Multi-Factor Authentication

Over the past few weeks, many of us have begun to use Duo Mobile, the new Multi-Factor secure login solution now offered by Pitt through CSSD.  This new solution comes highly recommended by Pitt’s information security team.  FIS strongly encourages the implementation of this solution and some of our supported departments have mandated its use.  We would like to take a moment to answer some frequent questions and concerns that are brought up on Multi-Factor authentication.

What is Multi-Factor Authentication?

Simply put, Multi-Factor Authentication is a method for securing access to computer system which requires users to present different types of evidence to verify who they are before accessing the system.  There are three common methods, or factors, used to authenticate ones identity.  These are:

Something You Know

This factor includes usernames and password.  If you know the proper username and password combination you are granted access to the system.

Something You Have

This factor includes keys and tokens.  If you possess the right key you can unlock the door.  If you have the correct token you are allowed in the room.

Something You Are

This factor typically includes biometric data such as fingerprints, voice recognition, and retina scans.  Once very costly, this factor is now common.  Many models of smart phones, laptop, and tablets can now recognize faces and scan fingerprints.

In order to implement Multi-Factor authentication, a method from at least two of these categories must be used.  Allowing access after scanning a fingerprint and using voice recognition would not be multi-factor becomes both are from the “something you are” category.  Likewise, simply having two passwords would not be multi-factor as both passwords would fall under “something you know”.  However, if you first scanned in your fingerprint and then entered a password in order to gain access to a system, you would be using Multi-Factor authentication.

Why is Multi-Factor Authentication Being Implemented at Pitt?

Traditionally, your Pitt account has been protected by a single factor, Something You Know, which is your username and password.  While this does provide some level of protection which gets better the more complex your password is, it is susceptible to a social engineering attack which is growing in popularity – Phishing.  We have all received suspicious emails informing us that we must change our password immediately or verify some setting with a link that bring us to a fake page asking us to enter our credentials.  The hackers are hoping that a few people they attack will enter their credentials, which can then be used to access the Pitt system when the hackers decide to do so.

Duo-Mobile, the new Multi-Factor solution that Pitt has implemented, adds a second factor, Something You Have.  This is done by connecting a specific phone number to the account.  When the username and password is entered for that account a notification (either a call or an application notice) is sent to a specific phone number.  In order to log in, the user must possess the phone associated with that phone number.  Even if the hackers know the phone number it does them no good if they do not possess the physical phone.  The owner of the phone and account will be notified as soon as any unauthorized access is attempted as well.  Then the password can then be immediately changed, making the Something You Know factor secure once again.

Due to the increasing popularity of Phishing and other Social Engineering attacks targeting usernames and passwords, the University has concluded that implementing Multi-Factor Authentication is not only prudent, but necessary.  An account with Multi-Factor Authentication applied is exponentially more secure than one without.

How Do I Set Up Multi-Factor Authentication and How Does It Work?

Computing Services and Systems Development provides an excellent set of instructions on how to set up Multi-Factor Authentication for your account which can be found at by clicking this link. As always, FIS Customer Support would be happy to assist with setup and any issues that may arise while using the Duo Mobile Multi-Factor Authentication solution.  We can be contacted at 4-FIS1 or via ticket submission at the FIS Support Portal.

Once you have Duo Mobile Multi-Factor Authentication set up it will add an additional action to the login process each time you access a secure service with Pitt’s Single Sign On solution.  After putting in your username and password you will either receive a notification on your smartphone or tablet via the Duo Mobile application or an automated phone call from the Duo Mobile service.  The application will give you a button to press to approve the log on and the automated phone call will prompt you to press 1 on your phone to approve the log on.  Once Due Mobile receives approval via application or phone call your login will complete.  Using the mobile application adds 5 to 10 seconds to the login process while using the phone option typically adds about 15 to 20 seconds.

Duo Mobile supports the option to add a secondary authentication device and we strongly recommend that a secondary device be set up.  This means that if a smartphone is lost or left at home for the day a second option is available from the authentication screen, such as your desk phone number.  You can simple click a button and Duo Mobile with authenticate via your secondary device.

james-award

Congratulations to James Van Poolen for being the recipient of the prestigious Pittsburgh HDI Analyst of the Year award! This award recognizes a help desk analyst that exemplifies the best qualities among the practitioners in our region who possess the knowledge and skills required to provide quality service and support for customers.

Brian Samec was also nominated for the Pittsburgh HDI Desktop Support Technician of the Year award. This award is given to a desktop support professional who responds to incidents escalated by the service desk that are related to customer equipment where additional skills, knowledge, tools, or authority are required.

James will now move on to compete for the regional award. Please join us in congratulating and wishing him luck with the regional competition!

Do you do your holiday shopping online? There are a few easy ways to protect yourself online whether you are purchasing items for yourself or for the University with your P-Card. Follow the tips below for a safe experience:
1. Shop with reputable merchants. Only purchase from online vendors that you are familiar with, or do some research first. If you are not familiar with an online store, use caution. Just because the website looks professional, it doesn’t mean the vendor is trustworthy or has proper security controls in place. Check an independent source that allows customers to rate their shopping experience with a vendor such as Reseller Ratings. You can also refer to the Better Business Bureau to see if there are any complaints listed. You should also be aware that in some cases, you may be purchasing from an individual rather than business, and your legal recourse may be different in the event of a dispute.

