Improved Phishing Resistance: New Duo Requirements for High-risk Departments

Summary

- Enhanced Security Measures: BYU-Idaho is implementing "MFA Everywhere" and "Verified Duo Push" to require Duo 2FA both on and off campus for high-risk departments.
- Affected Users: These changes apply to specific users in high-risk departments, enhancing security and protecting against targeted phishing incidents.

Body

Users will need to have the Duo Mobile smartphone application downloaded, installed, and actively connected to their BYU-I accounts in order to meet the security requirements defined below. For information on how to get the Duo Mobile app installed and connected, please see the "How-to: Setup, Install, Enroll, Activate DUO Mobile" knowledge article.

What's changing in Duo?

We are adding the following two security enhancements, "MFA Everywhere" and "Verified Duo Push", for a limited number of users who are part of specific departments at BYU-Idaho (see the "Who is affected by the changes?" section).

MFA Everywhere

MFA Everywhere is a term used to define "where" users are required to authenticate using Duo 2-factor authentication methods. Historically, Duo 2FA has not been required "on-campus" (i.e., users only have to authenticate with username/password, and Duo is automatically bypassed while on the BYUI WiFi or wired networks). This has made the login experience faster and more streamlined for users on-campus. However, it assumes users don't require the extra layer of protection from Duo/2FA while here on-campus.

To harden our BYUI accounts against increasingly complex phishing campaigns, we're removing the on-campus exception that has bypassed Duo. As a result, some users will simply need to authenticate with Duo/2FA "Everywhere", as the name suggests, both on and off campus.

Simply put, instead of only being asked to authenticate via Duo off-campus, users will also authenticate on-campus.

Verified Duo Push

Verified Duo Push is a standard Duo Push, like we've been doing for a while, but instead of simply approving or denying the Duo Push, the user will also need to verify the push notification. This enhanced push notification slightly changes the flow by requiring the user to verify the 3-digit number provided by Duo in the Duo Push notification (see example image below). In other words, the user confirms the Duo Push by entering the number Duo has provided. It's another small change that adds more complexity for bad actors attempting to defraud and hack innocent BYUI employees and staff.

When implemented, the end-user will be prompted with a three- to six-digit passcode after approving a push. This passcode must be entered into Duo Mobile before the user is allowed to log in. If the user fails to enter the passcode, access is denied. This protects the user from approving login requests they did not make and helps keep accounts and information safe. It provides additional security against push harassment and fatigue attacks by asking the user to enter a verification code while approving a Duo Push authentication request. It also improves fraud reporting from end-users by directing them toward the fraud report option in Duo Mobile when they receive unexpected Duo Push login requests.

What this looks like:

picture representation of a verified Duo push

Please note: this means that in order to follow this standard, each employee must have the Duo Mobile smartphone app set up on their personal device. For information on how to get the Duo Mobile app installed and connected, please see the "How-to: Setup, Install, Enroll, Activate DUO Mobile" knowledge article. If you cannot use the Duo Mobile app, please contact your supervisor.
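To make the difference between a plain push and a verified push concrete, here is an added illustration in Python. It is not Duo's code or API: the `PushServer` class, the attempt ids, and the way the code is displayed to the requester are assumptions made only to show the mechanism. A plain push completes the login on any tap of "Approve", while a verified push completes it only if the approval carries the number shown on the screen that started the login, and each attempt is consumed on its first answer so a wrong entry cannot be retried.

```python
"""Toy model of plain push vs. verified (number-matching) push approval.

Added illustration, not Duo's code or API. The server, attempt ids and the
way the code reaches the requester's screen are assumptions for the demo.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class LoginAttempt:
    username: str
    code: str          # displayed on the login screen of whoever started the attempt
    approved: bool = False


class PushServer:
    """Hypothetical authentication backend holding pending push requests."""

    def __init__(self, code_digits: int = 3):
        self.code_digits = code_digits
        self.pending: dict[str, LoginAttempt] = {}

    def start_login(self, username: str) -> tuple[str, str]:
        """Password step already passed; send a push and return (attempt_id, code).
        The code is shown only to the party that initiated this login."""
        code = f"{secrets.randbelow(10 ** self.code_digits):0{self.code_digits}d}"
        attempt_id = secrets.token_hex(4)
        self.pending[attempt_id] = LoginAttempt(username, code)
        return attempt_id, code

    def approve_plain_push(self, attempt_id: str) -> bool:
        """Legacy flow: any tap on Approve completes the login."""
        attempt = self.pending.pop(attempt_id, None)
        if attempt is None:
            return False
        attempt.approved = True
        return True

    def approve_verified_push(self, attempt_id: str, entered_code: str) -> bool:
        """Verified flow: Approve counts only if the user types the code shown on
        the requesting screen. The attempt is consumed on the first answer, so a
        wrong or missing code cannot be retried until a new login is started."""
        attempt = self.pending.pop(attempt_id, None)
        if attempt is None:
            return False
        if hmac.compare_digest(attempt.code, entered_code):
            attempt.approved = True
            return True
        return False


def demo() -> dict[str, bool]:
    """Run both flows against a login the user started and one they did not."""
    server = PushServer(code_digits=3)

    # Legitimate login: the user started it, so the code is on their own screen.
    attempt_id, code_on_users_screen = server.start_login("employee")
    legitimate_ok = server.approve_verified_push(attempt_id, code_on_users_screen)

    # Unexpected push: a login the user did not start. The code is on someone
    # else's screen. Under the legacy flow a reflexive Approve still succeeds.
    attempt_id, _ = server.start_login("employee")
    legacy_blind_approve = server.approve_plain_push(attempt_id)

    # Under verified push the user has no code to enter; a guess is rejected and
    # the attempt is discarded, so the right code no longer works afterwards.
    attempt_id, real_code = server.start_login("employee")
    guess = "000" if real_code != "000" else "001"
    blind_approve_rejected = not server.approve_verified_push(attempt_id, guess)
    retry_rejected = not server.approve_verified_push(attempt_id, real_code)

    return {
        "legitimate_ok": legitimate_ok,
        "legacy_blind_approve": legacy_blind_approve,
        "blind_approve_rejected": blind_approve_rejected,
        "retry_rejected": retry_rejected,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The single-use attempt is the detail worth noticing: with a three-digit code the chance of a blind approval succeeding is one in a thousand per login attempt, and that only holds if a wrong answer discards the attempt rather than allowing another try.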

Why are we implementing these changes?

The primary reason for these changes is to protect our organization from increasingly sophisticated cyber threats. Human error remains the weakest link in an organization's security chain. By adding these extra layers to our current 2FA authentication process, we aim to minimize human error and reduce our vulnerability to:

  • Hacking
  • Phishing attacks
  • Ransomware
  • Other forms of cybercrime

Key Benefits:

  • Enhanced Security: Ensures that all user logins are authenticated through Duo 2FA, providing robust protection against unauthorized access.
  • Phishing Resistance: The additional verification step with Verified Duo Push significantly reduces the risk of successful phishing attacks.
  • Consistency: Uniform security measures across all access points, both on and off campus, create a more secure environment.

By implementing MFA Everywhere and Verified Duo Push, we are taking proactive steps to safeguard our users, data, and systems. These changes are critical in maintaining a secure digital environment and protecting our community from potential cyber threats.

Who is affected by the changes?

This change will be applied to all student and full-time employees in a small number of departments that have been identified by the CES Security Operations Center as being at high risk of phishing, due to a number of factors, such as heightened system access to sensitive data (banking information, account information, etc.). These departments, while not explicitly listed here, should have received communication through their appropriate management chains.

Departments that have not received the targeted communication will continue with the current 2FA process and are thus not affected by these changes.

Where do I go for help?

Contact the IT Service Desk

*(excluding weekly devotional, forum hour, and University Recognized holidays)

Details

Article ID: 15143
Created
Thu 7/18/24 4:29 PM
Modified
Thu 7/18/24 6:00 PM