What is two-factor authentication (2FA)?
Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. At the Health Science Center, we authenticate ourselves whenever we log in to our computers. Our username says who we are, and we use passwords that no one else is supposed to know to prove who we are. Our password is a single authentication factor for our username and is the most common form of authentication in use.
There are three primary factors of authentication; they are:
- What you know, e.g., a password
- What you have, e.g., a physical device you carry with you (mobile device or token)
- What you are, e.g., something unique about yourself (fingerprint, etc.)
Multi-factor authentication is using two or more of the factors with your username to authenticate yourself.
At the university, we will be implementing two-factor authentication (2FA) with our username. For our application, the two components of two-factor authentication are something you know (password) and something you have (a mobile device or landline phone).
2FA is required in situations that involve remote access to resources. Specifically, in the following situations:
- When an employee or individual working on behalf of the university logs on to a university network using an enterprise remote access gateway such as VPN, Terminal Server, Connect, Citrix or similar services;
- When an individual working from a remote location uses an online function such as a web page to modify employee banking, tax, or financial information;
- When a server administrator or other individual working from a remote location uses administrator credentials to access a server that contains or has access to confidential university data;
- When an individual, described in the first bullet point, who is working from a Remote Location accesses a web-based interface to University email.
What are the benefits?
2FA adds a second layer of security, keeping your account secure even if your password is compromised. With 2FA you’ll be alerted right away (on your phone) if someone is trying to log in as you.
What systems require 2FA to log in?
All information resources with sensitive information used by faculty and staff will require two-factor authentication. This will eventually be implemented for all systems over the course of the next several years.
- Accessing the university network from off-campus via Virtual Private Network (VPN).
- Accessing the university network from off-campus via Hosting Virtual Desktop (HVD).
  - Only required when accessing the desktop from untrusted networks (e.g., from home, a hotel, a restaurant, etc.)
  - Those devices already registered will not need to re-register for Duo Mobile.
- Accessing servers or systems that contain confidential university data using Remote Desktop Protocol (RDP) or secure shell (SSH).
- Access to secure University information such as Student Administration, Financials, Employee Self-Service, and others.
- Access to Office 365 from a non-University network connection through a browser (for UTHSCSA users and non-UTHSCSA users).
- Other systems will be identified and tested with 2FA as needed. Affected users will receive additional notification before changes become active.
When will I be required to enroll for two-factor?
Some users will want to enroll for 2FA as soon as it is available, depending on the system they access. Other users may not enroll for protection until they have a need. For example, VPN remote access will be protected by 2FA. If you use VPN, you will need to enroll and activate 2FA. If you do not need VPN, you may not need to participate in the 2FA initiative for the foreseeable future.
How does it work?
Once you’ve enrolled in two-factor you’re ready to go. You’ll log in to the 2FA-enabled system as usual with your username and password and then use your device to verify that it is you logging in.
Do I have to use a mobile device to gain 2FA?
2FA protection will be powered by Duo software. Duo offers several methods including a mobile device app, SMS text message and voice phone call options. University users will not be required to own a mobile device to gain 2FA.
If you do not want to use a phone at all, you can purchase a hardware token from the TechZone for $22. The hardware token works like the passcode authentication method. It will generate the passcode which you will use for the second factor in authentication. NOTE: Since the token is associated with a user’s login account, tokens cannot be shared, however, they can be transferred. Contact the Service Desk for more information.
Do I have to use my personally-owned mobile device?
University users will not be required to have a mobile device to use 2FA, but this is the most convenient option which most users have preferred in tests. Using Duo for 2FA will consume data, though it will be relatively small. Instead of a smartphone, users may register with another mobile device (for instance, a tablet) or by receiving voice calls through a landline.
Does the university gain control of my personally-owned device if I participate in 2FA?
The 2FA initiative is powered by software developed and published by a contracted third party, Duo Security. By installing the application on your mobile device, you do not provide the Health Science Center with any ability to access your device or monitor your personal activity.
What happens if my mobile device prompts me and I am not trying to log into a university system protected by 2FA?
When you attempt to connect to a system protected by 2FA, you will be prompted on your mobile device, which serves as your second factor. If you receive unexpected prompts when you are not trying to log into a university system, you should press “Deny” in the Duo application. The 2FA architecture has worked and your account has been protected; an intruder cannot log into the protected system without the second factor. You should report such unexpected mobile device prompts to Information Security by email at InfoSec@uthscsa.edu or by phone at 210-567-0707.
Duo was working with my old phone but I got a new phone with the same phone number. How do I get it working with VPN and 2FA?
Install the Duo App on your new phone. Then call or email the Service Desk and ask them to reactivate your phone. They will send an Activation Text to your phone number. Follow the instructions in the text to get the new phone activated for your account.
What if I lose my mobile device?
Contact the Service Desk immediately if you lose your mobile device with Duo installed on it. They will disable the phone for authentication and help you log in using another phone or factor. You can contact them by email at IMS-ServiceDesk@uthscsa.edu or by phone at 210-567-7777.
While it is important that you contact the Service Desk if you lose your phone, remember your password will still protect your account; an intruder would need both factors.
If I am concerned that 2FA will not be compatible with my workflow process or application requirement, does this policy apply to me?
In certain limited instances, Information Security may consider an exemption to avoid system incompatibilities or work disruptions. An exemption request must be submitted to the Chief Information Security Officer.
Do I need to use Duo every time I login?
Yes. Access to specific University resources must be authenticated each time. Currently, those resources are the University’s virtual private network (VPN) and administrative access to University servers. Your workstation on campus will not need Duo two-factor authentication.
I am traveling internationally. Will my device need to have international voice, texting, or data to authenticate?
No. You can still use the Duo Mobile app to authenticate. By opening up the Duo Mobile app, you can press the “key” icon which will generate your 6-digit login code. This does not require a cellular or wireless (Wi-Fi) connection.
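As an added illustration (not part of the original FAQ and not Duo's own code), the standard counter-based one-time-password scheme of RFC 4226 (HOTP) shows why a passcode generator needs no network connection: the device and the server each hold the same secret and compute the same 6-digit code independently. The secret and expected codes below are the RFC 4226 test vectors; whether Duo Mobile uses exactly this algorithm is not stated on the page and is an assumption of the example.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (20 ASCII bytes); a real enrolment would
# provision a random secret shared only between the device and the server.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def device_next_code(secret: bytes, device_counter: int) -> tuple[str, int]:
    """What the offline 'key' button does: derive a code from secret + counter
    and advance the counter. No network access is involved."""
    return hotp(secret, device_counter), device_counter + 1


def server_verify(secret: bytes, submitted: str, server_counter: int,
                  look_ahead: int = 10):
    """Server side: accept the code if it matches the current counter or one
    of the next `look_ahead` counters (the device may have generated codes
    that were never submitted). Returns the new server counter on success,
    or None on failure. Accepted counters are never reused, so a captured
    code cannot be replayed."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1
    return None


if __name__ == "__main__":
    code, dev_counter = device_next_code(TEST_SECRET, 0)
    print("device shows", code)                  # 755224
    print("server accepts ->", server_verify(TEST_SECRET, code, 0))
    print("replay accepted? ->", server_verify(TEST_SECRET, code, 1))
```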
Is the Duo Mobile app trustworthy to install on my personal device?
The Duo Mobile app is highly rated in both the Android and Apple stores. Additionally, this app has been reviewed and approved by Information Security to ensure appropriate levels of security and privacy. The app does not have the ability to access data on your phone such as pictures, messages or contacts.
My username and password do not have access to anything confidential. Why do I still need two-factor protection?
Most attackers are interested in using your username and password to break into the secure internal network so that they can look for vulnerabilities on the thousands of sensitive internal systems on campus. Alternatively, attackers will log in to a user’s email account and send out hundreds or thousands of phishing and spam messages outside the university and to other faculty, staff and students in an attempt to compromise their computers and/or get access to sensitive information.
Do I need to install software on my laptop or home computer to do two-factor authentication?
No, two-factor authentication is integrated into the various login pages, so additional software is not required.
Can I request an exception to the 2FA requirement for my system and/or application?
IMS has implemented 2FA to explicitly comply with the access scenarios described in the Chancellor’s mandate. Further, this requirement has been adopted in both UT Health San Antonio and UT System policy.
A request for exception will require the approvals of your Chair/Dean, the University Chief Information Security Officer, and President, with submission to UTSystem for the Chancellor’s review and approval. Please contact Information Security to first assess your exception request and to help identify potential configuration options to bring your system into compliance.
Contact Information Security immediately if you lose your mobile device with Duo installed on it. We will disable the phone for authentication and help you log in using another phone or factor.
While it is important that you contact Information Security if you lose your phone, remember your password will still protect your account; an intruder would need both factors.