Enhanced authentication service upgrades your online security

From: Division of Information Technology

To help protect personal data and university systems from cyber attacks, Virginia Tech is upgrading our Duo 2-Factor Authentication service for all members of the university community. Migration to the new services will take place over the summer.

2-Factor Authentication (2FA) is a security method that requires two different forms of identification (usually a password plus a digital device in your possession) before accessing an account or service. Virginia Tech first implemented 2FA in 2016, and its use greatly improved the university’s security posture.

However, 2FA does have a vulnerability to something called ‘multi-factor fatigue.’ This occurs when an attacker bombards a user with repeated multi-factor authentication requests, usually after the user’s password is compromised through a phishing exploit. The goal of these repeated requests is to annoy or exhaust the user into approving one of the requests, thereby granting the attacker access to the account.

To significantly reduce this possibility, Virginia Tech's Enhanced 2FA program relies on a time-sensitive three-digit code to complete the login process when using the Duo mobile app. This step is very quick, but provides an important additional layer of security, even when an attacker is in possession of stolen login credentials. Enhanced 2FA will also end the option of using less-secure authentication methods, like SMS text messages, or voice authentication, which can be intercepted or spoofed. Users who have been authenticating using these less-secure methods are encouraged to switch to more secure methods to authenticate (i.e. through the mobile app, or with a token) as soon as possible in advance of migration dates this summer.

In addition to the mobile app, Enhanced 2FA includes other second factor options, such as hardware tokens (Yubikey, Duo D100) and software tokens. A token requiring biometric data, such as a fingerprint or facial recognition, may be the preferred option for users who need to routinely access sensitive information on a recurring basis — contact your local IT professional to learn more.

Migration schedule for all users

This update will become mandatory over the summer, according to the following schedule:

• Students - to be migrated during the week of July 7
• Alumni - to be migrated during the week of July 14
• Employees and Retirees - to be migrated during the week of August 1

During this migration, the less-secure methods of authenticating will be discontinued, as discussed above. For this reason, users of SMS text and voice authentication methods are urged to add one or more additional means of authenticating prior to their migration date. This will prevent any interruption in their ability to log in.

More information

• Best Practices for 2-Factor Authentication Usage at Virginia Tech
• Frequently Asked Questions about Duo 2-Factor Authentication

Questions about 2-Factor Authentication? Please contact 4Help IT Support online at 4help.vt.edu, or by phone at 540-231-4357.