Two-factor authentication is coming to your phone (or other device)

As I’m sure you know, the internet is an increasingly dangerous place, and the most frequent source of compromised computers is people responding to phishing emails. The Security office at C&IT is working 24/7 to keep track of phishing and block people’s access to bad sites, but unfortunately it is just not enough, so C&IT is about to introduce two-factor authentication for certain WSU websites.

The danger with phishing is that people will log into websites that are not what they seem to be, and input their credentials (AccessID plus password) . The bad guys running the phony websites then take those credentials and use them to log into sensitive Wayne State sites, like your bank direct deposit setup page, where they redirect your paycheck to a bank of their choosing. And yes, this has indeed happened recently to Wayne State employees. They also use those credentials to install bad stuff on your computer, which they then use to attack other computers within Wayne State.

Since people are easily fooled into clicking on things they shouldn’t, we’re also combating the problem from our end, by beefing up security on certain Wayne State websites—pages within Academica, like PayStub, Direct Deposit etc. We are introducing what is called ‘two-factor’ authentication. (The current system is ‘one-factor’ authentication, where you simply type your password, which is ‘something you know’ into a box). Two-factor authentication adds an additional layer of security by having you touch ‘something you have’1. Wayne State has contracted with Duo, a nationally-known Ann Arbor-based company to implement this additional layer.

How does it work?

If you have a smart phone (iPhone, Droid, Windows phone) you can download a free app on the device, and go through a simple registration process. You get the app in the usual way (from the App Store/Google Play etc., by searching for ‘Duo’). You go through a one-time set-up process, and after that, when you log in to the sites that WSU has protected through Duo, your phone will pop up an ‘Approve’ or ‘Deny’ button:

Duo on iPhone

If you push ‘Approve,’ Timesheet, Pay Stub, and a few other websites, such as native Banner2, will open up. There are additional wrinkles that can simplify your interaction with Duo–you can read about them here.

The process for other flavors of smartphone is the same. See here for Android and scroll down on this page for other devices.

If you would prefer not to use Duo’s app, you have many other choices. You can choose to receive a text message and then type that number into the website, or a phone call (where you can just press # as a response). And there are other ways to do it too. Details can be found here.

If you don’t want to use any device (smart phone, tablet, flip phone, computer) there are other ways to log on (contact the C&IT Help Desk for additional information).

For much more detail on how this works, go to our FAQ.

Many universities and other organizations with sensitive websites that everyone needs to access are moving in this direction. Normally it only adds one or two seconds to the time it takes to log on to Academica or Banner (C&IT employees have been using Duo for a few months, based on the cutely-named  notion that we should ‘eat our own dogfood’).

As always, if you have questions you can contact the Help Desk, or you can add a comment below–I always read and respond to comments.

_______________________________________________________________________________________________

1 You can read about this way of classifying security methods on this website.

2 Technically you will need Duo whenever you access ‘Self-service Banner’. This includes facilities you access from Academica such as Pay Stub, Time Sheet, Direct Deposit, tax forms etc. In short, to get to any page within Academica that looks like this:

Self-service Banner image

 

What does the Yahoo Breach mean? Fix your password now!

You may have heard that Yahoo suffered a security breach which they revealed last week, although it’s not exactly clear when it happened, or even when they became aware of it. You probably don’t think this matters to you, but you might be surprised. There are some things you should do immediately, and some things you should do in the next few days.

First the facts: According to Reuters,  at least 500 million (yes, half a billion) accounts were hacked. That means that user names, email addresses, telephone numbers, birth dates, and encrypted passwords were all stolen. Unencrypted passwords, payment data (bank account information) were not taken. According to Bruce Schneier this is the largest breach in history.

Yahoo is claiming that the breach happened in 2014, and that they became aware of it recently, although some have questioned that claim.

So what does this have to do with you? First, if you know you have a Yahoo account, change the password now. Although they claim it happened two years ago, unless you’re sure you’ve changed the password since then, change it now.

Second, many other things are linked to Yahoo. For example, if you have a Uverse account, and use the email address associated with it, that’s the same set of credentials. The same for Flickr. Also, change the security questions (and especially the answers).[1]

Finally, if you used the same password for any other account, particularly your Wayne State email/Academica/AccessID account, CHANGE THE PASSWORD NOW!!! Especially if you have the same access ID (i.e. as I do, geoffnathan@yahoo.com)[2]

This is a good reason, unfortunately, for the annoying requirement for frequent password changes—people reuse passwords. On the other hand, if you use a password manager (like LastPass or Dashlane or Keepass) you don’t need to worry about it. You can read a discussion of the various password managers here

Finally, check back here later in the week to hear about a new security measure C&IT will be implementing that will change the way you get to things like your pay stub, your time sheet and your direct-deposit information in Academica.


[1]    This is a good time to reiterate that you should not use standard answers to security questions. So if it asks you your mother’s maiden name, LIE. Nobody cares, and that answer can’t be Googled, and isn’t on Facebook. Just make sure you record you answer somewhere where you can find it.

[2]    And, before you can get smart with me, as I am writing this I have already changed it.