Teaching Hub

Who is Allowed to Do That? DUO at UA

by Dean Townsley, Department of Physics and Astronomy

Passwords are often the basis for authentication. Who is allowed to set the grades of the students in a course? The instructor. Well, at least anyone who knows the instructor’s password. The difference between those two is the essence of authentication and highlights the importance of DUO, the two-factor authentication infrastructure UA is rolling out now.

Multi-factor authentication is a method in which evidence from more than one category (in the case of DUO, aptly, two) must be presented for authentication. The categories are (1) something you know, (2) something you have, (3) some feature of yourself. We use two-factor authentication every day for credit card transactions. You present something you have, your credit card, and a feature of yourself, your ability to produce your signature. For ATM transactions the second factor is something you know, your PIN. For DUO the two things are something you know, your password, and, by default, something you have, your smartphone. Requiring both of these makes it much more difficult for an attacker to impersonate you. Or, said another way, much more likely that the individual changing a grade or accessing a student record is actually the person allowed to do that.

One of our biggest vulnerabilities at UA, from an Internet security standpoint, is our passwords. UA has not had strict password policies and, as we all know, has been subject to persistent attempts to get users to enter their passwords into fake websites. As faculty, we also commonly enter our passwords on lightly secured machines in classrooms, where a keylogger could be installed and retrieved fairly unobtrusively, or where a student might “shoulder-surf” a password by standing in a strategic location at a well-chosen time. Enforcing strict password policies is both burdensome to users and, typically, not very effective. As a result, the pragmatic solution to this vulnerability is two-factor authentication.

DUO, or any two-factor system, is not a panacea. For example, with the 30-day “remember this browser” option, it is still feasible to trick a user into entering and confirming their credentials on a fake site in order to obtain 30 days of access. But with DUO in place that access lasts only 30 days, and, compared to a simply compromised password, it requires some technical acumen to make use of the captured information. This vastly decreases the value of undertaking the attack in the first place.

Security in the Internet age is generally a matter of deterrence, not of being bulletproof. But a little better security can go a long way. If a certain presidential campaign committee chair had been using two-factor authentication as his IT staff advised, it would have been much less feasible for attackers, operating remotely, to steal all of his emails and use them as fodder for a negative publicity campaign. The stakes are not so high for us as faculty and students. However, universities, due to their historically privileged position on the Internet, have long been high-value targets. Institutions choose various ways to manage these threats to information security, and two-factor authentication is an effective piece of the strategy for UA.