Two-Factor Authentication Project Page

 

GOAL: To protect our community, their personal information, and institutional data as ITS evolves systems, services, and capabilities

Concept

IT security tools have become more sophisticated and provide better protection for IT resources. To circumvent these security practices, criminals have become increasingly adept at stealing individuals’ credentials through phishing campaigns and other nefarious activities. Once they have gained credentials, criminals can access sensitive information and compromise accounts without immediately triggering security alerts.

Two-factor authentication (2FA) enhances security by adding a layer of protection to the authentication process. It requires you to verify your identity with something you know (your credentials) and with an item in your possession (your device). This effectively prevents unauthorized access, even if your password has been compromised.

2FA is an established IT security practice that has widespread adoption at peer institutions. Institutional and state-level stakeholders have also been advocating for implementation of a two-factor authentication service. Notably, the State announced that protection for authentication is going to become a requirement in the near future for Core-CT, the Connecticut state government's integrated human resources, payroll, and financial system.

Product Selection

ITS evaluated the concept, researched competing alternatives, and selected Duo Security as the vendor for UConn’s 2FA service. Duo is a leader in the multifactor authentication market and is used heavily by higher education institutions with comparable populations and requirements. Duo is also the product currently used internally at UConn for select use cases.

Planning

ITS assembled staff members from Identity and Access Management, Security, Project Management, and Communications to contribute to the development and enactment of a detailed project plan. The service manager also reached out to external stakeholders to discuss and plan solutions for possible obstacles to a smooth implementation. He also presented the service at IT functions.

In later stages of the planning phase, team members began drafting support documentation and developing a communication plan for an enterprise-wide deployment. A service management portal was designed, created, and tested.

Staging

In this phase, the Central Authentication Service (CAS) was upgraded. Although this change was part of the routine, scheduled upgrade cycle, it was necessary for implementation of 2FA. ITS also began testing the service and support for it. The process involves adding devices that are associated with individuals’ NetIDs and then enabling 2FA for either Core-CT or all services behind CAS. Firewall administrators were the first test group, and then ITS employees and Payroll staff (representing functional partners). Feedback was requested and incorporated from all early adopters.

Formal Service Rollout

During the execution phase, ITS will initiate a phased roll-out for all faculty, staff, special payroll, and student employees. Participants will be encouraged to add devices to the service before it is required for access to Core-CT.