2. Check the merchant’s customer information and return policies. Before ordering, be sure to read the terms of sale, return policies and fees, shipping methods and prices, and guarantees. Make note of vendor’s policies for storing and distributing your personal contact information. If you do not want to be included on mailing lists or have your contact information made available to third parties (spam lists), look for an option on the web site to indicate your preference. Do not provide vendors with sensitive personal information, such as your social security number or bank account numbers. Basic shipping and credit card information is all that should be required to make a purchase.

3. Be sure the transaction is secure. When you are in the checkout process, the web site should be using encryption called SSL (Secure Sockets Layer). SSL ensures secure transmission of your credit card information across the internet. You can tell if the web site is using SSL by looking for “https://” (rather than “http://”) at the beginning of the web site’s address in the browser. Another sign is the presence of a padlock symbol in the address bar of the browser. In Internet Explorer, the padlock symbol will appear on secure pages in the address bar, located to the right side of the web address. You can click on the lock symbol to verify the security of the site.

4. Never send credit card numbers via e-mail. Although it is generally safe to enter your credit card number on a secure web site, it is not safe to send it through e-mail. E-mail is sent through the internet in clear text (non-encrypted) format, so it’s possible for someone other than the vendor to see it. Sending a credit card number through e-mail is the equivalent of writing it on a postcard rather than mailing it in an envelope.

5. Keep a record of your transaction. Before you leave the transaction page of the web site, print a copy of the screen and keep it for your records. Check your credit card statements to verify you were charged the proper amount. Also, keep any e-mail confirmations about your order for later reference.

6. Use Identity Finder to protect your data. All FIS-supported computers have a program called Identity Finder installed. It will search your files, e-mails, databases, websites, and web browser data for Social Security numbers, Credit Card numbers, Bank Accounts, Passwords, etc. so you can then take steps to remove the sensitive data from your files. This program is also available for home use by contacting FIS.

7. Keep a record of your transaction. Before you leave the transaction page of the web site, print a copy of the screen and keep it for your records. Check your credit card statements to verify you were charged the proper amount. Also, keep any e-mail confirmations about your order for later reference.

8. Take action if there is a problem. If you do have a problem with an online vendor, first attempt to work it out with them directly. Don’t just rely on e-mail; call them as well. If you cannot resolve the problem to your satisfaction, you should contact your bank and ask them to stop the payment. If that’s not possible, you can use an online service such as SquareTrade to resolve your dispute. You can also file a complaint to the state Attorney General’s Office, who will investigate the case. You should also post your experience on a site like Reseller Ratings so other customers can be warned. While you may also wish to contact the Better Business Bureau, note that they have no authority over the vendor. They will simply accept your complaint and allow the vendor to respond.

 

Secure your home computer to help protect yourself, your family, and our organization!

secure-your-home-network

Get ahead this fall and follow this Digital Spring Cleaning Checklist!!

digital-spring-cleaning-checklist

Take this quiz, Workplace Security Risk Calculator,  to find out if you activities while at work are risky and what you can be doing on the front lines to protect our organization!

top5scamsrnd3

Welcome to FIS’s 5 days of Cyber Security! October is national cyber security month. This is an initiative to help keep our online community safer and all citizens more informed. Over the next 5 days, we will highlight everything from types of scams to a checklist to complete cyber spring cleaning. Follow along with all of our information, videos, and quizzes! We are going to start with basic tips and advice to be safe online. Be sure to watch the YouTube video to gather 3 easy tips to stay safe on the go.


basictipsandadvice_page_1

digital-workplace-1-002

The digital workplace is designed to empower employees, reduce total cost of ownership, and improve security. This increasing reliability, value, flexibility, and agility to the University.  FIS Technical Services has invested in bringing about the digital workplace to the University through embracing cloud, mobility, and virtualization. Over the past year, Technical Services has undertaken the following initiatives to bring us closer to the digital workplace:

  • VMWare Horizon View: FIS implemented Horizon View hosted virtual desktops as a replacement to the traditional desktop for more than 100 computers. Horizon View extends the replacement life cycle of the desktop. It also enables access to the desktop from almost any endpoint, including mobile hardware and the web, while securely running the desktop from the University Data Center. Finally, it enables flexibility to adjust resources to each desktop on-demand which will decrease downtime.
  • SharePoint Online and Office 365: FIS Technical Services started the process to migrate from our SharePoint 2010 on-premise sites to the University Enterprise SharePoint Online service with One Drive for Business hosted by Microsoft.   FIS has worked to provide guidance, governance, and a data migration plan for this cloud offering.  By using hosted cloud-based services, staff will have increased storage,  enables access to their content from almost any endpoint including mobile and web, and reduced IT management.

Check out our latest website launch!

ir-device-view-002The Office of Institutional Research collects and analyzes information about the University that supports the data-driven decisions of the University’s executive administration, the University community, and external agencies. The Institutional Research’s website exists to provide access to the University’s Factbook, common data sets, and tuition and fees.

The new website is maintained by the Office of Institutional Research and works closely with the CFO.


1 2 3 4 5 6 7 8 10
Archives