All University of Oregon faculty and staff members can now protect their Duck ID accounts with two-step login.
As of Feb. 6, enrollment in two-step login is open to all employees, including student employees and graduate employees. Instructions for getting started are available in the UO Service Portal.
Two-step login — also known as two-factor authentication, 2FA, two-step verification or multifactor authentication — adds a powerful extra layer of security to any login process. After entering a username and password, users must also verify their identity by tapping a button in a mobile app, entering a code or answering a telephone call. The UO is using a simple system designed to allow employees to quickly verify their identity with as little effect on their workflow as possible.
"Even if a cybercriminal stole your password, two-step login would make it really hard for them to actually use your account because they'd have to steal a device of yours as well," said Leo Howell, chief information security officer.
"Multifactor authentication blocks almost 100 percent of credential theft-based attacks, according to research by Google and Microsoft," Howell said. "This is the single most important thing you can do to protect your account, the university and the people around you."
For UO's two-step login service, the university is partnering with Duo Security. People will first register a mobile phone, tablet, desk phone or a small hardware device called a token. Within a day, two-step login will go into effect for their Duck ID account.
From that point on, when the user logs in to Canvas, MyTrack, Concur, the UO Service Portal or any other UO website that uses Shibboleth single sign-on, Duo will prompt users to confirm their identity using the device they've registered.
"Once you're set up with Duo, you'll start using it everywhere you see that green-and-yellow 'Login Required' screen," said Patrick Chinn, associate chief information officer for customer experience. "Luckily, Duo only takes a few seconds, and for most services, you only have to do it once a week."
In July, Information Services announced plans to launch two-step login for all UO staff and faculty members this academic year. Because UO's Banner system provides access to high-risk data, about 1,500 employees who use Banner started doing two-step login in the fall.
"I was prepared for it to delay my access, but that just hasn’t been the case," said Sandee Bybee, HR employee engagement and communications manager, who started using Duo in November. "The process has integrated seamlessly right into my work."
Two-step login is currently voluntary for the other approximately 12,000 UO employees.
"Sometime soon, we will require all employees to use Duo," Howell said. "We plan to announce that date in the next couple of months."
To help faculty and staff members enroll in two-step login before it becomes mandatory, Information Services is partnering with IT staff throughout the university to do direct outreach and offer trainings and enrollment sessions. Many employees will be contacted by IT staff in their respective areas about recommended time frames for enrollment.
For employees comfortable with self-service enrollment, Howell encouraged signing up as soon as possible to reduce their vulnerability to threats like the phishing attack of August 2018.
"People may be surprised to hear that we see coordinated campaigns every week to steal passwords from our students, faculty and staff," Howell said. "You may not think your own credentials would be so valuable to steal, but cybercriminals can use them to steal identities and intellectual property and empty bank accounts, not only yours but those of your colleagues and students."
Students who aren't UO employees will be included in a future phase of the two-step login rollout.
Faculty and staff members seeking help with two-step login are encouraged to contact the IT staff responsible for supporting their respective areas, if applicable, or contact the Technology Service Desk by phone at 541-346-4357, by live chat, through the UO Service Portal or in person in Room 68, Prince Lucien Campbell Hall.
—By Nancy Novitski, University Communications