The Student’s Guide to Two-Factor Authentication (2FA)
Students all over the world are required to use Duo two-factor authentication (2FA)… and they hate it. You might be one of them.
They hate it because their phone is currently sitting on the other side of campus after a fun night out. They hate it because their phone is dead. They hate it because it’s one extra step to get their financial aid money.
But if you understood how Duo protects you, you might even secretly love it.
Why Do I Need Duo?
You see an email from your school telling you to enroll in Duo. Your first thought is, “Why do I have to do this?”
Does Duo even do anything? Yes! Duo performs an extremely valuable function that benefits not just your school, but also you personally. Let’s take a look at how Duo and 2FA protect you (and more importantly your private data)!
In January 2019, a popular online game streaming site reported a flood of hijacked accounts after the popular game “Town of Salem” had 7.8 million passwords stolen. Many users had the exact same password for “Town of Salem” and for the game streaming site. Hackers successfully used a bot to test the “Town of Salem” credentials on the gaming site and stole stored payment information. The gaming site already allows users to set up free 2FA on their accounts. However, most end users did not opt in, leaving them vulnerable. Breach researchers found the gaming site is no longer accepting email addresses to log in and is incentivizing users to set up two-factor authentication, because it would eliminate the problem.
How Duo Verifies Your Identity
2FA can be like a Bumble date. You agree to meet at a specific date and location (something you know), but pictures can be deceiving. You tell each other what you are wearing (something you have) to ensure you recognize each other.
Just like you needed the clothing description to verify your date, you need Duo to validate your identity! Like your password (something you know), the date and location are relatively easy to hack. To protect against this, Duo requires a second-factor device that is unique to you, like your phone (something you have). Now if your primary credentials are stolen, attackers will have a much harder time gaining access to your accounts without having access to your phone. If the online gaming users had enabled 2FA on their accounts, it would have been more difficult for hackers to gain access to them.
Duo deployed at universities may result in up to a 96% decrease in stolen credentials.
What Is Two-Factor Authentication?
Passwords used as a single factor by themselves are extremely vulnerable to hackers. With multi-factor authentication (MFA, also known as 2FA, two-factor authentication), a user’s identity can be authenticated and user trust (authorization) established by using a combination of two or three factors:
Something you know (e.g., passwords)
Something you have (e.g., your smartphone)
Something you are (e.g., biometrics, like fingerprints)
How Breaches Happen
You may still be thinking along the lines of, 'I’ve got nothing they want.'
Think again! Your personally identifiable information is extremely valuable, and its theft can have widespread implications. While a hacked and locked Instagram account is devastating, your school is trying to prevent phishing attacks, which often target your largest assets: financial aid, your on-campus job paycheck, and other stipends.
Don’t Get Phished!
Many students have been victimized by phishing attacks aimed at gaining access to Federal Aid Refunds. Federal Aid Refunds are what’s left over after you use aid to cover room, board and tuition. Universities transfer the remaining balance to students, often by electronic deposits. These electronic deposits are very vulnerable to attack.
The attack begins with a phishing email sent to the student’s EDU address. The student is taken to a website that replicates the school’s systems. After the student enters their username and password, the hacker has their credentials and can divert the student’s direct deposit destination to a bank account controlled by the hacker.
As a result, Federal Student Aid intended for the student is sent directly to the attacker. The US Education Department recommends schools mitigate this risk through the use of 2FA. The attacker would need to have access to the second factor to divert the deposit.
Improve Your Duo Experience and Save Time with Duo Push!
With Duo Push, you tap a notification and can access your applications in seconds instead of waiting for a text and entering a password.
In addition to being a faster way to authenticate, Duo Push is also more secure than SMS and phone calls, uses almost no data and contains passcodes you can use while offline (like when you are on a plane). Nothing can stop you from authenticating quickly!
If you want to save even more time, your school may allow you to purchase a U2F token like a YubiKey to authenticate even faster. You simply tap a physical USB key plugged into your laptop. Check with your school to see if this is an option. You may be able to purchase one at the bookstore.
Tick Tock! Which Factor is Faster? 2FA push!
A user who uses SMS as their second factor could save time by switching to other, more secure authentication methods, like Duo’s two-factor authentication, aka Duo Push.
While hackers will continue to try to access your accounts and steal your credentials, Duo decreases the risk of compromised credentials at universities by up to 96%.
Next time you have to approve a Duo Push to access your financial aid, you won’t be thinking about the inconvenience of one more tap, but about the security Duo provides.