Compromised credentials are commonplace in the Information Technology industry and often lead to data breaches. Breaches over the past few years resulting from compromised credentials include companies like Target, government agencies like the Federal Office of Personnel Management, and higher education institutions like the University of Maryland, where a cleanup effort cost over $6.2M in credit monitoring alone.

UW System Administration accounts are being compromised at an ever-increasing rate. This institution must find a way to lower the incidence of credential compromise. One way, multi-factor authentication (MFA), significantly increases credential security across IT systems.

MFA Overview

UW System Administration has elected to leverage the UW Madison Duo Security contract and technology as a means to provide multi-factor authentication to reduce security vulnerabilities across all critical UW System applications and data stores. A Request for Proposal (RFP) project was concluded in Q4 of FY17, with Duo Security being selected.

A phased approach will improve customer adoption of new 2-factor authentication processes and lessen the risks that new technologies can pose to critical UW System operations across the organization. This project will use a phased approach to ensure that all key constituent customer groups move to the Duo multi-factor authentication platform by the end of Fiscal Year 2019.

To better protect the intellectual property and personal information of faculty and staff and to enhance the security of our digital assets, UWSA/Central IT Office 365 (email, calendar, OneDrive, etc.) environments will require use of a second factor of authentication. In addition to using your NetID and password, you will need to use multi-factor authentication (MFA) to access UWSA/Central IT’s Office 365 services.

The tool selected to perform the multi-factor authentication is Duo. Duo is a Cisco product that connects your account (something you know) to a physical asset (something you have). The physical asset can take a variety of forms. For the UWSA deployment you will be able to choose from the following options:

  • A Duo application installed on your smartphone (personal device or university issued)
  • A hardware token from Duo

Why

Increasingly sophisticated phishing attacks are resulting in staff inadvertently giving their UWSA username and password to attackers. Attackers then use the stolen credentials to profit, for example by diverting payroll direct deposits. Use of multi-factor authentication will disrupt these attacks because the attacker will not have the second factor needed to access the compromised email account.

The MFA Project will begin with a pilot as a first step in the larger MFA deployment. By being an early adopter of MFA, the pilot group will help the project team better understand the benefits, challenges, and requirements of deploying MFA for all UWSA/Central IT’s Office 365 users. Feedback is therefore critical to the pilot and the project.

Who

The following UWSA/Central IT units will participate in the pilot:

  • Office of the Vice President of Administration
  • Office of Information Security
  • UW System Chief Information Officer
  • Central IT

Note: This does not include student employees.

When/How

Participation is required.  You and your office will be contacted by Central IT Solution Services to set up a time to deploy MFA.

We want to hear from you during this pilot and throughout the project.  Please provide feedback to this email address: UWSA-MFA-DUO@uwsa.edu