In a process approved by the President's Cabinet to meet university compliance requirements, Multi-Factor Authentication with Duo has been selected as the university's Multi-Factor Authentication method to secure access to Protected Data.
Table of Contents
Every University employee has access to data that is protected by some form of regulation. Passwords alone are no longer enough to secure protected data and auditors are asking us to do more. Failing to secure protected data can result in large fines and loss of funding for the University. We also are concerned for the privacy of our students, patients, and fellow employees and want to do our best to protect their information.
Currently, only full and part time university employees, and sponsored employees, are required to use Multi-Factor Authentication.
Multi-Factor Authentication with Duo will be the official name used by UIS. Sometimes referred to as MFA, or Two-Factor Authentication (2FA).
Duo is currently configured to protect web logins to Pacific's single sign-on environment. These include myAccount, Moodle, Box, BoxerApps (Google), Boxer Alerts, Compliance Training, Qualtrics, Zoom, and others. We plan to add employee access to Webmail in the near future.
No, because UIS will not refer to it as “MFA” alone.
Since most employees are already using personal cell phones for accessing University email and accessing Boxer Wireless, our hope is that most employees will use their cell phone for push notifications using the Duo Mobile app.
The Duo Mobile App can be downloaded from either the Apple or Google Play app stores.
If you have been provided a university funded cell phone or you receive a cell phone stipend for required university usage of the device, then you would be required to us the university funded device. Cell phone requirements may also be included as part of an employment contract or job requirements for particular positions. Other employees may choose to use their personal cell phone as a convenience, but not a requirement. Since many employees are already using personal devices on the campus wireless network, no additional costs would be incurred by the employee to install and use the free Duo Mobile app.
Any employee who doesn’t want to use a personal phone for this purpose should talk to their supervisor, director or dean about it. The gap between what an employee needs to be able to do their job, what personal resources the employee is willing to use and what resources their department is willing and able to provide is a matter for each employee to work out with their supervisors. UIS’ only role is to provide the required security framework and to assist employees with whatever is their chosen method for authenticating.
Hardware security keys are also available for purchase to use when a smartphone is not available.
University departments may choose to pay for employee hardware keys like they would for other office supplies. Employees may also bring their own hardware key that can be used for both work and personal online accounts.
UIS recommends Yubikey hardware security keys from yubico.com that cost as low as $20 per device. You may also check with the University Bookstore. We suggest caution when finding less expensive security key devices made outside the United States since these devices are given access to your computer and data by connecting through a USB port or other methods.
Currently, the only computers UIS has issued without USB-A ports are the recent MacBook Pros. With each of these USB-C-only MacBook Pros we ordered USB-A to USB-C adapters and delivered those when we deployed the MacBook Pros. We plan to continue doing this for any computer we deploy that is USB-C only. It is true, however, that having a more expensive USB-C Yubikey would make it more convenient for those users.
If you leave your Multi-Factor Authentication device at home, please contact the Technology Helpdesk and we will assist you with temporary access. You may consider purchasing a hardware security key to keep on a key ring for backup if needed.
Using the Duo app on a smartphone, using the Duo app on a tablet and using a hardware authentication device (a key) are the only ways employees can authenticate to Duo protected systems.
Our experience is that having a second device reduces problems (or at least makes them less urgent), as one can be used as a backup to the other. For instance, if one’s phone is acting weird, one can use a Yubikey instead. If a Yubikey is lost or stolen, employees can (and should) disable that device from being able to be used to authenticate.
For one’s primary web browser, it should generally be once a week, since one can tell Duo to keep one logged in for five days. Using other systems (e.g. a web browser on a classroom PC) that may require authentication more often (as often as a faculty member or staff logs into a protected system).
The Duo Mobile app will allow you to generate a one time code that can be used when your smartphone does not have data service.
If you choose not to use Multi-Factor Authentication you will not be able to use any of the services protected by it an may not be able to complete your job duties.
Employees who may need to login on multiple devices at various locations will need to carry either their cell phone or a hardware key in order to login. For example, a faculty member needing to log into a single sign-on server from a classroom computer will need a device to authenticate.
Multi-Factor Authentication with Duo will work on any computer used to access University resources protected behind Multi-Factor Authentication.
Duo Mobile will work on many of the recent versions of Apple iOS and Android versions as long as the phones have screen locks enabled and have not been "rooted".
Please see this Duo web site for supported Apple iOS versions.
Please see this Duo web site for supported Android OS versions.
If you are a university employee using Multi-Factor Authentication with Duo, and you use your phone as an authentication device, and you get a new phone, you will need to transition over to using the new phone as your authentication device. Please see our Knowledgbase article for Changing Multi-Factor Authentication with Duo to a New Phone.
One can log onto a Duo-protected application using the browser on one’s cellphone, and authenticate using the Duo app on the same device.
On Safari on macOS Catalina 10.15 and macOS Big Sur 11.0, to take advantage of this feature, you must go to Preferences -> Privacy and uncheck the checkbox for "prevent cross-site tracking."
Please contact the Pacific Technology Helpdesk at 503-352-1500 or by Zoom.
See Also
For more information, please see the Duo service catalog entry.
Questions?
Contact Support