The technical staff at Loyola University Maryland were aware of two-factor authentication as a means to protect sensitive data, such as personal identities, login credentials, human resources information, and financial data, but they did not have a specific use case for it until around 2013. At that time, the University’s technical staff were installing a password vault (Thycotic’s Secret Server) to audit and track credential usage. As part of that effort, Senior Systems Engineer Tim Enders realized, “if we’re going to have all of this critical user credential data stored in one place, we need to make it as secure as we can.”
During the implementation of the password vault, Tim’s Chief Information Officer, Louise Finn, mentioned Duo Security as a two-factor authentication vendor that partnered with InCommon Federation, a group dedicated to building a common trust framework for U.S. education and research organizations. After hearing about Duo, Tim evaluated their two-factor solution, alongside some of the legacy token-based multifactor vendors, such as RSA.
RSA’s 2011 data breach concerned Tim, as did the clunky idea of only being able to authenticate a user via one method: a dongle with a passcode.
On the flip side, Duo’s technical storage methods, asymmetric key pairing in particular, sold Tim on going with their cloud-based two-factor solution. Putting himself in the shoes of his end-users, Loyola University Maryland faculty and staff, Tim also realized that the flexibility of authentication methods and general ease of use (authenticating with a single click of a button) of Duo’s solution would be key to user adoption.
Making the Case
Of course, rolling out a security solution isn’t always an easy sell to your end-user population. One of the key challenges Tim had to address from the start was how to deploy any sort of extra step in the workflow of a large group of faculty and staff without causing an upset.
Tim faced some of the questions you might expect from end-users: “This is going to make my life harder” and “What if I forget my mobile phone... how can I work?” To address these issues, he decided to do a quick demo to show how easy Duo Push is to use: “It just pops up on your phone,” he explained, “no codes, you just click yes or no.” As to the concerns about forgetting a cell phone and still being able to access email, the VPN, and additional business applications, Tim set each user up with both Duo Mobile/Duo Push and a landline or desk phone. That way, he explained, even if you were to forget your mobile phone at home one day, you could still authenticate via the landline.
Those concerns allayed, Tim rolled out Duo to a few hundred users, primarily IT administrators. Also included in the group currently using Duo are the faculty and staff who work in the University’s clinical centers, who must use two-factor authentication due to HIPAA compliance regulations. He is using this group as an example of how easy Duo was to deploy and to help make the case for rolling the solution out to the full faculty and staff group. Tim says, “Rolling Duo out to the clinical centers went really, really smoothly.”
He plans to extend the University’s use of Duo in the coming months, utilizing Duo’s self-service portal, which takes the load off of the administrators. His experience so far with the self-service portal has been positive, he says.
Tim explains that user feedback has been mostly positive. The only thing that he occasionally needs to address from the help desk tickets is that Duo Mobile is tied to a specific device. “People sometimes don’t know or don’t remember that once you provision a device to Duo’s two-factor solution, Duo Mobile is tied to that device and only that one. So, if they get a new phone, they are confused about why Duo didn’t make the switch with them automatically.” Luckily, the solution to that is easy for end-users to carry out themselves by following this quick and easy, step-by-step guide.
“I think people within my organization were afraid that Duo would generate a bunch of help desk tickets and be generally unwieldy to manage,” said Tim. “But it turns out it’s not as scary as people think it is.” He attests that he has not had to spend much time at all doing direct user support, and since he is the only administrator for Duo in the entire organization, that says a lot about just how easy Duo really is. “Our users got the hang of it really quickly. They get in with one click and then they can go ahead and get to work.”
How has Duo worked for Loyola University Maryland overall?
“Our experience has been overwhelmingly positive,” said Tim. “The value for money is really, really there. It’s an easy-to-adopt, easy-to-run system that offers incredibly robust security. There are times as a security administrator when you have to spend a lot of time and effort running around only to have a small return on that effort. Duo is the opposite end of that scale. With Duo, you expend ten percent effort and you get ninety percent benefit. The fact that the value for money comes along with what I consider to be one of the most robust two-factor systems out there is just icing on the cake. I would highly recommend Duo to other organizations.”