Recently, Library and Technology Services teamed up with Duo Security to deploy two-factor authentication (2FA) at Lehigh. While we are still in the early phases of 2FA socialization, this post serves as an introduction to second factors used for 2FA.
Two-factor authentication is about what you know (password) and what you have (physical second factor such as a mobile phone). 2FA provides an additional factor for authentication in case passwords are compromised, which means if someone has your credentials, they will need your physical second factor in order to authenticate.
While 2FA may seem an inconvenience, there’s no argument that hacking, malware, phishing and ransomware has been on the rise in recent years. If you are not using 2FA for your personal accounts, including bank accounts, you need to rethink how you are protecting your data.
For our deployment, we support many different second factors such as Duo Mobile app, text messages, voice callbacks, and hardware tokens. Preferred second factor is to download and use the Duo Mobile app which is supported on a variety of mobile devices including iPhone, iPad, Android and Windows phones. After registering the mobile device, a push notification will be sent to your device when you need to acknowledge that second factor. If you have an Apple watch, you will get the notification directly on your watch.
While we currently support text messages (codes) as a second factor, there’s a growing debate in the security community on how secure text messages are for 2FA. Good reference for why this method is not recommended can be found at “So Hey You Should Stop Using Texts for Two-Factor Authentication“.
Voice callback option works by calling the predefined phone number that you registered and provides a code over the phone to enter in. While this works, its not as fast and convenient as the mobile app.
Hardware tokens, sometimes referred to as Universal 2nd Factor (U2F) or Security Token are USB keys that you can place on your keyring and inserted into your USB port. Pressing the button sends over the key for authentication. These keys are the most expensive of the second factor options but can be useful for those that do not have access to cell phones, cell or wireless service.
For our deployment, users are not limited to the # of second factors that can be registered. For example, you can use the Mobile App as your regular second factor but have your office phone # for callback in an event that you forget your mobile device.
Lastly, once you have signed in and authenticated with your second factor, there is an option to select remember device for x days. This means that as long as you use that same device, such as laptop or desktop for those days, you will not be prompted for the second factor. If you should go to another system that was not remembered, you will be prompted.
Stay tuned for more information about our planned rollout of two-factor authentication for faculty and staff.