Multi-Factor Authentication

Over the past few weeks, many of us have begun to use Duo Mobile, the new Multi-Factor secure login solution now offered by Pitt through CSSD.  This new solution comes highly recommended by Pitt’s information security team.  FIS strongly encourages the implementation of this solution and some of our supported departments have mandated its use.  We would like to take a moment to answer some frequent questions and concerns that are brought up on Multi-Factor authentication.

What is Multi-Factor Authentication?

Simply put, Multi-Factor Authentication is a method for securing access to computer system which requires users to present different types of evidence to verify who they are before accessing the system.  There are three common methods, or factors, used to authenticate ones identity.  These are:

Something You Know

This factor includes usernames and password.  If you know the proper username and password combination you are granted access to the system.

Something You Have

This factor includes keys and tokens.  If you possess the right key you can unlock the door.  If you have the correct token you are allowed in the room.

Something You Are

This factor typically includes biometric data such as fingerprints, voice recognition, and retina scans.  Once very costly, this factor is now common.  Many models of smart phones, laptop, and tablets can now recognize faces and scan fingerprints.

In order to implement Multi-Factor authentication, a method from at least two of these categories must be used.  Allowing access after scanning a fingerprint and using voice recognition would not be multi-factor becomes both are from the “something you are” category.  Likewise, simply having two passwords would not be multi-factor as both passwords would fall under “something you know”.  However, if you first scanned in your fingerprint and then entered a password in order to gain access to a system, you would be using Multi-Factor authentication.

Why is Multi-Factor Authentication Being Implemented at Pitt?

Traditionally, your Pitt account has been protected by a single factor, Something You Know, which is your username and password.  While this does provide some level of protection which gets better the more complex your password is, it is susceptible to a social engineering attack which is growing in popularity – Phishing.  We have all received suspicious emails informing us that we must change our password immediately or verify some setting with a link that bring us to a fake page asking us to enter our credentials.  The hackers are hoping that a few people they attack will enter their credentials, which can then be used to access the Pitt system when the hackers decide to do so.

Duo-Mobile, the new Multi-Factor solution that Pitt has implemented, adds a second factor, Something You Have.  This is done by connecting a specific phone number to the account.  When the username and password is entered for that account a notification (either a call or an application notice) is sent to a specific phone number.  In order to log in, the user must possess the phone associated with that phone number.  Even if the hackers know the phone number it does them no good if they do not possess the physical phone.  The owner of the phone and account will be notified as soon as any unauthorized access is attempted as well.  Then the password can then be immediately changed, making the Something You Know factor secure once again.

Due to the increasing popularity of Phishing and other Social Engineering attacks targeting usernames and passwords, the University has concluded that implementing Multi-Factor Authentication is not only prudent, but necessary.  An account with Multi-Factor Authentication applied is exponentially more secure than one without.

How Do I Set Up Multi-Factor Authentication and How Does It Work?

Computing Services and Systems Development provides an excellent set of instructions on how to set up Multi-Factor Authentication for your account which can be found at by clicking this link. As always, FIS Customer Support would be happy to assist with setup and any issues that may arise while using the Duo Mobile Multi-Factor Authentication solution.  We can be contacted at 4-FIS1 or via ticket submission at the FIS Support Portal.

Once you have Duo Mobile Multi-Factor Authentication set up it will add an additional action to the login process each time you access a secure service with Pitt’s Single Sign On solution.  After putting in your username and password you will either receive a notification on your smartphone or tablet via the Duo Mobile application or an automated phone call from the Duo Mobile service.  The application will give you a button to press to approve the log on and the automated phone call will prompt you to press 1 on your phone to approve the log on.  Once Due Mobile receives approval via application or phone call your login will complete.  Using the mobile application adds 5 to 10 seconds to the login process while using the phone option typically adds about 15 to 20 seconds.

Duo Mobile supports the option to add a secondary authentication device and we strongly recommend that a secondary device be set up.  This means that if a smartphone is lost or left at home for the day a second option is available from the authentication screen, such as your desk phone number.  You can simple click a button and Duo Mobile with authenticate via your secondary device.