Blog


Background

Multifactor authentication (MFA) is the process of using two or more factors of authentication to grant access. This is sometimes called two-factor authentication (2FA) or 2-step verification. MFA is the most effective method for stopping unauthorized account access today. When combined, multiple factors of authentication provide a high level of confidence that the identity (user) is who they claim to be. 

The factors of authentication are broken down into three categories, with examples of each:

Something you know
  1. Password or passphrase
  2. Personal identification number (PIN)
  3. Security questions

Something you have
  1. Trusted mobile device or computer
  2. Security key
  3. Identification badge
  4. Hardware token or code generator

Something you are
  1. Fingerprint
  2. Face
  3. Retina

In 2019, UNW Information Technology began implementing MFA using Duo Security for core University business personnel, securing VPN access to Northwestern's networks. Since then, the MFA implementation has expanded to cover critical applications and to require enrollment for all staff and then, in late 2021, all faculty.

Reminders

  • Never approve a multifactor authentication request you did not initiate.
  • If you suspect your account is compromised, or you are repeatedly receiving codes or approval requests you did not initiate: decline the requests and contact IT immediately.
  • Declining or not responding to 10 requests in a row will lock the Duo account to prevent any misuse until IT can resolve the incident.
  • UNW IT will never ask for your account password nor any MFA approval/code.
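The lockout rule above (ten declined or unanswered requests in a row) can also be run as a detection on the authentication log, so that the security team sees push harassment before the lock triggers, and sees the riskier case where someone finally approves a push after ignoring a run of them. The following is an added example, not UNW's or Duo's own code: the event format is a simplified, constructed stand-in for a Duo-style authentication log, and the value 3 for the "approved after a burst" threshold is an assumption.

```python
"""Added example: detect MFA push harassment in Duo-style authentication events.

Implements the stated lockout rule (10 declined or unanswered pushes in a row)
as a detection and additionally flags an approval that follows a run of ignored
pushes. Event fields and reason strings are assumptions modelled loosely on a
Duo authentication log; they are not the real schema.
"""
from collections import defaultdict

LOCKOUT_THRESHOLD = 10     # from the reminder above: 10 in a row locks the Duo account
BURST_BEFORE_APPROVE = 3   # assumed: approval after this many ignored pushes is suspicious

# Reasons that count as "not approved" for a push (assumed names).
NOT_APPROVED = {"user_denied", "no_response", "timeout"}


def make(ts, user, reason, factor="duo_push"):
    """Build one simplified log event (constructed sample data helper)."""
    return {"ts": ts, "user": user, "factor": factor, "reason": reason}


# Constructed sample log, not real UNW data.
SAMPLE_EVENTS = [
    make("2022-11-14T08:00:00", "alice", "user_approved"),
    make("2022-11-14T08:05:00", "bob", "no_response"),
    make("2022-11-14T08:06:00", "bob", "no_response"),
    make("2022-11-14T08:07:00", "bob", "user_denied"),
    make("2022-11-14T08:08:00", "bob", "user_approved"),    # approved after 3 ignored: suspicious
    make("2022-11-14T08:10:00", "alice", "no_response"),
    make("2022-11-14T08:11:00", "alice", "user_approved"),  # one miss then approval: normal
] + [make(f"2022-11-14T09:{i:02d}:00", "carol", "no_response") for i in range(12)]


def analyze(events):
    """Single pass over the log in timestamp order; returns a list of alerts.

    Each alert is {"type", "user", "ts", "run"} where type is "lockout" (the
    consecutive non-approved run reached LOCKOUT_THRESHOLD) or
    "approved_after_burst" (the user approved a push after BURST_BEFORE_APPROVE
    or more consecutive non-approved pushes). Only push events are considered,
    because passcode and security-key logins cannot be bombarded this way.
    """
    run = defaultdict(int)   # per-user count of consecutive non-approved pushes
    locked = set()           # users already reported as locked (alert once)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["factor"] != "duo_push":
            continue
        user, reason = ev["user"], ev["reason"]
        if reason in NOT_APPROVED:
            run[user] += 1
            if run[user] >= LOCKOUT_THRESHOLD and user not in locked:
                locked.add(user)
                alerts.append({"type": "lockout", "user": user,
                               "ts": ev["ts"], "run": run[user]})
        elif reason == "user_approved":
            if run[user] >= BURST_BEFORE_APPROVE:
                alerts.append({"type": "approved_after_burst", "user": user,
                               "ts": ev["ts"], "run": run[user]})
            run[user] = 0    # a genuine approval ends the run
        # any other reason (for example an error) leaves the counter unchanged
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample this reports bob's approval after three ignored pushes and carol's lockout at her tenth unanswered push; alice's single miss followed by an approval is not reported. An "approved_after_burst" alert is the one worth a phone call to the user, since it is exactly the outcome the first reminder above warns against.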

Roadmap

While the MFA implementation has covered the core institutional information systems, there are still gaps that remain to be addressed. Primarily, the entire Microsoft 365 suite that Northwestern relies on for everyday functions has not been protected by MFA. Take a glimpse into what is coming for the Northwestern community over the next few months. More information regarding each of these changes will be communicated in advance of their roll-out.


Unification of Single Sign-On platforms

Single Sign-On, or SSO, allows a user's login session to be initiated and maintained for a multitude of applications by requiring only a single authentication event, such as entering a username and password plus a multifactor prompt. In the coming months, authentication will be shifted to center on Microsoft Azure Active Directory as the Identity and SSO provider, leveraging our Microsoft cloud infrastructure for highly available and secure identity management.

Timing: Late November

Login Integration for UNW Workstations

Along with the centralization of identity management in our Microsoft cloud, a feature for UNW-owned Microsoft Windows devices known as Hybrid Azure Active Directory Join integrates the device itself into the authentication infrastructure. In practice, this allows the Windows login to be leveraged for authentication to the rest of the applications on the device and even in the web browser. Additionally, these trusted UNW computers can serve as a factor of authentication (something you have), thus replacing the need for an additional Duo MFA prompt on those devices in many cases.

For UNW-owned Mac computers, the Microsoft Company Portal app will be installed to broker the single sign-on for desktop and browser sessions. Apple and Microsoft have announced login integration support with later editions of macOS 13 Ventura, so stay tuned for future updates.

Timing: Early December

Reminder

Always report lost or stolen devices to UNW IT as soon as possible to prevent potential misuse. This includes personal devices that may contain UNW data or are used for MFA.

Protection of the Microsoft 365 Suite

The above-mentioned improvements were championed by the IT project team for several months in order to provide a better overall experience with the authentication systems and Duo MFA, so that adding the Microsoft products to MFA protection would not be entirely burdensome. The truth is that this will be an adjustment for the Northwestern community. The current Microsoft 365 experience is a simple login with username and password, after which the session remains signed in for up to 180 days, until the password expires. In today's cybersecurity landscape that is far too long: without multifactor, a stolen password alone leaves the door open to unauthorized use of Northwestern information systems for months.

Timing: December through January

What are my options?

There are multiple options for Duo MFA available to UNW staff and faculty. If you have used one of the methods since enrolling but would like to switch to a more convenient way to use Duo, you can adjust your preferences using the Duo self-service portal the next time you log in. UNW IT recommends the Duo Mobile app methods as the most convenient and secure way to use Duo MFA.

Duo Push (Recommended)

About Duo Push: When the Duo Mobile app is installed on your mobile device and registered for your UNW Duo account, the option Send Me a Push on the login prompt will send a notification to your mobile device for approval.

Why use Duo Push? This is the most convenient method. The requests can be easily approved or declined by choosing the appropriate option in the notification popup or Duo Mobile app. Apple Watch users can approve/deny from their watch if the iPhone is in range and the screen is locked.

For more information about using Duo Push, follow the guide for your platform:

Duo Passcode

About Duo Passcode: When the Duo Mobile app is installed on your mobile device and registered for your UNW Duo account, the option Enter a passcode will open a field to input a 6-digit passcode.
To find the Duo passcode, open the Duo Mobile app and locate the account you are logging into. Tap the account to reveal the one-time passcode and enter it in the login window on the computer.

Why use Duo Passcode? Although slightly less convenient than a push, this method is resistant to multifactor harassment since the passcode is generated silently and automatically. This method also works without Wi-Fi or cellular coverage on the approving mobile device; however, the authenticating computer must have an internet connection to initiate the prompt.

For more information about using Duo Mobile app passcodes, follow the guide for your platform:

Call Me

About Call Me: When a telephone number is registered for your UNW Duo account, the option Call Me will call that phone number to request approval. Answering the call will prompt the user to press any key, approving the sign-in.

Why use Call Me? This method is useful if the Duo Mobile app is not supported on your mobile device or you are authenticating with a phone number that does not have SMS (text) capability, such as a landline. This method may also be faster than receiving an SMS passcode.

For more information about using Call Me, follow this guide:


Please note that MFA methods requiring a phone call or SMS message from a cellular carrier are subject to more frequent outages than Duo Mobile app methods.

SMS Passcodes

About SMS passcode: When a telephone number is registered for your UNW Duo account, the option Enter a passcode will open a field to input a 6-digit passcode. A Text me new codes button will appear to send a passcode to your phone number.

Why use SMS passcode? This method is useful if the Duo Mobile app is not supported on your mobile device. For UNW, SMS passcodes are generated one at a time.

For more information about using SMS passcode, follow this guide:


New option!

Security Keys (bring your own)

About Security Keys: These dedicated hardware devices store the multifactor authentication secret securely outside of your computer or phone. They are activated by plugging the key into a USB port on the computer and pressing its button. In some cases, NFC can be leveraged by just bringing the key near your mobile device.

Why use Security Keys? If you already own a compatible security key, such as a YubiKey or Feitian device, you can leverage it for secure, convenient multifactor authentication.

For more information about using Security Keys, follow this guide:

Not sure which option is best for you?
Contact the IT Service Desk!

Walk-Up Service:

Monday-Thursday: 7:45am - 8:30pm

Friday: 7:45am-5:00pm

Saturday-Sunday: Closed

Located in the Riley Hall lower level.

Phone, Email, or Ticket:

Available 24/7 at 651-631-5699

servicedesk@unwsp.edu

https://servicedesk.unwsp.edu



Key Terms

Identity - An attribute or set of attributes that uniquely describe a subject within a given context. Examples might include a username, email address, or ID number.

Identity Provider (IdP) - The party that manages the subscriber’s primary authentication credentials.

Authentication - Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to a system’s resources. 

Multifactor Harassment - Where a user is bombarded with push notifications, text messages or calls from an attacker attempting to gain access to the account.

Source: Digital Identity Guidelines (nist.gov)

Schedule Change

Beginning February 4, 2021, Information Technology will be changing the software update schedule for all Windows and Mac office computers.  The following software update schedule will now be in place: 

  • 1st Thursday of each month beginning at 10:00 PM through the following Thursday at 10:00 PM 

This schedule change will provide more opportunities for your computers to get critical software and security updates.

Note: This applies to Windows and MacOS computers used in employee offices; this does NOT apply to classrooms, computer labs, or production computers.

Background

For the last several years, Information Technology has been installing software updates during a narrow 14-hour window from 10:00 PM on the 1st Thursday of every month through 12:00 PM on Friday. However, many office computers are not turned on or available for software updates during that time. As a result, many computers are not receiving the software updates needed to maintain the security of our computers, systems and networks.

Why Software Updates are Necessary

Installing software updates regularly is important for several reasons:

Keeps your computer secure

Most updates include security fixes that close vulnerabilities an attacker could use to gain access to your computer

Keeps your data protected

Many updates close the holes that malware, spyware and ransomware use to lock or delete your data

Keeps your computer compatible

Often updates keep software on your computer compatible with other systems on the network

Keeps your computer current

New features are released through software updates

What to Expect

Before the Maintenance Window

Notifications

Information Technology will post the maintenance notification to the IT System Status Page

Click here to learn how to subscribe to updates from the IT System Status Page

Manually Install Updates

You can start the software update process as soon as you see the notifications

Note: Software Updates will not install automatically before the scheduled and communicated maintenance window.

During the Maintenance Window

Updates will begin automatically

During the maintenance window, your computer will automatically begin installing any missing software updates as soon as it is powered on and connects to the internet or UNW's network.
Note: Your UNW computer does not need to be connected to the UNW Network, it only needs to be turned on and connected to the internet. 

Reboot when updates are complete

Once updates are complete, you will be prompted to reboot your computer; you can choose to defer this reboot for up to 4 hours.

After the Maintenance Window

Questions or Issues?

If you have any questions, comments, issues or concerns please contact the IT Service Desk by email servicedesk@unwsp.edu or call the Service Desk at 651-631-5699. 

Note: Software Updates will not automatically install outside of the scheduled and communicated maintenance window.