Extra Login Step Provides Online Protection

Multi-factor authentication is part of Duke's efforts to protect users and data

John Owens, an analyst with Duke's Office of Information Technology (OIT), is one of about 200 Duke employees piloting a new two-step verification system.

John Owens doesn't worry as much anymore.

Owens, an analyst with Duke's Office of Information Technology (OIT), is one of about 200 Duke employees piloting a new two-step verification system designed to reduce the risk of Duke users having their online accounts hacked.

"With multi-factor authentication, there's less worry that the information you deal with can be compromised," said Owens, who supports Duke's student-information systems.

Multi-factor authentication, also known as two-step verification, is part of Duke's ongoing efforts to protect its users and data as phishing schemes and password breaches become increasingly common, said Richard Biever, the university's chief information security officer.

Google and Twitter have implemented similar systems, which are designed to prevent hackers from gaining access to an account far more effectively than a password alone.

"We want to make sure the identities of the people with higher-level access are protected from a bad guy getting hold of them," Biever said.

Here's how it works: When logging in, a user is required to enter both a password and a randomly generated code. The codes can be generated by a special device or token or can be sent via a text message or a smartphone application.

In other words, accessing an account requires two things: something you know (the password) and something you have (a previously registered device). At Duke, OIT requires that system, network and application administrators who have higher-level access to systems use multi-factor authentication.

The service has been in development for a year, while OIT collected feedback from a group of pilot users, and is now open to any Duke user interested in helping to test and refine it. Any Duke faculty, staff or student can set up multi-factor authentication for their NetID and can select which of about 1,100 Duke-managed applications or websites, including the Duke@Work self-service site, will use it. Register online.

Password strength and complexity need to constantly improve to keep up with increasingly sophisticated password-cracking algorithms and techniques, said Chris Meyer, OIT's senior director of Enterprise Systems & Support. This system introduces an extra step - and more protection - into the authentication process, Meyer said.

"It can be inconvenient to have to be responsible for and have a second device with you at all times, but it adds another layer of security for users with access to sensitive and restricted institutional data," Meyer said. "And that extra step raises awareness: Now I'm in an application with access to restricted data. It's a reminder that now I need to be very careful what I do."