2FA is on Its Way!

Posted: December 15, 2015

You may have already heard of Two-Factor Authentication (2FA), or it may be a new term and practice for you. Day by day the use of 2FA is growing at Penn State, but what is it? What value is it to you and to Penn State? How does it work?

Two-factor authentication is a heightened security practice – you may already use it with a bank, credit union or other services. Penn State is implementing this technology on a phased-in schedule that may affect many of you later in the spring of 2016. This article is only meant to be an introduction to the concept and its mechanics – there are no action items here. We have months to help you prepare for 2FA's eventual integration into the services that you use. Before that happens, AgIT will help you get ready to use it on a daily basis.

In its simplest form, 2FA matches who you are with what you know and what you have. Who you are (at least electronically!) is your username - abc123; what you know is the password that you created for that account; and what you have is a registered device (cell phone, smartphone, landline telephone, Apple Watch, or a Duo brand token). Fortunately it is possible (recommended, in fact!) to register multiple devices so that if, for example, you accidentally leave your cell phone in the car, you can easily switch your 2FA to your office telephone and conduct business.

Once you have your device(s) registered, the process is simple. When you point your web browser to a secure site, you will get the familiar “thumbprint” web access login window for your username and password. Once you enter your username and the correct password, you will be asked which device you want to use to complete the login. The second-factor authentication is initiated…

If you choose to use a registered smartphone with the Duo application, a message will pop up on the phone screen asking you to approve or deny the logon attempt.

If you choose to use a registered landline or cell phone, the phone will ring and an automated voice will ask you to press any key on the phone to accept the logon, or to hang up to deny it.

If you choose to use a registered token, a window will ask you to enter the number displayed on your token.

Once you have accepted your second factor, the process continues and you’ll be logged in.

In each of these cases, someone who may have access to your username and password but does not have access to your device will be unable to log on. In recent security incidents at Penn State, the usernames and passwords of some accounts were compromised and made available to hackers overseas. You can see that two-factor authentication renders that information useless – and therein lies the value of the process. If you question its impact on you personally, log in to Penn State’s OHR site, ESSIC, and see how much information is available to anyone with your password – salary and benefits information as well as the ability to change your direct-deposit information! Yes, this will add an extra layer of security for you and for Penn State.

Please remember that this article is just intended as a broad overview of the service. As we move into the spring, you'll be seeing and hearing more about the service and its implementation. If you have specific questions now, please feel free to contact Ag IT Support or your IT Consultant.