Two-Factor Authentication With Duo

John Charles, Vice President of IS&T, announced earlier this month the upcoming requirement to use two-factor authentication to log into systems and services at MIT. Two-factor authentication protects our data by limiting the risk of a password compromise, which could otherwise allow a cyber attacker to access services limited to MIT users. Duo Security is the service IS&T is using to provide two-factor authentication.

Services that you will need to use Duo for, beginning September 30, 2015, include:

  • Touchstone and web services authenticated through Touchstone (such as Atlas, Barton, and Stellar)
  • MIT’s VPN service
  • Remote access to systems supported by IS&T or located within IS&T data center facilities.

Students are excluded from this requirement until Summer 2016.

Two-factor authentication is used in addition to a username and password to prove you are authorized to log into a system. It is based on the principle of something you know (your username and password) and something you have (your phone or a hardware token). Users are first asked to authenticate with their username and password (considered the first factor) and then prompted to retrieve a code that is sent to their phone or designated device (considered the second factor).

The code can be sent to the Duo application on your smartphone; when it arrives, you simply tap OK on the message. No re-entering of the code is necessary. You can also set up a non-smart phone or hardware token for Duo.

Although this second step requires dedicating a bit of extra time to logging into a system, you have the option to have a browser remember you for the next 30 days, which turns off the prompt for the second factor during that time.
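To make the two-step flow described above concrete, here is an added example (not MIT's or Duo's code) that models a login with a password as the first factor, an RFC 6238 one-time code as the second factor, and a remembered-browser token that skips the second prompt for 30 days. The class, function names, and the constructed secret are assumptions for illustration only.

```python
import hashlib
import hmac
import os
import secrets
import struct
import time

REMEMBER_DAYS = 30  # window during which the second prompt is skipped


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash for the first factor (something you know)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code, as an authenticator app on the phone would show."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


class TwoFactorLogin:
    """Hypothetical account that requires both factors unless the browser is remembered."""

    def __init__(self, password: str, device_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.device_secret = device_secret  # shared with the phone (something you have)
        self.remembered = {}  # browser token -> expiry time (epoch seconds)

    def first_factor(self, password: str) -> bool:
        return hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)

    def second_factor(self, code: str, now: int) -> bool:
        # Accept the current 30-second step and one step either side for clock drift.
        return any(hmac.compare_digest(code, totp(self.device_secret, now + d)) for d in (-30, 0, 30))

    def login(self, password, code=None, browser_token=None, now=None, remember=False):
        """Return (success, browser_token); the token is only issued when remember=True."""
        now = int(time.time()) if now is None else now
        if not self.first_factor(password):
            return False, None
        if browser_token and self.remembered.get(browser_token, 0) > now:
            return True, browser_token  # within the 30-day window: no second prompt
        if code is None or not self.second_factor(code, now):
            return False, None
        token = None
        if remember:
            token = secrets.token_urlsafe(32)
            self.remembered[token] = now + REMEMBER_DAYS * 86400
        return True, token
```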

Learn more via the links below.

Using Duo Two-Factor Authentication (KB)

How do I log into MIT services that leverage Duo? (KB)

Register for Duo (sign up form)

Duo Memo (Letter to the Community)

WEBCAST: Authentication Security and Why It Matters

Join a free webcast provided by SANS.org this Tuesday.

What: Looking Beyond Layers: Why Authentication Security Matters Most
When: Tuesday, June 24 at 12:30 PM EDT
Featuring: Dave Shackelford and Brian Kelly

https://www.sans.org/webcasts/layers-authentication-security-matters-98480

Sponsored By: Duo Security https://www.duosecurity.com/

Description: Traditional, “tried-and-true” security wisdom tells us that tough perimeter controls, defense-in-depth, threat intelligence feeds, and all manner of security point products are the solutions to all our problems. However, as we’ve seen time and time again, breaches still happen, credentials still get lifted, and chaos ensues. Yet there’s still hope — authentication security is a viable avenue for making a huge impact against an attacker’s sphere of influence and lateral movement capabilities.

Presenters will highlight some examples where two-factor authentication provided the key defense for disrupting attacks.

Duo Security is a vendor that IS&T is considering working with for two-factor authentication. If you miss this webcast, it will be archived on the SANS website here.

See additional upcoming webcasts from SANS.

Password Security is a Problem

As we have learned from the Heartbleed Bug and from years of brute-force attacks on systems containing log-in credentials, the risk to passwords is still great.

But passwords fall into the hands of criminals in other ways besides through attacks on a database or web server. 40% of people have one of the top 100 most common passwords. This makes it very easy for intruders to access your online accounts and steal your identity.

As it happens, April is also Records and Information Management month, and now is a good opportunity to spread awareness around the topic of password security. Here is an infographic to get you started.

The graphic mentions two-factor, which is another name for two-factor or multi-factor authentication. This verification technique is something that IS&T is looking to implement in the near future, so stay tuned.

Social Media Security Tips

There are various ways you can get scammed or, at the least, embarrassed if you don’t follow general security practices when using social networking sites such as Facebook and Twitter. Don’t worry, if it happened to you, you’re not the only one. The Associated Press, Burger King and The Onion have all recently had their Twitter accounts hacked. Various celebrities have had their Facebook accounts hijacked. They are then used to spread misinformation or to post links that lead to malware.

Twitter recently implemented two-factor authentication to crack down on the problem. No word yet on whether Facebook will follow suit. Facebook does offer something called Login Approvals, its version of two-factor authentication, to protect users from takeover attempts of their account.

To learn more on protecting accounts and preventing scams, go to the companies’ security guidelines pages:

Microsoft to Offer Two-Factor Authentication

Two-factor authentication is a security protocol designed to better restrict access to sensitive information, such as a bank account or a website holding financial or personal information. It augments a password with a one-time code that is either delivered by text message or generated in an authentication application.

According to a recent news article, Microsoft announced last week that it is rolling out this option to the 700 million Microsoft account users, confirming rumors. The feature works essentially identically to the existing schemes already available for Google accounts.