With several high-profile data breaches at higher education institutions in the news, such as the University of Maryland breach, whose cost the university estimated at around $35 million, Duke University recognized that one of its key strategies had to be a two-factor authentication solution that would work for its students, faculty, and staff.
Richard Biever, Duke’s Chief Information Security Officer & Director of Identity Management, said that Duke researched two-factor authentication solutions as far back as 2010, including legacy vendors using tokens. Duke quickly discovered that those solutions required far too much overhead and management, and were too complicated for end-users who required a seamless authentication experience. Duke needed a flexible solution with a variety of authentication methods that would work for the whole of the Duke community, while remaining painless for IT admins to manage. “We needed a multifactor solution that would be easy to use for our faculty, staff, and students,” said Richard. “That’s over 54,000 individuals using our system -- with completely different behaviors and needs -- and we needed a solution that would provide options for how they authenticated to Duke systems.”
A phishing attempt compels Duke to deploy Duo to a larger group
Duke had already run a small pilot of 600 users to test the selected technology, Duo, but the rollout was accelerated in early 2015 when a phishing attack targeted the direct deposits of faculty members. Of 600 faculty members targeted, twelve fell for the phishing attempt, and ten of them had their monthly paychecks re-routed to the attacker’s bank account.
While phishing attacks are hardly limited to the higher education industry, media coverage of these attacks on universities has increased, including the most recent, Anthem’s phishing attack, which targeted a large number of customers, including faculty, staff and students from major universities across the country.
Duke takes action
The Duke security team assessed the incident and settled on a two-pronged approach: improving detection of potentially compromised accounts, and opening up the multifactor service to all faculty and staff. A memo sent by Duke’s leadership warned faculty and staff that their direct deposits could not be fully guaranteed unless they set up multifactor authentication for access to Duke’s employee self-service portal. Immediately after the memo was sent, 6,000 faculty and staff members enrolled in Duo’s two-factor authentication solution.
All central IT staff had been enrolled in the multifactor solution as part of the original pilot of 600 individuals. During that pilot, one IT staff member commented that he disliked the additional step required to log in to the Duke systems the IT teams maintained. After the well-publicized phishing attack, the same IT administrator stopped by with a different outlook. “He changed his tune after the phishing attack,” said Richard, “and he actually said, ‘I love that we have this service.’”
Richard and his team considered what many IT and security departments are also wondering: what is our strategy for rolling out a multifactor solution, and how do we train our end-users not to fall for these phishing attempts? For the former, Duke settled on a multi-pronged approach that gives end-users and application owners the flexibility to decide which services should require multifactor authentication. End users can self-select which services they would like to protect; departments and schools at Duke can, and do, mandate specific applications that must require multifactor authentication; and services or applications that contain sensitive data always require end users to authenticate with multifactor authentication.
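The three enforcement rules above combine into a single access decision, and the precedence between them matters: a user's self-selection can add protection but can never remove a departmental mandate or the sensitive-data requirement. The following is an added illustration, not Duke's or Duo's code; the application names, the department names, the sensitive-data flag, and the `MfaPolicy` class are all constructed for this example.

```python
"""Hypothetical MFA-enforcement policy combining three rule sources:
   1. user self-selection (opt-in per application),
   2. department or school mandates per application,
   3. a sensitive-data classification on the application itself.
Constructed example; names and classifications are assumptions, not Duke's data."""
from dataclasses import dataclass, field
from enum import Enum


class Reason(Enum):
    SENSITIVE_DATA = "application handles sensitive data"
    DEPARTMENT_MANDATE = "department or school mandated MFA for this application"
    USER_OPT_IN = "user self-selected MFA for this application"
    NONE = "no rule requires MFA"


@dataclass(frozen=True)
class Application:
    name: str
    handles_sensitive_data: bool = False  # classification set by the service owner (assumed)


@dataclass
class MfaPolicy:
    user_opt_ins: dict[str, set[str]] = field(default_factory=dict)  # user -> app names
    mandates: dict[str, str] = field(default_factory=dict)           # app name -> mandating dept

    def opt_in(self, user: str, app_name: str) -> None:
        self.user_opt_ins.setdefault(user, set()).add(app_name)

    def opt_out(self, user: str, app_name: str) -> None:
        # Opting out only removes the user's own selection; rules 2 and 3 are unaffected.
        self.user_opt_ins.get(user, set()).discard(app_name)

    def mandate(self, department: str, app_name: str) -> None:
        self.mandates[app_name] = department

    def requires_mfa(self, user: str, app: Application) -> Reason:
        # Evaluate strictest rule first so a user choice can never weaken the outcome.
        if app.handles_sensitive_data:
            return Reason.SENSITIVE_DATA
        if app.name in self.mandates:
            return Reason.DEPARTMENT_MANDATE
        if app.name in self.user_opt_ins.get(user, set()):
            return Reason.USER_OPT_IN
        return Reason.NONE


def decide(policy: MfaPolicy, user: str, app: Application) -> tuple[bool, str]:
    """Return (mfa_required, human-readable reason) for an access attempt."""
    reason = policy.requires_mfa(user, app)
    return reason is not Reason.NONE, reason.value


# Constructed sample data: a payroll portal (sensitive), a departmental app
# that one school has mandated, and an optional wiki users may protect themselves.
PAYROLL = Application("employee-self-service", handles_sensitive_data=True)
GRADEBOOK = Application("gradebook")
WIKI = Application("team-wiki")


def build_demo_policy() -> MfaPolicy:
    policy = MfaPolicy()
    policy.mandate("school-of-medicine", GRADEBOOK.name)
    policy.opt_in("alice", WIKI.name)
    policy.opt_in("alice", PAYROLL.name)   # redundant: rule 3 already covers it
    return policy


if __name__ == "__main__":
    p = build_demo_policy()
    for user in ("alice", "bob"):
        for app in (PAYROLL, GRADEBOOK, WIKI):
            required, why = decide(p, user, app)
            print(f"{user:6} -> {app.name:22} MFA={required!s:5} ({why})")
    p.opt_out("alice", PAYROLL.name)
    print("alice after opting out of payroll:", decide(p, "alice", PAYROLL))
```

The ordering in `requires_mfa` is the design choice worth copying: the sensitive-data classification and the departmental mandate are checked before the user's own selection, so an opt-out (or a user who never enrolled) cannot downgrade the protection on a payroll portal. The same precedence is what lets the memo in the story promise that the self-service portal is protected regardless of individual preference.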
Regarding education and outreach, the Duke team is very proactive: it visits departments almost weekly to evangelize for multifactor authentication, explain why it’s important, and show how to enroll in and use the service effectively. Duo makes the training easier, since end-users experience first-hand how seamless the authentication process can be.
“Duo has demonstrated itself to be flexible and works with many of our diverse technologies,” Richard said. “We were able to build it into our existing authentication infrastructure, including our various remote access and SSO technologies like Shibboleth, remote desktop, SSH and our VPN service, as well as key infrastructure technologies like VMware. The flexibility of the technology, both in terms of what it can integrate with and how our community can use it, was key in our adoption of Duo as a partner in our multifactor authentication strategy.”