service website requires authentication via personal web certificates, and these are obtained with your MIT Kerberos username, a password and your MIT ID number. Make sure to never share your password with anyone, and make sure it is strong and updated on a regular basis. You can also protect your web certificate with a password.

After downloading your W2 and printing it out or submitting it for processing, you should clear your browser’s history and cache and securely delete the W2 from your downloads folder.

If your files are backed up to an external drive, use a tool such as Identity Finder to find social security numbers and other sensitive data on your systems. Added protection can be obtained by encrypting your computer.

Printing from an MIT printer may bring risks as well. Check with your local IT support person to see if proper measures are in place to secure or remove files stored in the printer’s memory.

No system is 100% secure, even those with security measures in place. An attacker may gain access regardless of those measures. Therefore it is everyone's responsibility to think about security and to practice proper hygiene on a computer. If we take steps to secure personal information, we can minimize the risks.

If you are concerned, use strong passwords, access personal information online only when using a protected computer or an encrypted network (such as a home network, protected by a password, or via the MIT VPN) and use the hygiene recommendations listed in this article by following the steps linked to in the Knowledge Base.