This article serves to explain what multi-factor authentication (MFA) and Duo Mobile are, and why they are necessary additions to Deakin's security.
To further enhance security, the Deakin Shield program will be implementing Multi-Factor Authentication, also known as "MFA", on key Deakin services that contain personal or sensitive information.
When you log in to Deakin University services you use your username to identify yourself and your password to prove your identity or authenticate yourself. There are many different ways to authenticate yourself to a service, and when categorising authentication methods together into groups, or "authentication factors", your password is considered to be "something you know". Other authentication factors include "something you have" such as a mobile phone, smart card or hardware token; and "something you are" which includes your fingerprint and other biometrics.
MFA requires you to prove your identity using more than one factor of authentication. In the MFA implementation currently underway your password, or "something you know", will be combined with either an app installed on your smartphone or a hardware token; "something you have".
By combining multiple factors of authentication your account is protected in the event that your password is stolen.
The Deakin Shield project is using Duo Security to implement MFA because it provides a streamlined user experience. If you access other online services which require Multi-Factor Authentication, you will have experienced the process of copying a 6-digit One Time Passcode (OTP) from Google Authenticator or a hardware token into a web page. When using the Duo Mobile app, you can simply approve or deny a login by pressing a button on your Android or iOS device.
Anti-malware and email filtering can only do so much to protect you from malicious software and phishing attacks designed to trick you into giving your password to a third party. While everyone knows they should not use the same password for multiple services, inevitably people forget this and use their Deakin University password on other services. If those other services are compromised, the attacker has not only your password for that service but also your Deakin University password. Databases of passwords stolen from compromised services are readily available online for criminals to purchase and use in credential stuffing and other attacks.
Multi-Factor Authentication is needed to protect your personal information, information belonging to Deakin University and our online reputation.
Once your account has been configured to require Multi-Factor Authentication the next time you access an MFA enabled service you will be prompted to install the Duo Mobile app and link your smartphone to your account. This is a straightforward process with easy-to-follow on-screen instructions.
After your smartphone is enrolled you can then use the Duo Mobile app to approve logins or generate an OTP that you can enter.
DUO Security provides a streamlined user experience through the use of push notifications, and enterprise management features allowing eSolutions to effectively support the thousands of staff and students who work and study at Deakin University.
Most third-party issued MFA tokens, like the one issued by a bank, are not able to be used because they are tied to the organisation that issued them. Other MFA tokens need to be plugged into a USB port on your computer, making them unsuitable for authenticating when using a smartphone or tablet. Supporting third-party MFA applications such as Google Authenticator introduces additional complexity which makes it difficult to support and provide a good user experience.
Multi-Factor Authentication is intended to protect your account in the event that your password is compromised by a third party, and this is achieved by isolating your second authentication factor from your password. Because your password can be used to log in to Microsoft Teams to receive phone calls, the use of phone calls as a second authentication factor is not secure.
Due to a rising number of high-profile attacks where SMS services have been hijacked most online services are removing support for text messages as a second authentication factor. For this same reason Deakin University is not allowing SMS or phone calls to be used as a second authentication factor.
Students are offered SMS in the event that there is no other alternative, such as using Duo Mobile to authenticate. This is included as a bypass feature.
Most importantly, Duo Mobile has no access to change settings on your phone. Duo Mobile cannot read your emails or SMS history. It cannot see your browser history. It cannot wipe or remove files on your phone. The visibility Duo Mobile does require is to verify the security of your devices, such as OS version, device encryption status, screen lock, and the ability to send notifications to your phone (for Push requests).
More Information: Duo Push Guide (which explains what Duo Mobile can and cannot do)
On the 20th of August 2019, MFA was applied to all Deakin applications that currently use single sign-on (SSO).
Our tip is to keep the "Remember me for 7 days" tick box checked.
When using MFA for the first time and enrolling your device, the Duo Mobile app will use your camera to scan a QR code displayed on the screen. If you do not wish to give this permission to the Duo Mobile app, you can also enrol your device using a link sent via email.
Duo Mobile may use your mobile number in order to authenticate the device during the initial set-up. Deakin would not use your number for any other purpose.
While Duo Mobile does operate best while connected to the internet, it requires a very minimal amount of mobile data. Typically, a single Duo Push takes about 2 kilobytes (KB) per authentication.
There are understandable concerns that Duo Mobile may use a large amount of data throughout the average working month. However, Duo estimates that you would use only up to 1 megabyte (MB) if you were to authenticate around 500 times in a single month, which equates to over 16 authentications per day, well above the average authentication rate of most staff or students.
1 MB is roughly equivalent to loading a single webpage on your smartphone.
More Information: How much data does a Duo Push request use?
For information on managing your MFA devices and settings, please visit the Duo Central - Managing Devices article.