CITS

Multi-Factor Authentication is Coming!

June 20, 2017   |  By Joe Dincau

What is Multi-Factor Authentication (MFA)?

UMB’s computing environment requires a high level of security to ensure the privacy, integrity, and confidentiality of the data that resides in its systems. During the last 10 years, the UMID and password have developed and served as a common credential to access systems and services at the University. This authentication strategy has greatly improved the computing services user experience. However, with the growth of cyber threats and attacks, and the attempts to persuade individuals at UMB to reveal their credential, known as phishing, it has prompted the computing industry to address this problem. An approach was devised to leverage multiple verification methods and no longer rely only on a single credential. The combined strength of these multiple factors of authentication creates a confidence or level of assurance that the person accessing the system is the appropriate individual. At UMB, we will be transitioning to a MFA approach that allows users to use a mobile device in addition to their UMID and password to achieve a significantly higher level of security and almost entirely negate the risk associated with phishing and similar attacks.

Why is MFA important to the security and privacy of UMB, its data, and its users?

Over the last 10 years UMB has made immense strides toward establishing a common ID and password that provides secure and easier access to systems. While this has greatly improved the usability of our computing services, it has likewise increased the importance and influence of that single set of credentials. The UMID and password now have the highest level of criticality as this credential provides in almost all cases the only verification method that the user accessing a system is the intended person. Therefore, a breach of that credential would provide far-reaching access to a perpetrator.  Unfortunately, most universities and organizations have found themselves in this situation, and UMB is no different. As such, the number of attacks on users to coerce them into revealing their credential is exponentially increasing. These attacks, known as phishing, are now operating at such as scale in volume, variety, and degree of sophistication that even with the immense resources dedicated to prevention, detection, and monitoring, some attacks will still reach users. The phishing epidemic has exposed and clearly demonstrated the weakness of only having a single credential to prove identity.

As a result, the industry has started to embrace and move to this new approach. Specifically within higher education over the last 12 months, the pace and range of the adoption of multi-factor authentication (MFA) have confirmed it is and should be one of the highest IT priorities a university should focus.

UMB’s computing environment requires a high level of security to ensure the privacy and integrity of its users and the data that resides within its systems. A single credential will only continue to pose a significant risk as a single point of failure within our collective IT infrastructure. The most effective way to mitigate this risk is to introduce a second credential and adopt a MFA strategy for all users of all systems. This unilateral approach will almost entirely negate the risk associated with phishing and similar attacks and align UMB’s IT security practices with the overwhelming majority of its peer institutions.

Which users require MFA to access applications and services?

The Center for Information Technology Services (CITS) has been preparing the computing environment for this new technology since last year. CITS also has been coordinating with each school and department to plan the implementation of MFA across the campus. The first phase of this rollout will cover the systems that contain our University’s most sensitive data and the users who can access that data. As each of these systems is integrated with MFA, the impacted users will be contacted individually with relevant timelines and instructions to set up and use MFA in their daily computing operations.

When will MFA be available?

CITS has already implemented MFA for a number of groups within Central Administration and many of the schools that use Virtual Private Network (VPN) software. MFA also was implemented with Sunapsis when it was implemented late 2016. From now through Spring 2018, CITS will be integrating MFA with the rest of the systems that contain the University’s most sensitive data and the users who can access those data.

In parallel, CITS is working on making MFA available to all users on an opt-in basis late 2017/early 2018.

 

How to Register/Administer my MFA device(s)